maik
/
Personal-Website
mirror of https://github.com/maikka39/Personal-Website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add today's challenge

Browse Source
pull/4/head
Maik de Kruif 4 years ago
parent 20a715a146
commit d80d1308f2
No known key found for this signature in database
GPG Key ID: 46C1200ACD3A432F
1 changed files with 62 additions and 0 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 62
      content/posts/adventofctf/challenge_3.md

62
content/posts/adventofctf/challenge_3.md
Unescape View File

@ -0,0 +1,62 @@
+++
author = "Maik de Kruif"
title = "Challenge 3 - AdventOfCTF"
date = 2020-12-03T09:29:12+01:00
description = "Challenge 3 of AdventOfCTF."
tags = [
"AdventOfCTF",
"challenge",
"ctf",
"hacking"
]
categories = [
"ctf",
"hacking",
]
+++
- Points: 300
## Description
For this challenge you will, again, need to bypass the login mechanism.
Visit <https://03.adventofctf.com> to start the challenge.
## Solution
When opening the website we're provided with a login form. If we fill in the form with random data, nothing happens. Usually a website will do a `POST` request to a URL when submitting a form, but even that didn't happen. So my guess is that there is some javascript in play.
Let's open the source and take a look at the form. Here we can see that when the form is submitted, a javascript function called `checkPass()` is called.
```html
<form action="/index.php" onsubmit='checkPass(); return false'>
```
To find this funtion, enter `checkPass` in the devtools console and click on the three dots at the bottom of the output.
```js
function checkPass()
{
var username = document.getElementById('username').value;
var password = document.getElementById('password').value;
var novi = '-NOVI';
if (password == btoa(username + novi)) {
window.setTimeout(function() {
window.location.assign('inde' + 'x.php?username='+ username +'&password=' + password);
}, 500);
}
}
```
We can see there is a check which checks if `password` is equal to `btoa(username + novi)`. But what is `btoa`? According to [w3schools](https://www.w3schools.com/jsref/met_win_btoa.asp):
> The btoa() method encodes a string in base-64.
To get the value of what the password should be, we have to know the output of `btoa(username + novi)`. Above this check, we see the `novi` variable is set to `'-NOVI'`. Now, we go to the devtools console and generate the password. In the console, enter `btoa("a" + "-NOVI")`. This returns `"YS1OT1ZJ"`, so lets try that combination. I used the username `"a"`. If we enter this combination in the form, we get redirected to a page with the flag.
This flag is `NOVI{javascript_is_not_s@fe}`.
This flag can then be submitted for the [challenge](https://ctfd.adventofctf.com/challenges#3-4).
Write Preview
Loading…
Cancel
Save