PicoCTF Writeup – Client-side-again

# Information:

 

CTF Name: PicoCTF

CTF Challenge: Client-side-again

Challenge Category: Web Exploitation

Challenge Points: 200

PicoCTF 2019.

 

# Challenge Description: 

Can you break into this super secure portal? https://jupiter.challenges.picoctf.org/problem/60786/ or http://jupiter.challenges.picoctf.org:60786 

Hint: What is obfuscation?

# Writeup

In this challenge, we are given a link. Upon clicking on it this is the page that appears:  

It seems that we have to insert some kind of password to access the site and probably to get the flag. I decided to inspect the source code, it could have something relevant!   To do so I pressed F12. These were the contents of the index page after choosing the pretty-print option:  

It seems we have some kind of function, called verify that checks if the inserted password is correct. To do so it uses the array in line 9 called _0x5a46.    By doing a code read I was able to substitute some parts of the code with what I consider is the correct value, as such:  

I used the knowledge of JavaScript to determine positions 0x0, 0x1, and 0x2 of the array. I used the code logic to determine that in line 26 the only thing that could be is Password Verified and the same idea for line 35. After knowing this I used the clues provided and I tried to create a flag that made some kind of sense. Combining this information and knowing that picoCTF{ is the way the flags start and } the way they end I was able to reconstruct the flag, which is:  

Show flag
picoCTF{not_this_again_ef49bf}

Thank you very much for reading!

Cheers,

MRegra


Share this post:

Popular posts

Leave a Reply

Your email address will not be published. Required fields are marked *