Skip to main content

Imaginary ctf 2022 web

 CHALLENGE -1


RooCookie(100 points)


Hi Guys, Today I am going to walk you through the solution of RooCookie challenge it was on of the very easy challenges that was available in the web domain. 

It is more of a crypto challenge. We are provided with a link to the challenge website. When we go to the page we see a page like the one that is in the image



So, if we now try to see the page source code we will find a small section of code that is very interesting.

<script>
function createToken(text) {
let encrypted = "";
for (let i = 0; i < text.length; i++) {
encrypted += ((text[i].charCodeAt(0)-43+1337) >> 0).toString(2)
}
document.cookie = encrypted
}
</script>


This section of code is trying to create a cookie which is the encrypted username and password.

So, The main thing happening in the code is that the ascii value of each and every letter is getting added by a certain value and is right shifted by 0 which will not effect the value. Then it is converted to a binary string and is added to the encrypted string.

In this way we are getting the encrypted string..........

So, Our main goal is to convert the binary to decimal subtract the additional value and convert it into char....

one more important task is to find the length of each binary string. From the encryption code we get to know that the value that is being added is above 1024 which is 2^10 so we take 11 bits.

The Decryption algorithm which I wrote came down to:








Using this we Finally will be able to get the flag and I got it as:



   CHALLENGE-2



BUTTON(100 points)


In this challenge we have nothing in the page when we visit it. When we try to see the page source code OMG!!!!!. We have so many buttons and maximum all are not doing anything. 



So I used grep to find if there was any thing apart from button tag... and this is what I found.


It was not a direct challenge to have flag in the plain text. So, Now I tried for javascript....


Hmm.... We got a hit......

Now we need to understand the javascript code. This is a obfuscated code. We can see two function names called notSusFunction() and motSusfunclion(). We can even see the flag I tried but they will not work we will see why.

So, Now let us change the onclick function of a button and so we have motSusfunclion in place of notSusfunction.


So, We get the flag just like that...

ictf{y0u_f0und_7h3_f1ag!} This is the flag of the challenge..








Comments

Post a Comment

Popular posts from this blog

GET STARTED WITH SQLMAP

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. learn more...   So lets know how to use it....... Lets start with installation   FOR WINDOWS:                  In the official website of sqlmap we are provided with a zip file. Download it by clicking on it                 Extract it into a desired directory and you must have gotten a python file named sqlmap.py.                                                              So if you already have python installed in your machine continue and use command line python3  <path_to_sqlmap.py> <required_parameters>                           FOR LINUX:                          Most of the Linux machines already have sqlmap prebuilt                          If not, type in the following command in you terminal                                         $ sudo apt install sqlmap Now we have everything. So lets get into it.....
2 comments
Read more