Siunam's Website

My personal website

Home About Me Blog CTF Writeups Projects

logon | Mar 3, 2023


Welcome to my another writeup! In this picoGym challenge, you’ll learn: Exploiting Broken Access Control (BAC)! Without further ado, let’s dive in.


Author: bobson


The factory is hiding things from all of its users. Can you login as Joe and find what they’ve been looking at? (link) or


Home page:

View source page:

<form role="form" action="/login" method="post">
        <div class="form-group">
            <input type="text" name="user" id="email" class="form-control input-lg" placeholder="Username">
        <div class="form-group">
            <input type="password" name="password" id="password" class="form-control input-lg" placeholder="Password">
    <div class="row">
        <div class="col-xs-12 col-sm-12 col-md-12">
            <input type="submit" class="btn btn-lg btn-success btn-block" value="Sign In">

In here, we see the home page has a login form.

When when clicked on the “Sign In” button, it’ll send a POST request to /login, with parameter user, password.

In the challenge’s description, it said:

“Can you login as Joe and find what they’ve been looking at?”

Now, we can try to login:

Burp Suite HTTP history:

When we sent a POST request to /login, it’ll redirect us to /flag, and set 3 new cookies: password, username, admin.


Hmm… The admin cookie looks sussy.

Let’s try to change it’s value to True:

Boom! We’re an admin now, and found the flag!

What we’ve learned:

  1. Exploiting Broken Access Control (BAC)