We know that we need an 'admin' role, but the registration functionality checks if we register with the administrative role:
if(req.body.role?.toLowerCase() == 'admin')
As we previously saw, the flag is exposed only if 'role.toUpperCase()' returns 'ADMIN':
if(req.user.role.toUpperCase() === 'ADMIN')
    return res.json({ message: `Hi Admin! Your flag is ${process.env.ADMIN_FLAG}` });
This means that we need to find an input for the 'role' value which behaves like this:
role.toLowerCase() == 'admin' //false
role.toUpperCase() === 'ADMIN' //true
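The solution is to replace the 'i' in 'admin' with a character that looks like 'i' (Unicode normalization), for example 'Latin Small Letter Dotless I' (U+0131). JavaScript's toUpperCase() maps this character to the plain 'I', while toLowerCase() leaves it unchanged, so the first comparison is false and the second is true.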
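The mismatch between the two checks, next to one way to close it, as an added example that is not part of the original writeup or the challenge source. The function names, the role list and the `register`/`isAdmin` helpers are assumptions made for illustration; only the two comparisons are taken from the snippets quoted above.

```javascript
// Constructed stand-ins for the two comparisons quoted in the writeup.
function registrationBlocks(role) { return role?.toLowerCase() == 'admin'; }
function flagCheckPasses(role) { return role.toUpperCase() === 'ADMIN'; }

// Hardened form (assumption): canonicalise the role once, at registration,
// store only the canonical value, and compare it with === everywhere else.
const KNOWN_ROLES = new Set(['user', 'admin']); // hypothetical role list

function canonicalRole(input) {
  if (typeof input !== 'string') return null;
  // Reject anything outside ASCII letters BEFORE case mapping, so a
  // non-ASCII character can never be folded into an ASCII letter.
  if (!/^[A-Za-z]+$/.test(input)) return null;
  const role = input.toLowerCase();
  return KNOWN_ROLES.has(role) ? role : null;
}

function register(body) {
  const role = canonicalRole(body.role ?? 'user');
  if (role === null) return { ok: false, reason: 'unknown role' };
  if (role === 'admin') return { ok: false, reason: 'admin is not self-assignable' };
  return { ok: true, role }; // only the canonical string is stored
}

function isAdmin(user) { return user.role === 'admin'; } // no case mapping here

// Constructed sample inputs: plain, mixed case, and the dotless i from the writeup.
function audit() {
  return ['user', 'Admin', 'adm\u0131n'].map((role) => ({
    role,
    blockedAtRegistration: registrationBlocks(role),
    passesFlagCheck: flagCheckPasses(role),
    hardened: register({ role }),
  }));
}

console.table(audit().map((r) => ({
  role: r.role,
  blocked: r.blockedAtRegistration,
  flagCheck: r.passesFlagCheck,
  hardenedOk: r.hardened.ok,
})));
```

The original checks disagree because one side compares the lowercase mapping and the other the uppercase mapping of an untrusted string; the hardened version never applies two different mappings to the same value.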

Original writeup (https://www.thesecuritywind.com/post/1753ctf-2025#viewer-h84kf25011).