+++ author = "Maik de Kruif" title = "Novosibirsk Chemical plant" subtitle = "Beginners Quest 1 - Google CTF" date = 2021-09-22T14:26:25+01:00 description = "A writeup for challenge 1 of the beginners quests of the Google CTF." cover = "img/writeups/google-ctf/2021/beginners-quest/1/cover.png" tags = [ "Google CTF", "Beginners Quest", "ctf", "hacking", "writeup", "web", ] categories = [ "ctf", "writeups", "hacking", ] +++ ## Story line You have now investigated the chemical plant. Nothing seemed to be out of the ordinary, even though the workers acted somewhat passive, but that’s not a good enough to track. It seems like you have a new voice mail from the boss: "Hello there, AGENT! It seems like the corporation that owns the plant was informed by an anonymous source that you would arrive, and therefore they were prepared for your visit, but your colleague AGENT X has a lead in Moscow, we’ve already booked you a flight. FIRST CLASS of course. In fact if you look out of the window, you should be able to see a black car arriving now, and it will carry you to the airport. Good luck!" ### Link ## Recon Upon opening the given link, we see a website with a password form. When opening the source, we find the following javascript: ```js const checkPassword = () => { const v = document.getElementById("password").value; const p = Array.from(v).map((a) => 0xcafe + a.charCodeAt(0)); if ( p[0] === 52037 && p[6] === 52081 && p[5] === 52063 && p[1] === 52077 && p[9] === 52077 && p[10] === 52080 && p[4] === 52046 && p[3] === 52066 && p[8] === 52085 && p[7] === 52081 && p[2] === 52077 && p[11] === 52066 ) { window.location.replace(v + ".html"); } else { alert("Wrong password!"); } }; ``` ## Solving Let's start by analysing this script. It starts of by getting the input value, and splitting it in a list. It then uses the `map()` function to add `0xCafe` to every character. So "a" would become `97 + 51966 = 52063` (`97` is the ASCII value of `"a"`, and `51966` is decimal for `0xCafe`). To find the password, we only have to reverse the values given in the javascript code. To do this, I wrote a little python script: ```py code = { 0: 52037, 6: 52081, 5: 52063, 1: 52077, 9: 52077, 10: 52080, 4: 52046, 3: 52066, 8: 52085, 7: 52081, 2: 52077, 11: 52066, } password = "" for i in range(max(code.keys()) + 1): password += chr(code[i] - 0xCafe) print(password) ``` This prints the following result: `GoodPassword`. ## Solution If we enter the password (`GoodPassword`), we get redirected to this page: {{< figure src="/img/writeups/google-ctf/2021/beginners-quest/1/cctv.png" title="CCTV" >}} Here we can find the flag in the bottom left.