Hiding in plain sight
Challenge

Password managers are for the nerds, I will just write mine down where I need it.
Application: https://pizzamario2025.mendixctf.com
Difficulty: Easy
Solution
Where do we need passwords? At the login page! The Pizza Mario app has a custom login page. A quick search of this page and of its images did not reveal any hints or flags. Might there be another login page? New Mendix apps ship with a default login.html for sign-in. Maybe that is still enabled? Append login.html to the URL, and we get the default login page.
That’s a fun background image… but where’s the flag? I can’t find it… Let’s revisit the custom login page and check if the Reset Password flow exposes any secrets. It can’t be this hard—or can it? Opening the browser to the login.html page again, this time on my main monitor… and there it is! I missed it initially because the browser was on my second, vertically positioned monitor, which hid the rest of the image.

Vulnerability
This challenge maps to TSU-09: Insecure UI Components: do not expose secrets to the client. Anything shipped to the browser, including the background image of a forgotten default login page, is readable by every visitor.
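A pre-deploy check a defender could run against the files a Mendix app serves to the browser, written as an added example for this write-up (it is not code from the challenge or from Mendix). It assumes the client-delivered assets sit under one directory passed as `web_root`; the sample tree, the file names and the secret strings in it are constructed inline. Text assets are grepped for secret-shaped strings, while image assets are only listed for manual review, because a flag painted into a background image, as in this challenge, will never match a regex.

```python
"""Pre-deploy check for TSU-09 style leaks: grep client-served assets for
secret-looking strings and list image assets for manual review.

Added example, not part of the original write-up or of Mendix.
Assumes all files delivered to the browser live under `web_root`
(assumption); the sample tree below is constructed for the demo."""
import re
import tempfile
from pathlib import Path

# Strings that should never reach a browser. The CTF{...} form matches
# this write-up's flag format; the rest are common credential shapes.
# Constructed list: extend it with your own app's secret formats.
SECRET_PATTERNS = {
    "ctf_flag": re.compile(r"CTF\{[^}]{1,64}\}"),
    "password_assignment": re.compile(r"(?i)password\s*[:=]\s*['\"]?[^\s'\"]{4,}"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

TEXT_SUFFIXES = {".html", ".htm", ".js", ".css", ".json", ".txt", ".svg"}
IMAGE_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif", ".webp"}


def scan_client_assets(web_root):
    """Return (text_hits, needs_review).

    text_hits: list of (relative_path, pattern_name, matched_text)
    needs_review: relative paths of image assets a regex cannot inspect;
    the flag in this challenge sat inside a background image, so these
    must be looked at by a human rather than skipped."""
    root = Path(web_root)
    text_hits, needs_review = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        suffix = path.suffix.lower()
        if suffix in TEXT_SUFFIXES:
            content = path.read_text(encoding="utf-8", errors="replace")
            for name, pattern in SECRET_PATTERNS.items():
                for match in pattern.finditer(content):
                    text_hits.append((rel, name, match.group(0)))
        elif suffix in IMAGE_SUFFIXES:
            needs_review.append(rel)
    return text_hits, needs_review


def build_sample_web_root():
    """Construct a small fake deployment tree (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="tsu09_"))
    (root / "login.html").write_text(
        "<html><body style=\"background:url(img/bg.png)\">"
        "<!-- TODO remove: password = 'Hunter2!' --></body></html>\n",
        encoding="utf-8")
    (root / "app.js").write_text(
        "var banner = 'CTF{example-constructed-flag}';\n", encoding="utf-8")
    (root / "img").mkdir()
    # A PNG signature stands in for the real background image.
    (root / "img" / "bg.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return root


if __name__ == "__main__":
    hits, review = scan_client_assets(build_sample_web_root())
    for rel, name, text in hits:
        print(f"LEAK   {rel}: {name} -> {text}")
    for rel in review:
        print(f"REVIEW {rel}: image asset, inspect by eye")
```

Run it against the directory your build actually publishes; a non-empty `text_hits` should fail the pipeline, and the `needs_review` list is the reminder that binary assets (and leftover default pages such as login.html) get a human look before release.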
Flag
This is fine.
CTF{H!DinG1nPL4inSight}