This time Sam used a more temporary and "hidden" approach to authenticating users, but he didn't think about whether or not those users knew their way around javascript...
Level 10
Enter password
Please enter a password to gain access to level 10
Password:
___________________
|___________________|
submit
Solution:- If you type something into the field and submit, you will get the message below.
You are not authorized to view this page
- Let's see where is the authorization part. Since the page source code is a dead end, you should check the header or cookies (use Chrome Developer Tools or other Add-ons for Firefox).
You will find this information below.
Now, we know that Sam is using cookies based authentication method.
Cookie:level10_authorized=no;... - And we need to change the value of the cookie named "level10_authorized" to "yes" to pass the challenge.
- There are two ways to reach our goal. First, you can type anything in the field, then
- Using a application to intercept the request (e.g., Burp Suite).
Change value of level_authorized from "no" to "yes". - Use JavaScript. Type the javascript code below in the Chrome Javascript control panel.
javascript:function pwn(){document.cookie="level10_authorized=yes";}pwn();
- Using a application to intercept the request (e.g., Burp Suite).
- Send the request.
- Congratulations, you have successfully completed basic 10!