Start-Up Troubles | CyberStart Completion

Start-Up Troubles

Briefing:

A successful new start-up that sells electric scooters has discovered a handful of their customers’ accounts have been hacked - guess who we believe might be behind it? Yep, you guessed it, the Yakoottees! Having only just entered the market and keen to maintain their otherwise excellent reputation, this business needs our help to run a security audit of their login system. Can you spot any security holes, perhaps some leaked data?

Tip: Successfully login to get the flag.

Hint:

As there’s nothing useful in the interface, check out the page source. You’ll find are some JavaScript variables being used and if the page can use them, it’s possible we can too! Perhaps open your browser developer tools, particularly the console and try outputting those variables.

How to Solve:

  1. Check the page source, notice there is a script:
    function doLogin (submittedEmail, submittedPassword) {
     var alertError = get('alert-error');
    
     if (submittedEmail !== email || submittedPassword !== password) {
         alertError.style.display = 'block';
         return;
     }
    
     executeLogin(submittedEmail, submittedPassword);
    }     
    
  2. Open the console, type in email and password.
  3. Notice that there is information stored in both variables.
  4. Use the login credentials to sign in.
    1. Email: bonita@zip-zap-rides.com
    2. Password: trustno1
  5. Click Sign in to get the flag.