The Flash (Web Exploitation) – 35


Can you somehow get the flag from this website?


This website is very similar to the previous Web Exploitation challenge. Looking inside the source, we see a similar commented-out password.

<!-- c3RvcHRoYXRqcw== -->

However, entering this string in the input box doesn’t seem to work. The = symbols at the end suggest it is encoded in base64, as = is used there as a padding character. Running it through a decoder, we get the password.


Using this, the flag flashes before our eyes and is then overwritten by ‘HAHHAHAHA’. Luckily for us, we can just check the source and see our flag there.
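
The same leak can be caught from the defender's side before a page ships. The following added example (not part of the original write-up) scans a page's HTML comments for base64 strings that decode to printable text; the function names and the sample page are assumptions, and only the first comment is taken from the challenge.

```python
import base64
import re
from html.parser import HTMLParser

# Runs of 8+ base64-alphabet characters with optional '=' padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

class CommentCollector(HTMLParser):
    """Collects the text of every <!-- ... --> comment in a document."""
    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)

def decode_if_base64(token):
    """Return the decoded text if token is base64 of printable ASCII, else None."""
    if len(token) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("ascii") if raw and all(0x20 <= b < 0x7F for b in raw) else None

def find_encoded_comments(html):
    """Return (token, decoded) pairs for base64 strings found in HTML comments."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for comment in parser.comments:
        for token in B64_TOKEN.findall(comment):
            decoded = decode_if_base64(token)
            if decoded is not None:
                findings.append((token, decoded))
    return findings

# Constructed sample page; only the first comment comes from the write-up.
SAMPLE_HTML = """<html><body>
<!-- c3RvcHRoYXRqcw== -->
<!-- TODO: restyle the password box -->
<input id="password" type="password">
</body></html>"""

if __name__ == "__main__":
    for token, decoded in find_encoded_comments(SAMPLE_HTML):
        print(f"{token} -> {decoded}")
```

Base64 is an encoding, not encryption, so any finding from this scan is a secret anyone viewing the source can read.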