maik
/
Personal-Website
mirror of https://github.com/maikka39/Personal-Website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
Repo for my website
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
40 Commits
2 Branches
2 Tags
73 MiB
 
 
 
Tag: Branch: Tree: dd4c43a9d4
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'dd4c43a9d4'
${ noResults }
Personal-Website/content/posts/adventofctf/challenge_3.md

2.4 KiB
Raw Blame History

+++ author = "Maik de Kruif" title = "Challenge 3 - AdventOfCTF" date = 2020-12-03T09:29:12+01:00 description = "Challenge 3 of AdventOfCTF." cover = "img/adventofctf/4f5cc0afbb9e7ec6a57cdd68a92b9213.png" tags = [ "AdventOfCTF", "challenge", "ctf", "hacking", "writeup", ] categories = [ "ctf", "writeups", "hacking", ] +++

  • Points: 300

Description

For this challenge you will, again, need to bypass the login mechanism.

Visit https://03.adventofctf.com to start the challenge.

Solution

When opening the website we're provided with a login form. If we fill in the form with random data, nothing happens. Usually a website will do a POST request to a URL when submitting a form, but even that didn't happen. So my guess is that there is some javascript in play.

Let's open the source and take a look at the form. Here we can see that when the form is submitted, a javascript function called checkPass() is called.

<form action="/index.php" onsubmit='checkPass(); return false'>

To find this funtion, enter checkPass in the devtools console and click on the three dots at the bottom of the output.

function checkPass()
{
    var username = document.getElementById('username').value;
    var password = document.getElementById('password').value;

    var novi = '-NOVI';

    if (password == btoa(username + novi)) {
        window.setTimeout(function() {
            window.location.assign('inde' + 'x.php?username='+ username +'&password=' + password);
        }, 500);
    }
}

We can see there is a check which checks if password is equal to btoa(username + novi). But what is btoa? According to w3schools:

The btoa() method encodes a string in base-64.

To get the value of what the password should be, we have to know the output of btoa(username + novi). Above this check, we see the novi variable is set to '-NOVI'. Now, we go to the devtools console and generate the password. In the console, enter btoa("a" + "-NOVI"). This returns "YS1OT1ZJ", so lets try that combination. I used the username "a". If we enter this combination in the form, we get redirected to a page with the flag.

This flag is NOVI{javascript_is_not_s@fe}.

This flag can then be submitted for the challenge.