By Yaakov Cohen


The link leads to a site with a login form:


Looking at the source code we see code for a websocket:


We also see how the user is authenticated. Let's see if we can use NoSQLi. We'll put admin as the username and ' || 1 == '1 as the password. It worked, but all we got was a popup saying Success!. Oh, but they said the flag is the password for admin, so maybe instead of trying to completely bypass the password check we can use it to find out what the password is.

We know all the flags are in the format BSidesTLV{flag}. Using this knowledge, we tried the password ' || this.password[0] == 'B and got Success!, so it looks like we can do this for every character of the password.

We skipped the first 10 characters because we knew they were BSidesTLV{ and guessed that the flag was less than 30 characters long.
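
Why both passwords above produce Success!, and what closes the hole, as an added example (not the challenge's code, which is not reproduced on this page). It assumes the server pastes the submitted fields into a JavaScript predicate evaluated against each user record, as MongoDB's $where does; vulnerableLogin, safeLogin and the sample record are hypothetical.

```javascript
// Constructed sample record; the password is a placeholder, not the real flag.
const users = [{ username: 'admin', password: 'BSidesTLV{placeholder}' }];

// Vulnerable (assumed pattern): input is concatenated into a JavaScript
// predicate that is evaluated with `this` bound to each record.
function vulnerableLogin(username, password) {
  const predicate = "this.username == '" + username +
                    "' && this.password == '" + password + "'";
  const match = new Function('return (' + predicate + ');');
  return users.some((doc) => Boolean(match.call(doc)));
}

// Hardened: input is only ever treated as data. Non-string values are
// rejected (blocks operator objects) and nothing user-supplied is evaluated.
// A real deployment would compare a password hash instead of the plaintext.
function safeLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  const user = users.find((doc) => doc.username === username);
  return Boolean(user) && user.password === password;
}

// Runs the two passwords from the write-up through both checks.
function demo() {
  const bypass = "' || 1 == '1";                // always-true clause
  const oracle = "' || this.password[0] == 'B"; // true only if the guess is right
  return {
    vulnerableBypass: vulnerableLogin('admin', bypass),
    vulnerableOracle: vulnerableLogin('admin', oracle),
    safeBypass: safeLogin('admin', bypass),
    safeOracle: safeLogin('admin', oracle),
  };
}

console.log(demo());
```

In the vulnerable version the closing quote ends the string literal early, so the rest of the password becomes part of the expression; the yes/no answer then reveals whatever that expression tests. The hardened version returns false for both inputs because the password is compared as a plain string.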