Recently I found this incredible project called Root-Me which contains, among other things, over 200 challenges in different levels and topics of the cyber-security field. If you’re into hacking challenges and wargames I recommend you to check this site out.
I decided to document my solutions for some of the challenges and share it with you, so that beginners can learn and become better hackers. The first challenge we’re going to solve is called **Javascript – Authentication. **That’s the easiest one in the Web-Client category. The challenge, like almost all of the other basic challenges in this category uses a web designing code called HTML (Hyper Text Markup Language) and Javascript along with some others client-side languages. If you know very little or nothing about HTML or Javascript I heartily recommend you read about it either in a book or online.
Walkthrough
When entering the challenge we’re presented with a login form which requires a username and a password. The first thing to do is to check what happens when we try to connect with any username and password. I typed test:test, and as I pressed the login button an alert showed up saying: “wrong password”.
We know it’s a client-side challenge which involves JS (the title, duh) so let’s check out what’s really happening when we click the login button. To open the browser’s Inspector, right click on the login button and then select “Inspect Element” (you can also press F12, or Ctrl+U if you are old fashioned and prefer the good-old “View Source”).
Now we can view the source code of this page. Pressing the login button makes the browser call a Javascript function named “Login” (1) which exists in external script called “login.js”. You can view it under the <script> tag in the <head> section (2). Pressing the link shows the code of login.js.
This is the actually code that checks whether the credentials are valid or not. By reading this simple script we understand that the expected username is “**4dm1n” **and the password is “sh.org”. All we have to do now is go back to Root-Me and see if **sh.org **is the correct answer. And voilà, we did it. Easy peasy.
Eat Veggies
