Javascript

Why not ?

Another login form.

Once we look at the source code we find this.

        <script>

			// Look's like weak JavaScript auth script :)

			$(".c_submit").click(function(event) {

				event.preventDefault();
				var k = new Array(176,214,205,246,264,255,227,237,242,244,265,270,283);
				var u = $("#cuser").val();
				var p = $("#cpass").val();
				var t = true;

				if(u == "administrator") {
					for(i = 0; i < u.length; i++) {
						if((u.charCodeAt(i) + p.charCodeAt(i) + i * 10) != k[i]) {
							$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
							t = false;
							break;
						}
					}

				} else {
					$("#cresponse").html("<div class='alert alert-danger'>Wrong password sorry.</div>");
					t = false;
				}

				if(t) {
					if(document.location.href.indexOf("?p=") == -1) {
						document.location = document.location.href + "?p=" + p;
               			}
				}
			});
		</script>

The condition for the password can be found in:

    if((u.charCodeAt(i) + p.charCodeAt(i) + i * 10) != k[i]) {

So we know that the username is “administrator” and that the k array has 13 elements, one for each character of the username. We have to make sure that the Unicode number of the first character of the username + the Unicode number of the first character of the password + i times 10 is equal to the first number of the k array, and the same for every following position i.

We’ll write a Python script that finds the Unicode number of the first letter of the username + i * 10, then subtracts it from the first number in the k array. That gives us the Unicode number of the first character of the password, and repeating it for each index gives the rest.

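We’ll create a Python script to do it for us:

    # Constants copied from the page's JavaScript check
    k = [176,214,205,246,264,255,227,237,242,244,265,270,283]
    username = "administrator"
    password = []

    for i in range(len(username)):
        # Solve u[i] + p[i] + i * 10 == k[i] for p[i]
        unipass = k[i] - ord(username[i]) - i * 10
        password.append(unipass)

    # Python 3: chr() replaces unichr(), print is a function
    print(''.join(map(chr, password)))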

> OhLord4309111

If we log in as administrator:OhLord4309111 we get the flag.

The flag is FLAG-65t23674o6N2NehA44272G24
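The fix for this kind of check is to move it to the server. The sketch below is an added example, not code from the challenge or its site: it first shows that the k array is just the password in another encoding, then does the same login check server-side with a salted PBKDF2 digest and a constant-time comparison. The function names, the iteration count and the demo passphrase are assumptions made for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune per deployment)


def client_side_constants(username: str, password: str) -> list:
    """Forward direction of the page's check: k[i] = u[i] + p[i] + 10*i.
    Every term except p[i] is public, so k is the password in another encoding."""
    return [ord(u) + ord(p) + 10 * i
            for i, (u, p) in enumerate(zip(username, password))]


def make_record(password: str) -> dict:
    """Server-side enrolment: store a random salt and a slow one-way digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest}


def verify_login(store: dict, username: str, password: str) -> bool:
    """Server-side check; the browser only submits the two form fields."""
    record = store.get(username)
    # Unknown users still cost one derivation, so timing does not reveal them.
    salt = record["salt"] if record else bytes(16)
    expected = record["digest"] if record else bytes(32)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constant-time comparison instead of a loop that stops at the first mismatch.
    return hmac.compare_digest(candidate, expected) and record is not None


if __name__ == "__main__":
    # Constructed demo credential, not a real account.
    store = {"administrator": make_record("demo-Passphrase-42")}
    print(client_side_constants("administrator", "demo-Passphrase-42"))
    print(verify_login(store, "administrator", "demo-Passphrase-42"))
    print(verify_login(store, "administrator", "wrong"))
```

Nothing in the stored record can be solved for the password the way k can, and the page served to the browser no longer contains any secret-derived constants.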