Level 1
Forensics
Digital Camouflage
Challenge description: We need to gain access to some routers. Let's try and see if we can find the password in the captured network data: data.pcap.
Solution:
1.- We download the file "data.pcap", open it in Wireshark and filter by "http".
2.- We go to the line with the "POST" method, open it with "Follow HTTP Stream", and it shows:
userid=laplantee&pswrd=dnlBalFHMGhoNg%3D%3DHTTP/1.0 200 OK
3.- The password is Base64-encoded (the trailing "%3D%3D" is the URL-encoded "=="); we decode it to plain text and obtain the flag: "vyAjQG0hh6".
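The decoding from steps 2 and 3, as an added example that is not part of the original write-up: it splits the form body from the followed stream, undoes the URL encoding and then the Base64. The function name is this example's own.

```python
import base64
import binascii
from urllib.parse import unquote

# Request body as shown in the followed stream; the "HTTP/1.0 200 OK" that
# follows it there is the first line of the server's reply, not form data.
BODY = "userid=laplantee&pswrd=dnlBalFHMGhoNg%3D%3D"


def decode_form(body):
    """Map each form field to (url_decoded_value, base64_text_or_None)."""
    fields = {}
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        # unquote (not unquote_plus) so a literal "+" inside a Base64 value
        # is not turned into a space; %3D%3D becomes "==".
        value = unquote(value)
        decoded = None
        try:
            # validate=True rejects anything that is not strict Base64, so
            # ordinary fields such as the user id are left undecoded.
            decoded = base64.b64decode(value, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            pass
        fields[name] = (value, decoded)
    return fields


if __name__ == "__main__":
    for field, (raw, text) in decode_form(BODY).items():
        print(f"{field}: {raw!r} -> {text!r}")
```

Base64 is an encoding, not encryption: anyone who can read the HTTP stream can recover the password this way.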
Special Agent User
Challenge description: We can get into the Administrator's computer
with a browser exploit. But first, we need to figure out what browser
they're using. Perhaps this information is located in a network packet
capture we took: data.pcap.
Enter the browser and version as "BrowserName BrowserVersion". NOTE:
We're just looking for up to 3 levels of subversions for the browser
version (ie. Version 1.2.3 for Version 1.2.3.4) and ignore any 0th
subversions (ie. 1.2 for 1.2.0)
Solution:
1.- We download the file data.pcap and analyze it with Wireshark; what we are looking for is which browser they use and its version.
2.- Filtering by http, we can go line by line checking which "User-Agent" is used; all of them show Wget, except one line that shows:
User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
3.- We look for a browser with 3 version levels, and the only one is Chrome/40.0.2214.93.
4.- The flag is: Chrome 40.0.2214
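The same selection done in code, as an added example that is not part of the original write-up: it skips non-browser clients such as Wget, picks the browser token out of the User-Agent header and applies the challenge's version rule (at most 3 levels, trailing 0 levels dropped). The Wget header is a constructed sample, and the short BROWSERS list is an assumption of this example.

```python
import re

# Constructed sample: the Wget line is made up for illustration; the second
# header is the one found in the capture.
HEADERS = [
    "User-Agent: Wget/1.16 (linux-gnu)",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36",
]

# product/version tokens, e.g. "Chrome/40.0.2214.93"
PRODUCT = re.compile(r"([A-Za-z]+)/(\d+(?:\.\d+)*)")
# Chrome headers also carry a "Safari/..." token, so order matters here.
BROWSERS = ("Chrome", "Firefox")


def normalize_version(version):
    """Keep at most 3 levels and drop trailing zero levels (1.2.0 -> 1.2)."""
    parts = version.split(".")[:3]
    while len(parts) > 1 and int(parts[-1]) == 0:
        parts.pop()
    return ".".join(parts)


def browsers_from_headers(headers):
    """Return 'BrowserName BrowserVersion' for every browser User-Agent."""
    found = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "user-agent":
            continue
        products = dict(PRODUCT.findall(value))
        for browser in BROWSERS:
            if browser in products:
                version = normalize_version(products[browser])
                found.append(f"{browser} {version}")
                break
    return found


if __name__ == "__main__":
    print(browsers_from_headers(HEADERS))
```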
Cryptography
Substitute
Challenge description: A wizard (he seemed kinda odd...) handed me this. Can you figure out what it says?
Solution:
1.- We open the .txt file and see the following text:
MIT YSAU OL OYGFSBDGRTKFEKBHMGCALSOQTMIOL. UTFTKAMTR ZB DAKQGX EIAOF GY MIT COQOHTROA HAUT GF EASXOF AFR IGZZTL. ZT CTKT SGFU, MIT YSACL GF A 2005 HKTLTFM MODTL MIAF LMADOFA GK A CTTQSB LWFRAB, RTETDZTK 21, 1989 1990, MIT RKTC TROMGKL CAL WHKGGMTR TXTKB CGKSR EAF ZT YGWFR MIT EGFMOFWTR MG CGKQ AM A YAOMIYWS KTHSOTL CITKT IGZZTL, LMBST AOD EASXOF, AMMAEQ ZGMI LORTL MG DAKQL, "CIAM RG EGFMKGSSOFU AF AEMWAS ZGAKR ZGVTL OF MIT HKTHAKTFML FADT, OL ODHWSLOXT KADHAUTL OF CIOEI ASCABL KTYTKTFETL MIT HALLCGKR, CIOEI DGFTB, AFR MITB IAR SOMMST YKGFM BAKR IOL YKWLMKAMTR EGSGK WFOJWT AZOSOMB COMI AFR OFROLHTFLAMT YGK MTAEI GMITK LMWROTL, AKT ACAKRL ZARUTL, HWZSOLITR ZTYGKT CTSS AL A YOKT UKGLL HSAFL CTKT GKOUOFASSB EIAKAEMTKL OF MIT LMKOH MG CIOEI LTTD MG OM CITF MTDHTKTR OF AFR IASSGCOFU MITB'KT LODHSB RKACOFU OF UOXTL GF" HKOFEOHAS LHOMMST ROLMGKM, KTARTKL EGDOEL AKT WLT, CAMMTKLGF MGGQ MCG 16-DGFMIL AYMTK KTLOLMAQTL A DGKT EKTAM RTAS MG EASXOF GYMTF IGZZTL MG ARDOML "LSODB, "ZWM OM'L FADTR A FOUIM GWM LIT OL HGOFM GY FGM LTTF IGZZTL MIT ZGGQL AM MIAM O KTDAOFOFU ZGGQ IADLMTK IWTB AKT AHHTAKAFET: RTETDZTK 6, 1995 DGD'L YKADTL GY EASXOF UOXTF A CAUGF, LGDTMODTL MIAM LG OM'L YAMITKT'L YADOSB FG EAFETSSAMOGFLIOH CAL HKTLTFML YKGD FGXTDZTK 21, 1985 SALM AHHTAK AZLTFET OF AFGMITKCOLT OM IAHHB MG KWF OM YGK MIOL RAR AL "A SOMMST MG MGSTKAMT EASXOF'L YADOSB RKACF ASDGLM EGDDTFRTR WH ZTOFU HTGHST OFLMAFET, UTM DAKKOTR ZB A RAFET EASXOF'L GWMSAFROLOFU MIT FTCLHAHTK GK MAZSGOR FTCLHAHTK ZWLOFTLL LIGC OL GF!" 
AFR LHKOFML GY EIOSRKTF'L RAR'L YKWLMKAMTR ZB MWKF IWDGK, CAL HWZSOE ROASGU MITKT'L FGM DWEI AL "'94 DGRTKFOLD" CAMMTKLGF IAL RTSOUIML GY YAFMALB SOYT CAMMTKLGF LABL LTKXTL AL AF AKMOLML OL RTLMKWEMOGF ZWLOFTLL, LHAETYAKTK GY MIT GHHGKMWFOMOTL BGW ZGMI A MGHOE YGK IOL IGDT MGFUWT-OF-EITTQ HGHWSAK MIAM OM CAL "IGF" AFR JWAKMTK HAUT DGKT LHAEOGWL EAFETSSAMOGF MIT HAOK AKT ESTAKSB OF HLBEIOE MKAFLDGUKOYOTK'L "NAH" LGWFR TYYTEM BGW MIOFQTK CAMMTKLGF ASLG UKTC OFEKTROZST LHAET ZWBL OF EGDDGFSB CIOST GMITKCOLT OM'L FADT OL FGMAZST LMGKBSOFT UAXT MIT GHHGKMWFOMOTL BGW EAFETSSAMOGF MIT "EASXOF GYYTK MG DAQT IOD OFEGKKTEM AFLCTKL CAMMTK AKMCGKQ GMITK GYMTF CIOEI OL TXORTFM MG GMITK LMKOH OL MG MITOK WLT GY KWSTL MIAM LIGCF GF LAFROYTK, CIG WLTL A EKGCJWOSS ZT LTTF "USWTR" MG MIT GFSB HTKL AFR IOL YAMITK LWHHGKM OL SWFEISOFT UAXT MITLT MIOF A BTAK OF DWSMODAMTKOAS AFR GZMAOF GF LAFMALB, IOL WLT, CAMMTKL ROASGUWT OL AF "AKMOLM'L LMAMWL AL "A ROD XOTC OF MIT TLLTFMOASSB MG DAQT IOD LTTD MG OFESWRTR MIAM EASXOF OL AF GRR ROASGUWT DGLM GY MIT ESWZ IAL TVHKTLLOGF GWMLORT AXAOSAZST MG
2.- The text is scrambled and all in uppercase; we will use an online tool to solve it.
3.- We obtain the following text:
THE FLAG IS IFONLYMODERNCRYPTOWASLIKETHIS. GENERATED BY MARKOV CHAIN OF
THE WIKIPEDIA PAGE ON CALVIN AND HOBBES. BE WERE LONG, THE FLAWS ON A
2005 PRESENT TIMES THAN STAMINA OR A WEEKLY SUNDAY, DECEMBER 21, 1989
1990, THE DREW EDITORS WAS UPROOTED EVERY WORLD CAN BE FOUND THE
CONTINUED TO WORK AT A FAITHFUL REPLIES WHERE HOBBES, STYLE AIM CALVIN,
ATTACK BOTH SIDES TO MARKS, "WHAT DO CONTROLLING AN ACTUAL BOARD BOXES
IN THE PREPARENTS NAME, IS IMPULSIVE RAMPAGES IN WHICH ALWAYS REFERENCES
THE PASSWORD, WHICH MONEY, AND THEY HAD LITTLE FRONT YARD HIS
FRUSTRATED COLOR UNI?UE ABILITY WITH AND INDISPENSATE FOR TEACH OTHER
STUDIES, ARE AWARDS BADGES, PUBLISHED BEFORE WELL AS A FIRE GROSS PLANS
WERE ORIGINALLY CHARACTERS IN THE STRIP TO WHICH SEEM TO IT WHEN
TEMPERED IN AND HALLOWING THEY'RE SIMPLY DRAWING IN GIVES ON" PRINCIPAL
SPITTLE DISTORT, READERS COMICS ARE USE, WATTERSON TOOK TWO 16-MONTHS
AFTER RESISTAKES A MORE CREAT DEAL TO CALVIN OFTEN HOBBES TO ADMITS
"SLIMY, "BUT IT'S NAMED A NIGHT OUT SHE IS POINT OF NOT SEEN HOBBES THE
BOOKS AT THAT I REMAINING BOOK HAMSTER HUEY ARE APPEARANCE: DECEMBER 6,
1995 MOM'S FRAMES OF CALVIN GIVEN A WAGON, SOMETIMES THAT SO IT'S
FATHERE'S FAMILY NO CANCELLATIONSHIP WAS PRESENTS FROM NOVEMBER 21, 1985
LAST APPEAR ABSENCE IN ANOTHERWISE IT HAPPY TO RUN IT FOR THIS DAD AS
"A LITTLE TO TOLERATE CALVIN'S FAMILY DRAWN ALMOST COMMENDED UP BEING
PEOPLE INSTANCE, GET MARRIED BY A DANCE CALVIN'S OUTLANDISING THE
NEWSPAPER OR TABLOID NEWSPAPER BUSINESS SHOW IS ON!" AND SPRINTS OF
CHILDREN'S DAD'S FRUSTRATED BY TURN HUMOR, WAS PUBLIC DIALOG THERE'S NOT
MUCH AS "'94 MODERNISM" WATTERSON HAS DELIGHTS OF FANTASY LIFE
WATTERSON SAYS SERVES AS AN ARTISTS IS DESTRUCTION BUSINESS, SPACEFARER
OF THE OPPORTUNITIES YOU BOTH A TOPIC FOR HIS HOME TONGUE-IN-CHEEK
POPULAR THAT IT WAS "HON" AND ?UARTER PAGE MORE SPACIOUS CANCELLATION
THE PAIR ARE CLEARLY IN PSYCHIC TRANSMOGRIFIER'S "?AP" SOUND EFFECT YOU
THINKER WATTERSON ALSO GREW INCREDIBLE SPACE BUYS IN COMMONLY WHILE
OTHERWISE IT'S NAME IS NOTABLE STORYLINE GAVE THE OPPORTUNITIES YOU
CANCELLATION THE "CALVIN OFFER TO MAKE HIM INCORRECT ANSWERS WATTER
ARTWORK OTHER OFTEN WHICH IS EVIDENT TO OTHER STRIP IS TO THEIR USE OF
RULES THAT SHOWN ON SANDIFER, WHO USES A CROW?UILL BE SEEN "GLUED" TO
THE ONLY PERS AND HIS FATHER SUPPORT IS LUNCHLINE GAVE THESE THIN A YEAR
IN MULTIMATERIAL AND OBTAIN ON SANTASY, HIS USE, WATTERS DIALOGUE IS AN
"ARTIST'S STATUS AS "A DIM VIEW IN THE ESSENTIALLY TO MAKE HIM SEEM TO
INCLUDED THAT CALVIN IS AN ODD DIALOGUE MOST OF THE CLUB HAS EXPRESSION
OUTSIDE AVAILABLE TO
4.- The flag is: IFONLYMODERNCRYPTOWASLIKETHIS
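A check on the tool's output, as an added example that is not part of the original write-up: it aligns the opening of the ciphertext with the recovered plaintext, rebuilds the letter table, and fails if the pairing is not a one-to-one substitution. The function names are this example's own.

```python
# Opening of the ciphertext and of the tool's output, copied from above.
CIPHER = ("MIT YSAU OL OYGFSBDGRTKFEKBHMGCALSOQTMIOL. UTFTKAMTR ZB DAKQGX "
          "EIAOF GY MIT COQOHTROA HAUT GF EASXOF AFR IGZZTL.")
PLAIN = ("THE FLAG IS IFONLYMODERNCRYPTOWASLIKETHIS. GENERATED BY MARKOV "
         "CHAIN OF THE WIKIPEDIA PAGE ON CALVIN AND HOBBES.")


def derive_table(cipher, plain):
    """Build the cipher->plain letter table from two aligned texts.

    Raises ValueError if one cipher letter maps to two plain letters or two
    cipher letters map to the same plain letter, i.e. if the pair cannot
    come from a single monoalphabetic substitution.
    """
    if len(cipher) != len(plain):
        raise ValueError("texts are not aligned")
    table, used = {}, {}
    for c, p in zip(cipher, plain):
        if not c.isalpha():
            if c != p:
                raise ValueError(f"punctuation mismatch: {c!r} vs {p!r}")
            continue
        if table.setdefault(c, p) != p or used.setdefault(p, c) != c:
            raise ValueError(f"conflicting mapping for {c}->{p}")
    return table


def decrypt(text, table):
    """Apply the table; letters not seen in the aligned sample become '?'."""
    return "".join(table.get(ch, "?") if ch.isalpha() else ch for ch in text)


if __name__ == "__main__":
    table = derive_table(CIPHER, PLAIN)
    print(len(table), "letters recovered")
    print(decrypt("EASXOF GYMTF IGZZTL", table))
```

Two sentences of known text already fix 21 of the 26 letters, which is why a single fixed letter table offers no real protection.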
Hash101
Challenge description:
Prove your knowledge of hashes and claim a flag as your prize! Connect to the service at shell2017.picoctf.com:33628
UPDATED 16:12 EST 1 Apr.
Solution:
1.- We open a shell and connect with netcat.
david@mdb:~$ nc shell2017.picoctf.com 33628
Welcome to Hashes 101!
There are 4 Levels. Complete all and receive a prize!
2.- Level 1 only asks for the ASCII text of a binary string; we will use an online tool.
-------- LEVEL 1: Text = just 1's and 0's --------
All text can be represented by numbers. To see how different letters translate to numbers, go to http://www.asciitable.com/
TO UNLOCK NEXT LEVEL, give me the ASCII representation of
0111001101110111011011110111001001100100
>sword
Correct! Completed level 1
3.- Level 2 asks for the hexadecimal form of the previous word (in my case "sword") and then its decimal value. (We will use the same online tool.)
------ LEVEL 2: Numbers can be base ANYTHING -----
Numbers can be represented many ways. A popular way to represent computer data is in base 16 or 'hex' since it lines up with bytes very well (2 hex characters = 8 binary bits). Other formats include base64, binary, and just regular base10 (decimal)! In a way, that ascii chart represents a system where all text can be seen as "base128" (not including the Extended ASCII codes)
TO UNLOCK NEXT LEVEL, give me the text you just decoded, sword, as its hex equivalent, and then the decimal equivalent of that hex number ("foo" -> 666f6f -> 6713199)
hex>73776f7264
Good job! 73776f7264 to ASCII -> sword is sword
Now decimal
dec>495925031524
Good job! 495925031524 to Hex -> 73776f7264 to ASCII -> sword is sword
Correct! Completed level 2
4.- Level 3 gets a bit more complicated; honestly, it was the one that cost me the most because I was overthinking it. All I did was use "brute force": I simply kept trying... 1... 2... 3... hehehe
----------- LEVEL 3: Hashing Function ------------
A Hashing Function intakes any data of any size and irreversibly transforms it to a fixed length number. For example, a simple Hashing Function could be to add up the sum of all the values of all the bytes in the data and get the remainder after dividing by 16 (modulus 16)
TO UNLOCK NEXT LEVEL, give me a string that will result in a 2 after being transformed with the mentioned example hashing function
>1
incorrect. sum of all characters = 49 mod 16 = 1 does not equal 2
>2
Correct! Completed level 3
5.- Level 4 asks us to find the word behind the (MD5) hash; you can use an online tool for this.
--------------- LEVEL 4: Real Hash ---------------
A real Hashing Function is used for many things. This can include checking to ensure a file has not been changed (its hash value would change if any part of it is changed). An important use of hashes is for storing passwords because a Hashing Function cannot be reversed to find the initial data. Therefore if someone steals the hashes, they must try many different inputs to see if they can "crack" it to find what password yields the same hash. Normally, this is too much work (if the password is long enough). But many times, people's passwords are easy to guess... Brute forcing this hash yourself is not a good idea, but there is a strong possibility that, if the password is weak, this hash has been cracked by someone before. Try looking for websites that have stored already cracked hashes.
TO CLAIM YOUR PRIZE, give me the string password that will result in this MD5 hash (MD5, like most hashes, are represented as hex digits):
8bb421ff32a77382408a6e1539855e40
>r4m13
Correct! Completed level 4
You completed all 4 levels! Here is your prize:
953ddad21bc137ebd78021a585a840ad
6.- The flag is:
953ddad21bc137ebd78021a585a840ad
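Levels 1 to 3 done locally instead of with an online converter, as an added example that is not part of the original write-up. It also lists every single-character answer to level 3, which shows how easily the service's example "hash" collides. The function names and the alphabet are this example's own.

```python
import itertools
import string

ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def bits_to_text(bits):
    """Level 1: read a string of 0s and 1s as 8-bit ASCII characters."""
    if len(bits) % 8:
        raise ValueError("bit string length must be a multiple of 8")
    codes = (int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
    return bytes(codes).decode("ascii")


def to_hex_and_decimal(text):
    """Level 2: the text's bytes as hex, and that hex number in base 10."""
    data = text.encode("ascii")
    return data.hex(), int.from_bytes(data, "big")


def toy_hash(data):
    """Level 3: sum of all byte values, modulo 16."""
    return sum(data) % 16


def preimages(target, length=1, alphabet=ALPHABET):
    """All strings of the given length whose toy hash equals the target."""
    return ["".join(chars)
            for chars in itertools.product(alphabet, repeat=length)
            if toy_hash("".join(chars).encode("ascii")) == target]


if __name__ == "__main__":
    word = bits_to_text("0111001101110111011011110111001001100100")
    print(word, *to_hex_and_decimal(word))
    print(preimages(2))
```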
computeAES
Challenge description: You found this clue laying around. Can you decrypt it?
Solution:
1.- We click on the file "clue.txt" and get the following information:
Encrypted with AES in ECB mode. All values base64 encoded
ciphertext = t1h0qbcOhRQF5E46bsNLimfbcI6egrKP4LHtKR3lT4UdWjhssM8RQSBT7S/8rcRy
key = T5uVzYtuBNv6vwjohslV4w==
We already know the values are Base64-encoded, but an ordinary Base64 decoder alone will not help: to recover the hidden text we need to decrypt the ciphertext with the key.
2.- I used an online tool (although Python can also be used). We simply need to convert the values from Base64 to hexadecimal and enter them in the corresponding fields of the online tool.
3.- The flag is:
flag{do_not_let_machines_win_1e6b4cf4}
computeRSA
Challenge description: RSA
encryption/decryption is based on a formula that anyone can find and
use, as long as they know the values to plug in. Given the encrypted
number 150815, d = 1941, and N = 435979, what is the decrypted number?
HINTS
decrypted = (encrypted) ^ d mod N
Solution:
1.- I suppose the solution can be obtained with other programming languages; I used Python, and the code is the following:
2.- The flag is:
133337
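One way to evaluate the hint formula in Python, as an added example (not the author's original code): square-and-multiply reduces modulo N after every step, so the huge number 150815^1941 is never built. Python's built-in pow(base, exponent, modulus) does the same thing and is used here as a cross-check.

```python
# Values from the challenge description.
ENCRYPTED = 150815
D = 1941
N = 435979


def modexp(base, exponent, modulus):
    """Right-to-left binary exponentiation: base ** exponent mod modulus."""
    result = 1
    base %= modulus
    while exponent:
        if exponent & 1:
            # This bit of the exponent is set: fold the current power in.
            result = result * base % modulus
        # Square for the next bit; every intermediate value stays below N^2.
        base = base * base % modulus
        exponent >>= 1
    return result


def decrypt(ciphertext, d, n):
    """decrypted = (encrypted) ^ d mod N, as given in the hint."""
    plain = modexp(ciphertext, d, n)
    # Cross-check against the interpreter's own modular exponentiation.
    if plain != pow(ciphertext, d, n):
        raise AssertionError("modexp disagrees with pow()")
    return plain


if __name__ == "__main__":
    print(decrypt(ENCRYPTED, D, N))
```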
Web Exploitation
What Is Web
Challenge description: Someone told me that some guy came up with the "World Wide Web", using "HTML" and "stuff". Can you help me figure out what that is? Website.
Solution:
1.- We click on the Website link and look at its source code.
<!DOCTYPE html>
<html>
<head>
<title>Hello World!</title>
<link rel="stylesheet" type="text/css" href="hacker.css">
</head>
<body>
HI MOM! LOOK WHAT I MADE!
<h1>I used some tags.</h1>
<p>More tags!</p>
<h3>I typed here.</h3>
This is my cat. He is nice.
<br><br>
<img src="./cat.jpg" alt="Cat" /img>
<button type="button" onclick="sayHI()"> Click me to say hello!</button>
<script src="script.js"></script>
</body>
</html>
2.- We see in the source code that we already have the first part of our flag: fab79c49d9e.
3.- Looking further, I have marked the files "hacker.css" and "script.js" in bold; we may well find something interesting inside them.
4.- Source code of the file "hacker.css" (only the part we are interested in):
/*
This is the css file. It contains information on how to graphically display
the page. It is in a seperate file so that multiple pages can all use the same
one. This allows them all to be updated by changing just this one.
The second part of the flag is 5ba511a0f24
*/
....
We now have the second part of the flag: 5ba511a0f24
5.- Source code of the file "script.js" (only the part we are interested in):
/* This is a javascript file. It contains code that runs locally in your
* browser, although it has spread to a large number of other uses.
*
* The final part of the flag is 36308e33e85
*/
function sayHI(){
alert("Hi there!");
}
We now have the third and last part of the flag: 36308e33e85
6.- The flag is: fab79c49d9e5ba511a0f2436308e33e85
MISCELLANY
Internet Kitties
Challenge description: I was told there was something at IP shell2017.picoctf.com with port 56879. How do I get there? Do I need a ship for the port?
Solution:
1.- We simply open the terminal and use Netcat: nc shell2017.picoctf.com 56879
2.- We get the following message:
david@mdb:~$ nc shell2017.picoctf.com 56879
Yay! You made it!
Take a flag!
bab2372dd5c7289977016f356ddfbb2e
3.- The flag is: bab2372dd5c7289977016f356ddfbb2e
Challenge description: We found this annoyingly named directory tree
starting at /problems/e9c1c685270e96936e44ad5768f23ce3. It would be
pretty lame to type out all of those directory names but maybe there is
something in there worth finding? And maybe we dont need to type out all
those names...? Follow the trunk, using cat and ls!
Solution:
1.- We open the web shell and enter the directory using "cd /problems/e9c1c685270e96936e44ad5768f23ce3"
2.- We run "ls" and it shows a folder called "trunk". This is where the dizziness starts: we have to go into the different directories looking for a file that holds a flag.
3.- If we want to do it "quickly", we use grep -ir "flag" and it gives us the path where the file "flag" is located.
/problems/e9c1c685270e96936e44ad5768f23ce3/trunk/trunk60a9/trunkb46f/trunkeff2/trunk868a/trunk0853/trunkf221/trunka18f
4.- We run cat flag and it shows the flag: b0e641edaceaa42e4d77e9f465516fdf
looooong
Challenge description: I heard you have some "delusions of grandeur" about your typing speed. How fast can you go at shell2017.picoctf.com:44909?
Solution:
1.- We open the terminal and run Netcat: nc shell2017.picoctf.com 44909. It tells us we need to type a "letter" a given "number of times", ending with a "number". (If you are thinking of typing it yourself and reconnecting, that will not work, since each time you connect the letter, the count and the final number change.)
2.- I put together a Python script that asked me for the "letter" and the "number of times" and printed the result; I then copied and pasted it into the other terminal (yes, I had 2 terminals open) and finished the paste by typing the last number by hand.
david@mdb:~/Descargas/CTF PICO$ nc shell2017.picoctf.com 44909
To prove your skills, you must pass this test.
Please give me the 'c' character '569' times, followed by a single '3'.
To make things interesting, you have 30 seconds.
Input:
ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc3
You got it! You're super quick!
Flag: with_some_recognition_and_training_delusions_become_glimpses_84bb3b369444af45f140fa500f5e54c3
3.- The flag is: with_some_recognition_and_training_delusions_become_glimpses_84bb3b369444af45f140fa500f5e54c3
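The two-terminal copy and paste can be replaced by reading the prompt itself, shown here as an added example that is not the author's script: it parses the letter, the count and the final character out of the banner and builds the reply. The solve() helper and its parameters are assumptions of this example and are not called when the block runs.

```python
import re
import socket

# Banner copied from the session above, used as offline sample input.
SAMPLE = (
    "To prove your skills, you must pass this test.\n"
    "Please give me the 'c' character '569' times, followed by a single '3'.\n"
    "To make things interesting, you have 30 seconds.\n"
    "Input:\n"
)

PROMPT = re.compile(
    r"give me the '(?P<char>.)' character '(?P<count>\d+)' times, "
    r"followed by a single '(?P<last>.)'"
)


def build_answer(banner):
    """Return the line the service asks for, newline included."""
    match = PROMPT.search(banner)
    if match is None:
        raise ValueError("prompt not recognised")
    return match["char"] * int(match["count"]) + match["last"] + "\n"


def solve(host, port, timeout=10):
    """Connect, wait for the 'Input:' prompt, answer it, return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as conn:
        banner = b""
        while b"Input:" not in banner:
            chunk = conn.recv(4096)
            if not chunk:
                raise ConnectionError("closed before the prompt arrived")
            banner += chunk
        conn.sendall(build_answer(banner.decode("ascii")).encode("ascii"))
        return conn.recv(4096).decode("ascii", "replace")


if __name__ == "__main__":
    answer = build_answer(SAMPLE)
    print(len(answer) - 1, "characters, ending in", answer[-2])
```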
WorldChat
Challenge description: We think someone is trying to transmit a flag
over WorldChat. Unfortunately, there are so many other people talking
that we can't really keep track of what is going on! Go see if you can
find the messenger at shell2017.picoctf.com:38798. Remember to use
Ctrl-C to cut the connection if it overwhelms you!
Solution:
1.- We open the terminal and listen with Netcat: nc shell2017.picoctf.com 38798.
2.- We are now watching the chat:
worldchat v2.3002.4
setting up readonly client..done
connecting to feed....done
Welcome to WORLDCHAT!
3.- We stop the chat and use grep to search it; we look for everything related to the word "flag".
david@mdb:~$ nc shell2017.picoctf.com 38798 | grep "flag"
10:02:29 noihazflag: Several heavily mustached dolphins , in my well-educated opinion, are our best chance for what, I do not know
10:02:29 noihazflag: We want to see me to drink your milkshake
10:02:30 personwithflag: My friend wants to see me for what, I do not know
10:02:30 personwithflag: I would like to meet you to help me spell 'raspberry' correctly
10:02:30 flagperson: this is part 1/8 of the flag - 3572
10:02:30 personwithflag: You will never understand me to generate fusion power
4.- We see (in bold) that there is a nick called "flagperson" that is giving us a piece of our flag; specifically, it gives us part 1 of 8 of the flag.
Now we search again, but filtering by the nick "flagperson".
david@mdb:~$ nc shell2017.picoctf.com 38798 | grep "flagperson"
10:04:47 flagperson: this is part 1/8 of the flag - 3572
10:04:51 flagperson: this is part 2/8 of the flag - dd03
10:04:51 flagperson: this is part 3/8 of the flag - 4e91
10:04:54 flagperson: this is part 4/8 of the flag - 5f49
10:04:55 flagperson: this is part 5/8 of the flag - 3120
10:04:59 flagperson: this is part 6/8 of the flag - 885d
10:05:01 flagperson: this is part 7/8 of the flag - 41d5
10:05:11 flagperson: this is part 8/8 of the flag - 46c7
5.- The flag is: 3572dd034e915f493120885d41d546c7
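The grep step and the manual joining of the eight parts, combined in an added example that is not part of the original write-up. It matches only lines whose sender is "flagperson", so other nicks that merely contain "flag" are ignored, and it orders the parts by their index. The sample lines are copied from the sessions above; the function name is this example's own.

```python
import re

# Timestamp, then the exact nick, then the "part i/n" message.
PART = re.compile(
    r"^\S+ flagperson: this is part (\d+)/(\d+) of the flag - (\S+)$"
)

SAMPLE = """\
10:02:29 noihazflag: We want to see me to drink your milkshake
10:02:30 personwithflag: My friend wants to see me for what, I do not know
10:04:47 flagperson: this is part 1/8 of the flag - 3572
10:04:51 flagperson: this is part 2/8 of the flag - dd03
10:04:51 flagperson: this is part 3/8 of the flag - 4e91
10:04:54 flagperson: this is part 4/8 of the flag - 5f49
10:04:55 flagperson: this is part 5/8 of the flag - 3120
10:04:59 flagperson: this is part 6/8 of the flag - 885d
10:05:01 flagperson: this is part 7/8 of the flag - 41d5
10:05:11 flagperson: this is part 8/8 of the flag - 46c7
""".splitlines()


def assemble(lines):
    """Join the flag parts in index order; None until all parts were seen."""
    parts, total = {}, None
    for line in lines:
        match = PART.match(line.strip())
        if match is None:
            continue
        index, total = int(match[1]), int(match[2])
        parts[index] = match[3]  # repeated parts simply overwrite themselves
        if len(parts) == total:
            break  # stop reading the feed once every part has been seen
    if total is None or len(parts) != total:
        return None
    return "".join(parts[i] for i in range(1, total + 1))


if __name__ == "__main__":
    print(assemble(SAMPLE))
```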
MASTER CHALLENGE "Lazy Dev"
Challenge description: I really need to login to this website, but the developer hasn't implemented login yet. Can you help?
Solution:
1.- We access the website and see a single field and a button to submit the password.
We open the source code and see the file "client.js" (JavaScript); analyzing the code, we see that it contains no valid password: it only needs a "true" to let us in.
2.- I used ZAP, but the "true" could also have been set by changing the "false" from the web editor in Google Chrome or Mozilla Firefox.
I will use the ZAP method:
3.- We change "false" to "true".
4.- We send the request and.....
5.- The flag is:
client_side_is_the_dark_side6295c70148b5939179f1d1b6b70fb0c7