---
title: 404CTF Write-Up Fiché JS
description: Write-up for the web challenge "Fiché JS" @ 404CTF 2022
image: /blog/404ctf.png
date: 2022-06-04
authors:
  - name: finxol
tags:
  - writeup
  - 404ctf
published: true
---

## 404CTF

The [404CTF](https://404ctf.fr) is a CTF organized by the Direction Générale de la Sécurité Extérieure (DGSE), Télécom SudParis and
its association Hackademint.
This 2022 edition marked the double anniversary of "the 80th anniversary of the BCRA, the secret service of the Free France and
the 40th anniversary of its heir, the DGSE".

### Description

*This is a translation of the original description in French.*

After several months of digging into Hallebarde's past, we found an old file hosting platform that they used up until 2010.
That's 12 years ago now!
Security practices have changed radically since then and what seemed unbreakable then may not be so at all anymore.

Your move: find a way to bypass the existing protection system and recover the files still hosted on this site!

Author: **Artamis**

## Solution

At first, we only find a page containing a number pad.

From there, we can open our browser's developer tools to find out what is hidden behind this numpad.

In the "Debugger" tab, we immediately notice a JavaScript file named `index.js`.
After a quick read, we realise that this is the part that controls the number pad.

There are several places that can be used to validate an entry code.
Around line 129, there is a `switch` statement that reacts to a key press on the keyboard.

```js
switch (e.keyCode) {
  case 8: // Backspace: remove the last entered digit
    backspaceOnPin();
    break;
  case 13: // Enter: submit the PIN entered so far
    confirmPin(STATE.enteredPin);
    break;
  default:
    break;
}
```

The `keyCode` 13 corresponds to the Enter key.
We can therefore set a breakpoint here by clicking on line number 129 to examine the behaviour of the `confirmPin()` function.
Once the breakpoint is set, we can simulate a validation by pressing the Enter key.

Execution then halts just before the `confirmPin()` function is called.
We can then press F11, or *Step Into*, which brings us to what looks like a small file.

```js
/* OPERATION */
var key = $(".keypad").keypad(function (pin) {
  if (pin == "240801300505131273100172") {
    document.location.href = "./nob03y_w1lL_Ev3r_fiNd_th15_PaGe.html";
  }
});
```

The PIN check is just a simple comparison done in the browser, but it is not the PIN that we are interested in here.
What matters is that, if the PIN is correct, we are redirected to a supposedly hidden page whose path is written in plain text in the script.

It is indeed on this mystery page that we find the flag, as well as the list of all the agents of Hallebarde.
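
The check above runs entirely in the browser, so both the PIN and the destination URL are readable by anyone who opens the debugger. As an added example (not code from the challenge or from the original write-up), here is the same gate enforced server-side in Node.js, where the page is only served to a session that passed the PIN check. `hashPin`, `createGate`, `verifyPin`, `getProtectedPage` and the sample PIN are hypothetical, and the in-memory `Map`/`Set` stand in for a real session store.

```javascript
// Added example: all names and sample values here are hypothetical.
const crypto = require("crypto");

// Store only a salted, slow hash of the PIN on the server.
function hashPin(pin, salt) {
  return crypto.scryptSync(String(pin), salt, 32);
}

function createGate(pinHash, salt, maxAttempts = 5) {
  const failures = new Map(); // clientId -> consecutive failed attempts
  const sessions = new Set(); // tokens issued after a correct PIN

  return {
    // Login handler: the comparison happens here, never in index.js.
    verifyPin(clientId, pin) {
      const failed = failures.get(clientId) || 0;
      if (failed >= maxAttempts) return { ok: false, reason: "locked" };
      // Both buffers are 32 bytes, as timingSafeEqual requires.
      if (!crypto.timingSafeEqual(hashPin(pin, salt), pinHash)) {
        failures.set(clientId, failed + 1);
        return { ok: false, reason: "wrong-pin" };
      }
      failures.delete(clientId);
      const token = crypto.randomBytes(32).toString("hex");
      sessions.add(token);
      return { ok: true, token };
    },
    // Handler for the protected page: knowing its URL is not enough.
    getProtectedPage(token) {
      if (!sessions.has(token)) return { status: 403, body: "Forbidden" };
      return { status: 200, body: "protected file listing" };
    },
  };
}

// Constructed demo values, not taken from the challenge.
const demoSalt = crypto.randomBytes(16);
const demoGate = createGate(hashPin("482913", demoSalt), demoSalt, 3);
console.log(demoGate.getProtectedPage("no-session").status);
console.log(demoGate.verifyPin("client-a", "000000").reason);
const login = demoGate.verifyPin("client-a", "482913");
console.log(demoGate.getProtectedPage(login.token).status);
```

With this design the client script only forwards the digits to the server, so reading `index.js` reveals neither the PIN nor a URL that grants access on its own.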