Hacker101 CTF: OSUSEC Writeup
(SQL Injection and JavaScript Debugging)
This challenge can be found here in the Hacker101 CTF challenges. The flag will not be posted at the end of the challenge, but the steps are provided below for how to reach it.
In this challenge, the goal is to obtain the flag after changing the grades of the student Natasha Drew to all A's. Upon opening the challenge, there is a blank webpage with nothing except for a login prompt. In order to be able to change a student's grades, it is necessary to log in to the website using credentials that have a higher access level than student logins. Testing login pages for SQL Injection is a logical place to start.
In this challenge, entering the payload admin' OR '1'='1 into both the username and password fields was enough to bypass the login screen and redirect to the student portal.
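To show why that payload works and what the server-side fix looks like, here is an added example (not code from the challenge itself): a constructed in-memory SQLite users table, a login function that concatenates the input into the query, and the same lookup with bound parameters. The table, user and password are assumptions for the demo.

```python
import sqlite3

PAYLOAD = "admin' OR '1'='1"  # the payload used in the writeup above


def make_db():
    """Constructed sample table; the challenge's real schema is unknown."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext password only to keep the demo short; real systems hash them.
    db.execute("INSERT INTO users VALUES ('rhonda', 's3cret-pw', 'student')")
    return db


def login_vulnerable(db, username, password):
    """Builds the query by string concatenation, so the quotes in the input
    become SQL syntax. With PAYLOAD in both fields the WHERE clause becomes
        username = 'admin' OR '1'='1' AND password = 'admin' OR '1'='1'
    which is true for every row, so the first user is returned."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Same lookup with bound parameters: the input is always treated as
    data, so the payload is compared literally and matches nothing."""
    row = db.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, PAYLOAD, PAYLOAD))  # rhonda (bypassed)
    print(login_safe(db, PAYLOAD, PAYLOAD))        # None (rejected)
    print(login_safe(db, "rhonda", "s3cret-pw"))   # rhonda (real login)
```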
Upon gaining entry to the student portal, nothing on the page can be clicked except the "logout" button in the top right, and the user is logged in as Rhonda Daniels. In order to continue, it is necessary to find a way to set up links for the students' names so that their records can actually be viewed. Viewing the source code for the current page and opening the file titled "app.min.js" reveals a specific function called setupLinks() that will likely give access to the students' records if the variable s.admin is true. However, since clicking anything on the webpage is not currently possible, it is safe to assume that this variable is set to false.
Checking the value of s.admin in the developer console confirms that it does, in fact, return false. Switching to the Debugging tab, or the Sources tab on Windows, breakpoints can be set in the code that will stop execution on the selected line when the page is refreshed. This is done by clicking the line number where the breakpoint should be set. Line numbers where breakpoints have been set are highlighted blue.
A breakpoint can be set on the line that checks to see if s.admin is true. When the page pauses the code’s execution at the set breakpoint, s.admin can be set to true in the developer console.
After setting the variable to true in the console (shown in the picture above), the execution of the JavaScript code on the current page can be resumed, and, just like that, links have been assigned to the students’ names and their records can be viewed by clicking on them. Clicking on the first student’s name, Nancie Brett, loads a new page where her grades are visible and can be edited. Since the goal of this challenge is to change the grades of Natasha Drew, not Nancie Brett, the next step is to figure out how to access Natasha’s records when her name is not available in the student portal.
There is a string of characters at the end of the URL on this page that looks like it could be Base64 because of its random-looking form. Putting this string into a Base64 decoder yields the text “Nancie_Brett”, establishing that this “random string of characters” is simply the student’s name, with the space replaced by an underscore, encoded in Base64.
Since the URL value is just the student’s first and last name joined by an underscore, it is reasonable to try encoding “Natasha_Drew” into Base64 and placing the result in the URL in place of the previously decoded string.
Placing this new Base64 string into the URL pulls up Natasha’s records in the same way Nancie’s were accessed. Using the available dropdown boxes, Natasha’s grades can be changed to A’s.
Once Natasha’s records are updated, a green box with the flag is displayed.