What a cheat, I was promised a flag and I can't even log in. Can you get in for me? flagstorage.vuln.icec.tf. They seem to hash their passwords, but I think the problem is somehow related to this.
<script> $(function(){ var updatePassword = function(e){ // hash client side for better security, never leak the pw over the wire var sha = newjsSHA("SHA-256", "TEXT"); sha.update($(this).val()); $("#password").val(sha.getHash("HEX")); }; $("#password_plain").on("change", updatePassword); $("#form").on("submit", updatePassword); }); </script>
Script will send our password hashed on the network instead of plain text.
Login with random credentials.
Open your browser network analyser and see the POST params: username and password_plain that you filled + password containing e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 is the SHA256 hash of the null string according to this or if you try with https://crackstation.net/.
Description of the challenge tell us it's an SQLi so may be we need to inject username and let password_plain null so our hashed password will correspond to the hash we found.
Try a classic username: ' OR 1=1 # and null password instead of random password.
We get the flag: IceCTF{why_would_you_even_do_anything_client_side}.