
CTF Hack.lu: 20 – Nerd safe house (+100 pt) write-up

Google Chrome 22


This zombie apocalypse is a tough thing. Dozens of zombies are following you and looking forward to have a nice snack, when some fat guy appears. You outrun him easily, so eating all of him will keep the zombies busy – for a while. So after you keep running a few blocks, you find a safe house. As you stand there panting, sweating and sighing at their door you notice: «Hey, I probably sound just like a zombie.» And this is where the automatic defense system kicks in. A big, laser-zoom explosion-looming automatic spring gun locks in on you. Nice.

That’s what you get for leaving a fat person behind. All your yelling «Help, help. I’m human and… and I have weapons» (a lie), remains unheard. When finally somebody responds on the intercom: «Oh are you? This safe house is for nerds only! Show us how smart you are and find the missing token.» So there you go.

Try solving the annoying puzzle at https://ctf.fluxfingers.net:2074/ or zombies will eat your soul!

credits: 100 +3 (1st), +2 (2nd), +1 (3rd)


So, just open https://ctf.fluxfingers.net:2074/ and notice that the page appends ?cid=vp3E1nOGh7jwP to the URL and shows the message 'Nothing to see here'. Viewing the source shows a history.replaceState(0,0,'?cid=vp3E1nOGh7jwP'); JavaScript call, which is what appends the «cid» parameter. After analyzing the cid string and finding nothing about it by searching, we decide to disable JavaScript and reload the page without the cid parameter.

Viewing the source again, at first glance there is nothing to see, but the source view has the typical horizontal scroll bar. Scrolling along the line, we can see:

<strong>location.href = atob('P2NpZD12cDNFbG5PR2g3andQ');</strong>

The page is telling us that it uses the atob() method, which decodes a base64 string. So we decode P2NpZD12cDNFbG5PR2g3andQ manually and get the parameter ?cid=vp3ElnOGh7jwP. The difference is that the 1 has changed to an l, so we replace the cid parameter and reload. Nothing visibly happens, but once again, view the source and …

<!-- The secret is 14574e443ef2331439d25dc9da3b617e :D -->

token: 14574e443ef2331439d25dc9da3b617e
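The manual steps above (find the atob() call pushed off-screen, decode it, compare it with the cid the page shows) can be scripted. This is an added example, not part of the original challenge or write-up; the pageSource layout (script tags, 400 spaces of padding) and the function names are assumptions, and only the two quoted statements come from the page.

```javascript
// Constructed sample: the two statements quoted in the write-up. The <script>
// wrappers and the 400-space padding are assumptions that mimic the
// "horizontal scrolling" trick described above.
const pageSource = [
  "<script>history.replaceState(0,0,'?cid=vp3E1nOGh7jwP');</script>",
  "<script>" + " ".repeat(400) +
    "location.href = atob('P2NpZD12cDNFbG5PR2g3andQ');</script>",
].join("\n");

// Decode every atob('...') string literal and report its 1-based column,
// so a value hidden far to the right of the visible area stands out.
function decodeAtobLiterals(source) {
  const re = /atob\(\s*(['"])([A-Za-z0-9+\/=]+)\1\s*\)/g;
  return [...source.matchAll(re)].map((m) => ({
    encoded: m[2],
    decoded: Buffer.from(m[2], "base64").toString("latin1"),
    column: m.index - source.lastIndexOf("\n", m.index),
  }));
}

// Collect the URL argument of each history.replaceState(...) call, i.e. the
// value the address bar shows to the visitor.
function replaceStateUrls(source) {
  const re = /history\.replaceState\([^)]*?(['"])([^'"]*)\1\s*\)/g;
  return [...source.matchAll(re)].map((m) => m[2]);
}

// Position-by-position comparison: look-alike glyphs such as 1 and l are easy
// to miss by eye but trivial to find this way.
function diffChars(shown, hidden) {
  const out = [];
  for (let i = 0; i < Math.max(shown.length, hidden.length); i++) {
    if (shown[i] !== hidden[i]) {
      out.push({ index: i, shown: shown[i], hidden: hidden[i] });
    }
  }
  return out;
}

const hiddenTargets = decodeAtobLiterals(pageSource);
const shownUrls = replaceStateUrls(pageSource);
console.log(hiddenTargets, shownUrls);
console.log(diffChars(shownUrls[0], hiddenTargets[0].decoded));
```

Run with Node.js; the last line of output points at index 9, where the shown cid has 1 and the decoded one has l.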








