BugBountyNotes Challenges – HTML Source View Writeup

Continuing my plan of working through a hundred different CTF, challenge and war game websites and clearing all their challenges once and for all, just for fun.

This time I’m choosing BugBountyNotes challenges. BugBountyNotes is a website that helps beginners connect to the Bug Bounty world. They offer online challenges, writeups, articles and any information that can give you the appropriate knowledge and experience to get you started with Bug Bounty. What differentiates BugBountyNotes from other challenge and war games websites is that its challenges take a realistic approach: they were taken from actual issues found by security researchers in bug bounty programs, so you get a much more hands-on and useful experience by nailing them than on any other website.

Before we go any further, it is important to always remember the website’s disclosure policy and my own.

Disclosure Alert:

The intention of each of my writeups is not to give away the solution, which would actually spoil the fun. My intention is to provide you with loads of information and the mindset used by attackers to find vulnerabilities.

I couldn’t find any BugBountyNotes disclosure policy preventing challenge results from being disclosed, but I have a very strict non-disclosure policy, and I’m trying my best not to violate it. Therefore, flags identified will always be redacted from my posts to encourage the reader to look for them by himself/herself. The only thing presented will be the methods.

Remember, always try to solve it yourself first: try harder, read as much documentation about the problems as possible, talk to more experienced people, and stress your mind out till you are (or think you are) completely out of ideas. Doing otherwise would completely defeat the purpose of the challenge, which is LEARNING. Only when you are out of ideas should you start looking for hints and writeups that could aid you in solving the problem. That’s what writeups are for: to help you think without giving you the answer. Writeups have to be considered a last resort.

Also remember that every writeup is different, as different people have different backgrounds and therefore different ways to solve the same problem. Always try to find the solutions for yourself.

That being said, let’s go for the writeups.

This developer didn’t realise people could view the HTML source. What can you find?

Some important information is given such as:

  1. Difficulty Level = Easy
  2. “Challenges do NOT require any bruteforcing/directory fuzzing/massive amounts of traffic unless clearly specified in the challenge information below.”
  3. “Note: This challenge just requires you to have a keen eye. Look carefully!”
  4. “Firstly, this developer hid his admin panel at a random subdomain he didn’t think anyone could find. Because of this thinking (didn’t think anyone would find it), the dev was kind of sloppy with how he secured his admin panel. Can you find a way in, and is there anything else vulnerable? (Hint: XSS?)”

The author rated this challenge as easy, so you don’t need to try that hard or overthink it.

The second part says that there is no need for any automated process; manual tests will do just fine. This is just a small note to all script kids that are only interested in getting the answer rather than understanding how it works. Do your job and study at least a little bit about the problem to have a better understanding of how it works before blindly asking for hints.

The third part is clear that it just requires some attention to details.

The fourth part is clear about the objectives and deals with the developer’s belief that nobody could find the password anywhere.

By the time I solved this challenge, it already provided 3 hints, which I didn’t use, but they are very useful for beginners. They are the following:

  1. HINT 1: “Right click, view source. What’s there?!”
  2. HINT 2: “login.js leads onto something else…”
  3. HINT 3: “There’s XSS. Try double decoding that value!”

But enough talking, let’s dive into the challenge. The title of this challenge says it all: we have to inspect the site, paying attention to the details, and try to find the hidden content, which will possibly provide us with real credentials to access the website.

After clicking on the “Start the challenge” button we see a popup window presenting the following URL: “https://www.bugbountytraining.com/challenges/challenge-2.php”. Once clicked, we are redirected to the following page:

Nothing out of the ordinary, just a login form asking for credentials, “Admin username” and “Admin password”. Inspecting the code of the page we find the following:

We can immediately notice a comment at the last line of the source code. It directs us to a JavaScript file called “login.js” on the root directory. When browsing this file at “https://www.bugbountytraining.com/challenges/login.js” we have this:

Again, we immediately see a reference to another JavaScript file, “/5ebe2294ecd0e0f08eab7690d2a6ee69.js”, also in the root directory. After browsing to this file, we have this:

Now we have the password. Let’s quickly try it out back in our login page and see if it works:

Excellent.
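From the defender's side, the chain followed above (an HTML comment naming login.js, which in turn names a second script holding the password) can be caught before release. The following is an added example, not code from the challenge or from BugBountyNotes: the file names and contents in `sampleBundle` are constructed, and `auditBundle` and `discoveryChain` are hypothetical helper names for a heuristic pre-release check.

```javascript
// Constructed sample bundle (NOT the challenge's real files): a login page whose
// comment points at a script, which points at a second script with a hardcoded secret.
const sampleBundle = {
  "/login.html": '<form><input name="user"><input name="pass" type="password"></form>\n' +
                 "<!-- TODO: move checks out of /login.js -->",
  "/login.js": "// credential check lives in /a1b2c3d4e5f60718293a4b5c6d7e8f90.js\n" +
               "function submit() { return check(); }",
  "/a1b2c3d4e5f60718293a4b5c6d7e8f90.js": 'var adminPassword = "EXAMPLE-ONLY";\n' +
               "function check() { return pass.value === adminPassword; }",
};

// Heuristics: HTML comments, JS block comments, JS line comments (skipping "http://").
const COMMENT = /<!--([\s\S]*?)-->|\/\*([\s\S]*?)\*\/|(?:^|[^:])\/\/(.*)$/gm;
// Paths a comment or script should not be advertising to anyone who views source.
const FILE_REF = /[\w\/.-]+\.(?:js|php|json|bak|sql)\b/g;
// Secret-looking identifiers assigned a string literal in client-side code.
const SECRET = /\b(\w*(?:pass(?:word|wd)?|secret|token|api_?key)\w*)\s*[:=]\s*["'][^"']+["']/gi;

// Scan every file shipped to the browser and report what it gives away.
function auditBundle(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    for (const m of text.matchAll(COMMENT)) {
      const body = m[1] ?? m[2] ?? m[3] ?? "";
      for (const ref of body.match(FILE_REF) ?? [])
        findings.push({ path, kind: "comment-reveals-path", detail: ref });
    }
    for (const m of text.matchAll(SECRET))
      findings.push({ path, kind: "hardcoded-secret", detail: m[1] }); // name only, never the value
  }
  return findings;
}

// Follow file references from the public entry page, the way a reader of the source would,
// to show that an unguessable file name is still reachable in a couple of hops.
function discoveryChain(files, entry) {
  const seen = [entry];
  for (let i = 0; i < seen.length; i++)
    for (const ref of files[seen[i]].match(FILE_REF) ?? [])
      if (ref in files && !seen.includes(ref)) seen.push(ref);
  return seen;
}

console.log(auditBundle(sampleBundle));
console.log(discoveryChain(sampleBundle, "/login.html").join(" -> "));
```

Any `hardcoded-secret` finding in a file served to the browser means the check belongs on the server; renaming or hiding the file does not change what `discoveryChain` reports.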

I hope you enjoyed this writeup. See ya next time