Rating:

Since the name of the task and the hint both indicate that verification is done
client-side, let's look at the page's source. We find the following inline
script :

```javascript
function verify() {
checkpass = document.getElementById("pass").value;
split = 4;
if (checkpass.substring(split*7, split*8) == '}') {
if (checkpass.substring(split*6, split*7) == '06ac') {
if (checkpass.substring(split*5, split*6) == 'd_5e') {
if (checkpass.substring(split*4, split*5) == 's_ba') {
if (checkpass.substring(split*3, split*4) == 'nt_i') {
if (checkpass.substring(split*2, split*3) == 'clie') {
if (checkpass.substring(split, split*2) == 'CTF{') {
if (checkpass.substring(0,split) == 'pico') {
alert("You got the flag!")
}
}
}
}
}
}
}
}
else {
alert("Incorrect password");
}
}
```
It checks 4 characters of the provided password at a time, starting from the
end, against hardcoded strings. We just concatenate those strings fron the
innermost `if` statement to the outermost to get the flag :
`picoCTF{client_is_bad_5e06ac}`

Original writeup (http://blog.iodbh.net/picoctf2018-web-client-side-still-bad.html).