This was one of the easiest challenges in the 2014 CTF, and it involved a simple web log in interface. Checking the page’s source code revealed nothing interesting so I entered a test username and password and was taken to a page telling me that the login had failed. Again, there was nothing interesting in the page’s source code. However, the URL of the log in failed page was:

i.e. as a massive flashing red light in an hacking challenge. Removing the URL encoding (using this became: `anzr` SEBZ `hfref` JURER `anzr` = 'nnnn' NAQ `cnffjbeq` = ZQ5('oooo')

As an additional test I entered abcdef as the username and 12345 as the password and got: `anzr` SEBZ `hfref` JURER `anzr` = 'nopqrs' NAQ `cnffjbeq` = ZQ5('12345')

abcdef seems to have become nopqrs and 12345 became 12345, so this is ROT13 encoding. ROT13 decoding ( the whole URL we get: `name` FROM `users` WHERE `name` = 'abcdef' AND `password` = MD5('12345')

I.e., SQL is being past to the login page as a query. We change this to a query that will always work: `name` FROM `users`

ROT13 encode it: `anzr` SEBZ `hfref`

URL encode it:

And going to this URL we get the flag:

Encrypted Login

Hello admin! The flag is flag{nobody_needs_server_side_validation}.