maik
/
Personal-Website
mirror of https://github.com/maikka39/Personal-Website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Repo for my website
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
196 Commits
2 Branches
2 Tags
80 MiB
Tag: Branch: Tree: 8c787ec1d3
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '8c787ec1d3'
${ noResults }
Personal-Website/content/writeups/adventofctf/2020/challenge_3.md

73 lines
2.5 KiB
Raw Normal View History Unescape

Add today's challenge
4 years ago
+++
author = "Maik de Kruif"
Set actual titles of the challenges as I only just found them
3 years ago
title = "Javascript"
Restructure writeups
3 years ago
subtitle = "Challenge 3 - AdventOfCTF"
Add today's challenge
4 years ago
date = 2020-12-03T09:29:12+01:00
Update descriptions
4 years ago
description = "A writeup for challenge 3 of AdventOfCTF."
Restructure writeups
3 years ago
cover = "img/writeups/adventofctf/2020/4f5cc0afbb9e7ec6a57cdd68a92b9213.png"
Add today's challenge
4 years ago
tags = [
"AdventOfCTF",
"challenge",
"ctf",
Update tags and categories
4 years ago
"hacking",
"writeup",
Add type of challenge to tag
4 years ago
"web",
Add more tags :)
4 years ago
"javascript",
Add today's challenge
4 years ago
]
categories = [
"ctf",
Update tags and categories
4 years ago
"writeups",
Add today's challenge
4 years ago
"hacking",
]
Add breadcrumbs, let writeup urls make more sense and add section pages
3 years ago
aliases = [
"challenge_3"
]
Add today's challenge
4 years ago
+++
- Points: 300
## Description
For this challenge you will, again, need to bypass the login mechanism.
Visit <https://03.adventofctf.com> to start the challenge.
## Solution
When opening the website we're provided with a login form. If we fill in the form with random data, nothing happens. Usually a website will do a `POST` request to a URL when submitting a form, but even that didn't happen. So my guess is that there is some javascript in play.
Let's open the source and take a look at the form. Here we can see that when the form is submitted, a javascript function called `checkPass()` is called.
```html
Set html size attributes for images
4 years ago
<form action="/index.php" onsubmit="checkPass(); return false"></form>
Add today's challenge
4 years ago
```
To find this funtion, enter `checkPass` in the devtools console and click on the three dots at the bottom of the output.
```js
Set html size attributes for images
4 years ago
function checkPass() {
var username = document.getElementById("username").value;
var password = document.getElementById("password").value;
var novi = "-NOVI";
if (password == btoa(username + novi)) {
window.setTimeout(function () {
window.location.assign(
"inde" + "x.php?username=" + username + "&password=" + password
);
}, 500);
}
Add today's challenge
4 years ago
}
```
We can see there is a check which checks if `password` is equal to `btoa(username + novi)`. But what is `btoa`? According to [w3schools](https://www.w3schools.com/jsref/met_win_btoa.asp):
> The btoa() method encodes a string in base-64.
To get the value of what the password should be, we have to know the output of `btoa(username + novi)`. Above this check, we see the `novi` variable is set to `'-NOVI'`. Now, we go to the devtools console and generate the password. In the console, enter `btoa("a" + "-NOVI")`. This returns `"YS1OT1ZJ"`, so lets try that combination. I used the username `"a"`. If we enter this combination in the form, we get redirected to a page with the flag.
This flag is `NOVI{javascript_is_not_s@fe}`.
This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#3-4).