$ strings SoYouLikeMusic.class scan Ljava/util/Scanner; <init> Code LineNumberTable main ([Ljava/lang/String;)V decompilingTheCodeNow qOne StackMapTable qTwo qThree playGame SourceFile SoYouLikeMusic.java java/util/Scanner OAhh welcome... so I hear you like music? What might I call you fellow listener? java/lang/StringBuilder Well 4, let's play a game and see how much you like music. UWho was the special artist to dj music for our live streams before the event started? s7a73farm Try Again... @Now you are on a roll! What is zestyfe's favorite type of music? dubstep =Final Question! What is the name of purvesta's only rap song? The_Gettysburg_Address_Rap |I will ask you three questions. If you can answer them all right, then I will point you towards your precious flag you seek! Want to play? (y/n) ;Great let's play! (ctrl-c if you really don't want to play) Congratulations!! You did it!! 8ZmxhZ3tTdGlsbF9XYWl0aW5nX09uX3B1cnZlc3RhJ3NfTWl4dGFwZX0= SoYouLikeMusic java/lang/Object java/lang/String java/lang/System Ljava/io/InputStream; (Ljava/io/InputStream;)V Ljava/io/PrintStream; java/io/PrintStream println (Ljava/lang/String;)V nextLine ()Ljava/lang/String; trim append -(Ljava/lang/String;)Ljava/lang/StringBuilder; toString equals (Ljava/lang/Object;)Z equalsIgnoreCase (Ljava/lang/String;)Z exit (I)V
Focus on:
1 2
Congratulations!! You did it!! 8ZmxhZ3tTdGlsbF9XYWl0aW5nX09uX3B1cnZlc3RhJ3NfTWl4dGFwZX0=
$ java -cp . SoYouLikeMusic Ahh welcome... so I hear you like music? What might I call you fellow listener? alex
Well alex, let's play a game and see how much you like music. I will ask you three questions. If you can answer them all right, then I will point you towards your precious flag you seek! Want to play? (y/n) y
Great let's play! (ctrl-c if you really don't want to play)
Who was the special artist to dj music for our live streams before the event started? s7a73farm
Now you are on a roll! What is zestyfe's favorite type of music? dubstep
Final Question! What is the name of purvesta's only rap song? The_Gettysburg_Address_Rap
Congratulations!! You did it!! ZmxhZ3tTdGlsbF9XYWl0aW5nX09uX3B1cnZlc3RhJ3NfTWl4dGFwZX0=
You've been put in charge of a very secret project. There's talk that some of your data has leaked out. Your security analyst has flagged this email as "out of place". Has your company been breached?
This image seems to hide something else (trailing data):
1 2 3 4 5 6 7 8 9 10
$ binwalk selfie.jpg
DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 JPEG image data, JFIF standard 1.01 30 0x1E TIFF image data, big-endian, offset of first image directory: 8 128969 0x1F7C9 Zip archive data, at least v2.0 to extract, name: Death_Star_Owner's_Technical_Manual_blueprints.jpg 712883 0xAE0B3 Zip archive data, at least v1.0 to extract, name: __MACOSX/ 712938 0xAE0EA Zip archive data, at least v2.0 to extract, name: __MACOSX/._Death_Star_Owner's_Technical_Manual_blueprints.jpg 713908 0xAE4B4 End of Zip archive
Then I extracted it with foremost and unzip the archive:
<!DOCTYPE html> <html> <head> <title>A slight cut</title> <script src="js/jquery.js"></script> <script> [...] </script> </head> <body> <div> <h1>type in some text to have the server repeat it back</h1> <form onsubmit="getEcho(); return false;"> <input id="text" name="text" type="text" placeholder="type some text here"/> <input id="length" type="hidden" name="length" value="0"/> <input type="submit"/> </form> <p id="echo">output will appear here</p> </div> </body> </html>
There is two parameters in te request url: length and text. text comes from the input field, and length is calculated with javascript.
1 2 3 4 5 6 7 8 9 10 11 12
functiongetEcho(){ var text = $('#text').val(); var length = $('#length').val(); $.ajax('echo.php?length='+length+'&text='+text).done(function(echoed){ $('#echo').text(echoed); }); } $(document).ready(function(){ $('#text').on('input', function(){ $('#length').val($('#text').val().length); }); });
If I submit A, the calculated length is 1.
1 2 3 4 5 6 7 8 9
GET /echo.php?length=1&text=A HTTP/1.1 Host: neverlanctf-challenges-elb-248020705.us-west-2.elb.amazonaws.com:9123 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://neverlanctf-challenges-elb-248020705.us-west-2.elb.amazonaws.com:9123/ X-Requested-With: XMLHttpRequest Connection: close
But what will happen if I change the value from 1 to 1000 with Burp:
1
GET /echo.php?length=1000&text=A HTTP/1.1
The server displays more than intended:
1
Auo$@uyc kds2^4a ady 5 tyusft tuyuy_#65afajty ajb tjuflt ty%&(juuyttyjtji KEY: flag{bleeding_in_javascript} SDF4 asd6f ayj1dsgff@ af ttmtum56tu$%ga wrg3@#%aa9-mtyumty dfgsaumg68g$%ershe as 9tuyt t9uty38dsdfg-5f htyd45s#$
c = Curl::Easy.new(hostname) do |curl| curl.headers['Cookie'] = 'PHPSESSID=30ff4361f8af2985595bff7c9614b1f1' curl.headers['Referer'] = hostname curl.headers['Upgrade-Insecure-Requests'] = '1' #curl.verbose = true end# Curl
c.perform # send the request if c.body_str.match(/anti\-human cipher/) puts '• Connexion works' end
# get the cipher word ciphered_word = c.body_str.match(/<h1 id="cipher">([a-zA-Z]*)<\/h1>/).captures[0] ciphered_word.downcase! # put lowercase ciphered_word_length = ciphered_word.length
puts '• Cracking ciphered word' do_break = false answer = "" File.open("words.txt", 'r') do |file| file.each do |word| word.chomp! # remove spaces if word.length.eql?(ciphered_word_length) # only try word with same length answer = word # save the word because it can be mixed case word.downcase! # put lowercase # puts "word: #{word}" (1..25).each do |i| # puts caesar_cipher(word, i).join if caesar_cipher(word, i).join == ciphered_word puts "• Deciphered: #{word}" do_break = true break end end end breakif do_break end end
Line 4: 2438, No numbers are correct => Only [0,1,5,6,7,9] are possible
Line 5: 5240, One number is correct and correctly placed => 2 and 4 are wrong, so 0 or 5 is in the code, [[0|5],1,6,7,9]
Line 1: 9532, One number is correct but wrongly placed => 2 and 3 are wrong, so 9 or 5 is good, [0|5] & [5|9] = 5 so [1,5,6,7] OR [0|5] & [5|9] = [0,9] so so [0,1,6,7,9]
Line 2: 1673, Two numbers are correct and correctly placed => Only two number are good so [1,5,6,7] impossible so [0,1,6,7,9] is only possible
(Now we need to filter the 5 numbers to keep only 4)
Line 1: Confirmed [9], Possible [0,1,6,7]
Line 3: Confirmed [9,[0|6]], Possible [1,7]
Line 5: Confirmed [9,0], Possible [1,7] so [0,1,7,9] are the four numbers
(We have the four numbers so now let's order them)