Defend The Web is a website for solving Capture The Flag challenges. It provides a variety of challenges with different difficulty levels and covers several domains.
The problem: A blank password prompt given.
The solution: Opened inspect element and looked through the java script code. At the bottom, there was a keyword which was the solution to the challenge.
The problem: Password prompt asking you to enter a password.
The solution: After inspecting the page source, in the java script of the code there was a password, hex encoded: \x39\x32\x30\x61\x61\x30\x34\x36\x63\x38. Decoded this to text, using this tool: http://www.unit-conversion.info/texttools/hexadecimal/, and got the password: 920aa046c8
Problem: Password prompt where password is required.
Solution: Initially when clicking on the link to the challenge the URL is https://defendtheweb.net/playground/intro11?input. What can take your attention is that there is a question mark in the URL. So what does that mean?
A question mark in the URL represents the start of a query string, which is a set of key-pair values that are used by the server hosting the website. For example, if we have a website such as https://animal-pictures.org/animals, we would expect this search to return a page with a list of animals, however if the URL is https://animal-pictures.org/animals?location=CA, then this page would also show us a list of animals, but that list would be filtered and showing us only pictures of animals that were taken in Canada. However, the website should be developed in a way that it expects these parameters and can act upon them when they are received.
So, knowing this, having the url and inspecting the source code as such, doesn’t return anything significant since it doesn’t hold the information we need when it renders the page with ?input at the end of the URL.
However, if we try and delete the ?input and then type
, we can see the password hidden in the source code.