maik
/
Personal-Website
mirror of https://github.com/maikka39/Personal-Website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Repo for my website
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
135 Commits
2 Branches
2 Tags
80 MiB
 
 
 
Tag: Branch: Tree: 5b63b29d5d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5b63b29d5d'
${ noResults }
Personal-Website/content/writeups/google-ctf/2021/beginners-quest/1.md

2.8 KiB
Raw Blame History

+++ author = "Maik de Kruif" title = "Novosibirsk - Chemical plant" subtitle = "Beginners Quest 1 - Google CTF" date = 2021-09-22T14:26:25+01:00 description = "A writeup for challenge 1 of the beginners quests of the Google CTF." cover = "img/writeups/google-ctf/2021/beginners-quest/1/cover.png" tags = [ "Google CTF", "Beginners Quest", "ctf", "hacking", "writeup", "web", ] categories = [ "ctf", "writeups", "hacking", ] +++

Story line

You have now investigated the chemical plant. Nothing seemed to be out of the ordinary, even though the workers acted somewhat passive, but that’s not a good enough to track. It seems like you have a new voice mail from the boss: "Hello there, AGENT! It seems like the corporation that owns the plant was informed by an anonymous source that you would arrive, and therefore they were prepared for your visit, but your colleague AGENT X has a lead in Moscow, we’ve already booked you a flight. FIRST CLASS of course. In fact if you look out of the window, you should be able to see a black car arriving now, and it will carry you to the airport. Good luck!"

Link

https://cctv-web.2021.ctfcompetition.com/

Recon

Upon opening the given link, we see a website with a password form.

When opening the source, we find the following javascript:

const checkPassword = () => {
  const v = document.getElementById("password").value;
  const p = Array.from(v).map((a) => 0xcafe + a.charCodeAt(0));

  if (
    p[0] === 52037 &&
    p[6] === 52081 &&
    p[5] === 52063 &&
    p[1] === 52077 &&
    p[9] === 52077 &&
    p[10] === 52080 &&
    p[4] === 52046 &&
    p[3] === 52066 &&
    p[8] === 52085 &&
    p[7] === 52081 &&
    p[2] === 52077 &&
    p[11] === 52066
  ) {
    window.location.replace(v + ".html");
  } else {
    alert("Wrong password!");
  }
};

Solving

Let's start by analysing this script. It starts of by getting the input value, and splitting it in a list. It then uses the map() function to add 0xCafe to every character. So "a" would become 97 + 51966 = 52063 (97 is the ASCII value of "a", and 51966 is decimal for 0xCafe).

To find the password, we only have to reverse the values given in the javascript code. To do this, I wrote a little python script:

code = {
    0: 52037,
    6: 52081,
    5: 52063,
    1: 52077,
    9: 52077,
    10: 52080,
    4: 52046,
    3: 52066,
    8: 52085,
    7: 52081,
    2: 52077,
    11: 52066,
}

password = ""

for i in range(max(code.keys()) + 1):
    password += chr(code[i] - 0xCafe)

print(password)

This prints the following result: GoodPassword.

Solution

If we enter the password (GoodPassword), we get redirected to this page:

{{< figure src="/img/writeups/google-ctf/2021/beginners-quest/1/cctv.png" title="CCTV" >}}

Here we can find the flag in the bottom left.