Category: Intro
My check is so secure!
http://ctf10k.root-me.org:9000
Author : Elf#4541
When we visit the challenge page, we get a browser pop-up. It asks us to provide the flag, but that's what we are looking for!
This means the page verifies whether the flag we provide is correct or not.
By inspecting the network traffic, we can see that the page loads the script sc.js; we can also reach it from the source code of the page.
The sc.js file was minified and partly obfuscated. Before anything else, let's prettify it!
Well, now it's more readable. We can ignore all the obfuscation steps and focus only on what sits between the parentheses of the if condition, but before that step let's quickly debug the result of the condition when it returns true.
Not a really interesting result, but at least it confirms our theory. To make debugging convenient, let's download our two files, /index.html & /sc.js, and prettify our if condition a bit more...
if (
    h.map(t => String.fromCharCode(t)).join("") == d.substring(5,22) &&
    d.substring(0,5) == l &&
    j.map(t => String.fromCharCode(t)).join("") == d.substring(22)
)
We can notice that the var d is compared three times, which means it's our input. So what we need to do is console.log the term that d is compared against in each == comparison to get the flag.
- At the bottom of our /sc.js, add:
console.log(`
# Debugging
a == d.substring(5,22) -> a: ${h.map(t => String.fromCharCode(t)).join("")}
l == d.substring(0,5) -> l: ${l}
x == d.substring(22) -> x: ${j.map(t => String.fromCharCode(t)).join("")}
# FLAG (l+a+x): ${
l +
( h.map(t => String.fromCharCode(t)).join("") ) +
( j.map(t => String.fromCharCode(t)).join("") )
}
`)
- Save it, refresh the page and just skip the pop-up
🚩 Flag: RM{s3cur1ty_thr0ugh_0bscur1ty}
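Why this kind of check cannot protect a secret, and what the server-side replacement looks like, as an added example (not the challenge's code). The constants, the DEMO{...} value and the helper names decode, clientCheck, expectedFromClientConstants and makeServerVerifier are constructed for illustration.

```javascript
// Constructed stand-ins for the script's constants; these are NOT the challenge's values.
const l = "DEMO{";
const h = [99, 108, 105, 101, 110, 116, 95, 115, 105, 100, 101, 95, 99, 104, 101, 99, 107];
const j = [95, 108, 101, 97, 107, 115, 125];

const decode = codes => codes.map(t => String.fromCharCode(t)).join("");

// Same shape as the if condition above: the input d is compared against
// values that ship to every visitor inside the script.
function clientCheck(d) {
  return decode(h) === d.substring(5, 22) &&
         d.substring(0, 5) === l &&
         decode(j) === d.substring(22);
}

// The expected value is computable from the shipped constants with no input
// at all, so minifying or obfuscating the script only delays the reader.
function expectedFromClientConstants() {
  return l + decode(h) + decode(j);
}

// Hardened shape (hypothetical helper): the browser only forwards the
// candidate, while the secret and the comparison stay on the server.
function makeServerVerifier(secret) {
  return function verify(candidate) {
    if (typeof candidate !== "string") return false;
    // Walk the full secret length regardless of where a mismatch occurs,
    // so timing does not reveal how many leading characters were right.
    let diff = candidate.length ^ secret.length;
    for (let i = 0; i < secret.length; i++) {
      diff |= secret.charCodeAt(i) ^ (candidate.charCodeAt(i) || 0);
    }
    return diff === 0;
  };
}

// Assumption: on a real server the secret comes from configuration, never
// from a file that is served to the client.
const verify = makeServerVerifier("DEMO{kept_on_the_server}");
console.log(expectedFromClientConstants(), clientCheck(expectedFromClientConstants()));
console.log(verify("DEMO{guess}"), verify("DEMO{kept_on_the_server}"));
```

With the server-side form, the only thing the page's script contains is the request that submits the candidate, so there is nothing to log.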