This web application has a mysterious button that holds the key to success, but there's just one problem - it's completely deactivated! 🚫 The developers thought they were clever by disabling it, but client-side restrictions are rarely as secure as they appear. 💡 Put your browser manipulation skills to the test and discover how to breathe life back into this dormant button! 🔓
Navigate to
in your web browser. You'll see a simple web page with a large button labeled "Click me to get the flag!" that appears grayed out and unresponsive.
Right-click on the disabled button and select "Inspect" or "Inspect Element" to open the browser's Developer Tools. This will highlight the button element in the HTML source code.
<button id="flagButton" class="flag-button" disabled onclick="retrieveFlag()">
    Click me to get the flag!
</button>
Notice the disabled attribute that prevents the button from being clicked and the retrieveFlag() function it calls.
There are several methods to enable the button:
In the Elements/Inspector tab of Developer Tools:
disabled attribute in the HTML
Switch to the Console tab in Developer Tools and execute:
document.getElementById('flagButton').disabled = false;
Or alternatively:
document.getElementById('flagButton').removeAttribute('disabled');
The retrieveFlag() function is obfuscated, making it harder to understand directly. You can:
Once you've removed the disabled attribute, click the button to trigger the retrieveFlag() function. Monitor the Network tab to see the API call being made.
When the button is clicked, the obfuscated JavaScript function makes a POST request to /api/v2/secure/flag-service with specific headers and payload:
Headers:
- Content-Type: application/json
- X-Request-Token: [base64 encoded timestamp]
- X-Button-Activated: true

Body:
{
    "action": "retrieve_flag",
    "timestamp": [current timestamp],
    "source": "button_activation"
}
After clicking the activated button, the service responds with the flag in JSON format. The page will display a success message with the flag.
Advanced users might also try:
// Call the function directly after enabling the button
document.getElementById('flagButton').disabled = false;
retrieveFlag();

// Examine the obfuscated arrays to understand the API call
console.log(_0xa2b4); // View the string array
// Look for API endpoint and required headers

// Make the API call manually with proper headers
fetch('/api/v2/secure/flag-service', {
    method: 'POST',
    headers: {
        'Content-Type': 'application/json',
        'X-Request-Token': btoa('flag_request_' + Math.floor(Date.now()/1000)),
        'X-Button-Activated': 'true'
    },
    body: JSON.stringify({
        action: 'retrieve_flag',
        timestamp: Math.floor(Date.now()/1000),
        source: 'button_activation'
    })
}).then(r => r.json()).then(console.log);
Monitor the Network tab in Developer Tools to see the API endpoint and request structure when the button is clicked, bypassing the need to deobfuscate the code.
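The defensive lesson of this lab, as an added example that is not the lab's own code: a server check built only on the headers and body listed above accepts any client, while a check against server-held session state does not. The handler shape, the session store, the session ids and the entitlement name are assumptions made for illustration.

```javascript
// Constructed server-side state (assumption): what each session may do.
const sessions = new Map([
  ['sess-player', { user: 'player', entitlements: new Set() }],
  ['sess-admin', { user: 'admin', entitlements: new Set(['retrieve_flag']) }],
]);

// Weak: every value inspected here is chosen by the client, so re-enabling
// the button or replaying the request from the console satisfies it.
function weakAuthorize(req) {
  const token = Buffer.from(req.headers['x-request-token'] || '', 'base64').toString();
  return req.headers['x-button-activated'] === 'true'
    && /^flag_request_\d+$/.test(token)
    && req.body.action === 'retrieve_flag';
}

// Hardened: the decision comes from server-held state keyed by the session;
// client-supplied UI hints such as X-Button-Activated are ignored.
function hardenedAuthorize(req, store) {
  const session = store.get(req.sessionId);
  if (!session) return { allowed: false, reason: 'no valid session' };
  if (!session.entitlements.has(req.body.action)) {
    return { allowed: false, reason: 'action not permitted for ' + session.user };
  }
  return { allowed: true, reason: 'entitled' };
}

// Constructed request matching the headers and body described above.
function sampleRequest(sessionId) {
  const ts = Math.floor(Date.now() / 1000);
  return {
    sessionId,
    headers: {
      'content-type': 'application/json',
      'x-request-token': Buffer.from('flag_request_' + ts).toString('base64'),
      'x-button-activated': 'true',
    },
    body: { action: 'retrieve_flag', timestamp: ts, source: 'button_activation' },
  };
}

// Same request from three sessions: the weak check cannot tell them apart.
for (const id of ['sess-player', 'sess-admin', 'sess-unknown']) {
  const req = sampleRequest(id);
  console.log(id, 'weak:', weakAuthorize(req), 'hardened:', hardenedAuthorize(req, sessions));
}
```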