As usual, start this level by viewing the page source. Searching for user or pass turns up the following code:
<form method="POST">
<fieldset>
<label for="user">Username:</label>
<input type="Text" name="user" id="user" autocomplete="off"><br>
<label for="user">Password:</label>
<input type="Password" name="pass" id="pass" autocomplete="off"><br>
<input type="hidden" name="passwordfile" value="../../extras/ssap.xml">
<input type="submit" value="Submit" class="button">
</fieldset>
</form>
Line 872 is the interesting one, because it defines a hidden input field named “passwordfile”. Its value, ../../extras/ssap.xml, is a relative path to a file hosted on the server. Going up two directories (from /levels/main/4 to /levels/) and appending the extras/ssap.xml path yields the following:
This suggests that the user is 999 and pass is 911.
The lesson here is not to store anything you don’t want the user to see in a hidden input field: it is sent to the browser with the rest of the page source, so it’s not truly hidden if you’re pointing right at it.
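To catch this in your own pages before release, the following added example (not code from the level or its site) scans form HTML for hidden inputs whose value looks like a file path and shows the URL it resolves to. The host example.test, the trailing-slash page URL, the path heuristic and the names HiddenFieldAudit and audit are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin
import re

# Constructed sample: the form fields from this level, as quoted above.
FORM_HTML = """
<form method="POST">
<input type="Text" name="user" id="user" autocomplete="off">
<input type="Password" name="pass" id="pass" autocomplete="off">
<input type="hidden" name="passwordfile" value="../../extras/ssap.xml">
<input type="submit" value="Submit" class="button">
</form>
"""

# Heuristic (assumption): a path separator or a trailing file extension.
PATH_LIKE = re.compile(r"/|\\|\.[A-Za-z0-9]{2,5}$")


class HiddenFieldAudit(HTMLParser):
    """Collect hidden inputs whose value looks like a server-side path."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() != "hidden":
            return
        value = a.get("value", "")
        if PATH_LIKE.search(value):
            self.findings.append({
                "name": a.get("name", ""),
                "value": value,
                # Where the path lands when read relative to the page URL.
                "resolves_to": urljoin(self.page_url, value),
            })


def audit(html, page_url):
    """Return one finding per hidden input that exposes a path-like value."""
    parser = HiddenFieldAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    for finding in audit(FORM_HTML, "https://example.test/levels/main/4/"):
        print(finding)
```

Any finding is a prompt to move the value server-side (configuration or session state) and to check that the referenced file is not served by the web server.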