For the 2nd challenge you will need to bypass the login mechanism.
Visit <https://02.adventofctf.com> to start the challenge.
## Solution
When opening the website we're provided with a login form. If we fill in the form with random data, we're greeted with some text that says a guest cannot access the flag.
After trying serveral things, I opened the devtools to have a look at the cookies. Here we find a cookie with the name `authenticated`:
The result is some JSON data which specifies whether we are a guest or an admin.
Normally, we can easily alter the string to say we're an admin, but this time there is some weird non-printable character at the end. This means we can't easily modify it while still having the correct response. To circumvent this, I'll use `sed` to replace the string while keeping the non-printable character:
```bash
> echo "eyJndWVzdCI6InRydWUiLCJhZG1pbiI6ImZhbHNlIn0=" | base64 -d | sed 's/"guest":"true"/"guest":"false"/g' | sed 's/"admin":"false"/"admin":"true"/g' | base64
eyJndWVzdCI6ImZhbHNlIiwiYWRtaW4iOiJ0cnVlIn0=
```
If we put this string back into the cookie and refresh the page we get the flag: `NOVI{cookies_are_bad_for_auth}`.
This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#2-3).