Description
The Local Authority portal hides its credentials inside ancillary JavaScript. Browse the secondary login file to enumerate referenced assets and recover the cleartext username/password pair.
Setup
View the page source; it references a POST to login.php even though that file isn’t linked anywhere.
Manually browse to /login.php to load the script includes, then inspect secure.js for hard-coded credentials.
Return to the original page and sign in with the recovered username/password to reach admin.php.
Solution
- Step 1: Enumerate hidden assets. Open login.php directly (e.g., http://saturn.picoctf.net:64710/login.php). The browser now lists secure.js among the sources.
- Step 2: Read secure.js. secure.js contains `const user = "robert"; const pass = "hannah";` (values may vary). Use them on the main login form.
- Step 3: Retrieve the flag. Successful authentication redirects to admin.php, which prints the picoCTF flag in plain text.
Flag
picoCTF{j5_15_7r4n5p4r3n7_b0c...}
Because the credentials live in front-end JavaScript, simply browsing to the referenced file is enough.
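A pre-deployment check for the flaw this write-up relies on, as an added example that is not part of the original write-up or the challenge's code: it scans JavaScript that will be served to browsers for string literals bound to credential-like names. The identifier list, the function name and the sample source are assumptions constructed for illustration.

```javascript
// Added example: lint browser-served JavaScript for hard-coded credential
// literals. Anything found here is readable by every visitor, so the check
// belongs in CI before the asset is published.

// Assumption: identifiers ending in one of these words are treated as sensitive.
const SENSITIVE_NAME = /(user(name)?|login|pass(word|wd)?|pwd|secret|token|api_?key)$/i;

// Matches: name = "lit"   name: "lit"   name == "lit"   name === "lit"
const LITERAL_BINDING = /([A-Za-z_$][\w$]*)\s*(?:={1,3}|:)\s*(["'`])((?:\\.|(?!\2).)*)\2/g;

function findHardcodedCredentials(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const match of text.matchAll(LITERAL_BINDING)) {
      const [, name, , value] = match;
      // Empty literals and non-sensitive names (e.g. userAgent) are ignored.
      if (!SENSITIVE_NAME.test(name) || value.length === 0) continue;
      // Record only the length so the audit log does not repeat the secret.
      findings.push({ line: index + 1, name, length: value.length });
    }
  });
  return findings;
}

// Constructed sample shaped like the secure.js described above (placeholder values).
const SAMPLE_SECURE_JS = [
  "function checkPassword(username, password) {",
  '  const user = "example-user"; const pass = "example-pass";',
  '  const userAgent = "demo-client";',
  '  const field = document.getElementById("username").value;',
  "  return username === user && password === pass;",
  "}",
].join("\n");

for (const f of findHardcodedCredentials(SAMPLE_SECURE_JS)) {
  console.log(`line ${f.line}: literal of length ${f.length} bound to "${f.name}"`);
}
```

A finding means the comparison has to move to the server; renaming the variable or minifying the file only hides it from this check, not from the browser's source view.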