Lab/Room TryHackMe - Authentication Bypass
Type Challenge
Status Done
Date 10/02/2026

Context

Want to be a part of the elite club of CyberHeroes? Prove your merit by finding a way to log in!

Starting hypothesis

Authentication bypass.

Method / Used Tools

Site recon

While attempting to authenticate via /login.html, an unusual behavior immediately stood out. Clicking the login button did not trigger any observable HTTP request, which strongly suggested that the authentication logic was handled entirely on the client side rather than being validated by a backend service.

This assumption was reinforced by a quick inspection of the page sources:

<script>
  function authenticate() {
    a = document.getElementById('uname')
    b = document.getElementById('pass')
    const RevereString = str => [...str].reverse().join('');
    if (a.value=="h3ck3rBoi" & b.value==RevereString("54321@terceSrepuS")) { 
      var xhttp = new XMLHttpRequest();
      xhttp.onreadystatechange = function() {
        if (this.readyState == 4 && this.status == 200) {
          document.getElementById("flag").innerHTML = this.responseText ;
          document.getElementById("todel").innerHTML = "";
          document.getElementById("rm").remove() ;
        }
      };
      xhttp.open("GET", "RandomLo0o0o0o0o0o0o0o0o0o0gpath12345_Flag_"+a.value+"_"+b.value+".txt", true);
      xhttp.send();
    }
    else {
      alert("Incorrect Password, try again.. you got this hacker !")
    }
  }
</script>

Reviewing the loaded JavaScript revealed an authenticate() function responsible for the entire login process. The function retrieves the username and password values from the DOM and compares them against values hardcoded in the script.

The key logic relied on reversing a hardcoded string using a helper function (RevereString) and comparing the entered password against the result. If both the username and the password matched the expected values, an XMLHttpRequest was issued to retrieve a file containing the flag, at a path built from the submitted username and password. Otherwise, a generic error message was displayed to the user.

Because the credentials were hardcoded and processed entirely client-side, no server-side protection or verification was in place, making the authentication trivial to bypass.
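
For contrast with the client-side check above, here is a server-side version of the same login, written as an added example for Node.js (it is not code from the challenge or its site). The account, the names verifyLogin and handleLogin, and the PROTECTED placeholder are hypothetical; the point is that the comparison and the protected content both stay on the server.

```javascript
// Added example: the credential check moved to the server (Node.js standard library only).
const crypto = require('node:crypto');

// Constructed demo account. Only a salt and an scrypt hash are kept; the
// plaintext appears here solely to build the sample record.
const SALT = crypto.randomBytes(16);
const USERS = new Map([
  ['demo-user', { salt: SALT, hash: crypto.scryptSync('demo-passphrase', SALT, 32) }],
]);
// Dummy record so an unknown username costs the same work as a known one.
const DUMMY = { salt: SALT, hash: crypto.randomBytes(32) };

// Placeholder for the protected content. It is held by the server and is
// not a static file whose URL can be derived from the page source.
const PROTECTED = 'PLACEHOLDER_PROTECTED_CONTENT';

// Returns true only for a known user whose password hashes to the stored value.
function verifyLogin(username, password) {
  if (typeof username !== 'string' || typeof password !== 'string') return false;
  const rec = USERS.get(username) || DUMMY;
  const candidate = crypto.scryptSync(password, rec.salt, 32);
  // Constant-time comparison of two equal-length buffers.
  const match = crypto.timingSafeEqual(candidate, rec.hash);
  return match && USERS.has(username);
}

// Framework-neutral handler for a POST /login body; returns { status, body }.
function handleLogin(rawBody) {
  let creds;
  try {
    creds = JSON.parse(rawBody);
  } catch {
    return { status: 400, body: 'bad request' };
  }
  if (!creds || typeof creds !== 'object') {
    return { status: 400, body: 'bad request' };
  }
  if (!verifyLogin(creds.username, creds.password)) {
    // Same response for unknown user and wrong password.
    return { status: 401, body: 'invalid credentials' };
  }
  return { status: 200, body: PROTECTED };
}
```

With this layout the page's script only submits the form values; nothing in the delivered JavaScript contains the expected credentials or the location of the protected content.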

Flag

The JavaScript code revealed the following hardcoded credentials:

By reversing the password string manually: