ABCTF - 35 - The Flash - Web Exploitation

Information

Version

| By    | Version | Comment  |
|-------|---------|----------|
| noraj | 1.0     | Creation |

CTF

  • Name : ABCTF 2016
  • Website : http://abctf.xyz/
  • Type : Online
  • Format : Jeopardy - Student
  • CTF Time : link

Description

Can you somehow get the flag from [this](http://yrmyzscnvh.abctf.xyz/web2/) website?

Solution

  1. Display the page source (CTRL + U):
<html>
<head>
<link rel="stylesheet" href="main.css">
<link href='https://fonts.googleapis.com/css?family=Inconsolata' rel='stylesheet' type='text/css'>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.12.2/jquery.min.js"></script>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/0.97.6/css/materialize.min.css">

</head>

<body>
<div class="row">
<div class="col l6 push-l3">
<center><h3 class="white-text">Web 2</h3><br></center>
</div>
</div>
<div style="margin-top: 20%" class="row">
<div class="col l4 push-l4">
<form action="." method="post">
<h5 class="white-text">Password: </h5>
<input type="password" name="password" required>
<input id="submit" type="submit" value="Submit">
</form>
</div>
</div>

<div class="row">
<div class="col l4 push-l4" id="response-wrong">
</div>
</div>


</body>

<!-- c3RvcHRoYXRqcw== -->

<script type="text/javascript" src="fade.js"></script>

</html>
  2. The source contains a base64 string, c3RvcHRoYXRqcw==, in an HTML comment. Decode it:
echo -n "c3RvcHRoYXRqcw==" | base64 -d && echo ""
stopthatjs
  3. Use stopthatjs as the password. The page then shows HAAAAaaaaaaaa!, and the flag is displayed only very briefly.
  4. This is because of the fade script, fade.js: 20 ms after the page loads, it replaces the text of #response with HAAAAaaaaaaaa! and fades the element out.
$(document).ready(function(){
$("#response-wrong").fadeOut(1500);

setTimeout( function()
{
$('#response').text('HAAAAaaaaaaaa!')
$('#response').fadeOut(1500);
}, 20);

});
  5. So block the script, for example with NoScript, and the flag stays visible: ABCTF{no(d3)_js_is_s3cur3_dasjkhadbkjfbjfdjbfsdajfasdl}
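
The two observations above can also be checked without a browser, shown here as an added example that is not part of the original write-up: anything in an HTML comment or element body is readable as served, whatever client-side script later does to it. It assumes the server puts the flag in the `#response` element of the returned HTML (the element fade.js overwrites); the sample pages and the placeholder flag are constructed.

```python
import base64
import re
from html.parser import HTMLParser

# Constructed samples; POST_RESPONSE is an assumed shape for the post-login reply.
LOGIN_PAGE = '<body><form action="." method="post"></form></body>\n<!-- c3RvcHRoYXRqcw== -->'
POST_RESPONSE = '<div id="response">FLAG{constructed-placeholder}</div><script src="fade.js"></script>'
B64_RE = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

class ServedPage(HTMLParser):  # collects comments and one element's text, as served
    def __init__(self, element_id=None):
        super().__init__()
        self.comments, self.text = [], []
        self._id, self._tag, self._depth = element_id, None, 0

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        if not self._depth and self._id and dict(attrs).get("id") == self._id:
            self._tag, self._depth = tag, 1
        elif self._depth and tag == self._tag:
            self._depth += 1  # nested element of the same kind

    def handle_endtag(self, tag):
        if self._depth and tag == self._tag:
            self._depth -= 1

    def handle_data(self, data):
        if self._depth:
            self.text.append(data)

def decode_comments(html):
    """Return (comment, decoded) pairs for comments that are base64 text."""
    page = ServedPage()
    page.feed(html)
    found = []
    for c in filter(B64_RE.fullmatch, page.comments):
        try:
            found.append((c, base64.b64decode(c, validate=True).decode("ascii")))
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            pass  # matched the alphabet but is not base64-encoded text
    return found

def served_text(html, element_id):
    """Text inside element_id before any script has run."""
    page = ServedPage(element_id)
    page.feed(html)
    return "".join(page.text).strip()
```

Running `decode_comments` over a site's own pages before release is a quick way to catch credentials left in comments; `served_text` shows what a client receives regardless of scripts that hide or overwrite it.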