OGN Challenge #5

This challenge can be found when Sally and Slim are hacking into the targeting system, the page before the terminal explodes.

The Setup

Help Sally and Slim disable voltage protection on the Lunar Mass Driver!

You'll find a link to a dashboard on the challenge page.

Disabling voltage protection

Let's try going through what a user would do when faced with this dashboard:

There is only one button, that corresponds to what we're trying to do (disable voltage regulation). Click on that.
There is a warning dialogue about the consequences of this action. The Yes button is unclickable.

This is a classic CTF challenge (and security flaw in many more websites than you'd imagine): the unclickable button can actually be clicked, if you modify the page's code. You'll need to have access to your browser's inspector. For Safari, enable Develop menu in Preferences > Advanced first. For other browsers it should be fine. Right-click on the button, and click Inspect. Notice how the Yes (Disabled) button tag has the disabled="" field attached to it. Double-click on disabled="" and delete it, then press Enter. The button is now clickable! Magic 🧙

The voltage protection is now disabled, and you get a nice flag to add to your collection 🚩

Hacker Mindset

This technique works because client-side validation can always be bypassed by users. In real applications, security checks must be enforced server-side.