[CTF Series #3] Misc (JS Scripting)

GhouLSec
2 min read · Apr 15, 2019

Objective:
To get the flag from the HTML script given.

Topic Covered:
1. Programming Logic
2. Write a simple brute-force script using JavaScript

Descriptions:
It was an HTML file with an embedded JS and WASM script. Let's take a quick look at the code below.

For a better understanding of the WASM in this challenge, please check out the link in the references (which also includes the C code of the question) before continuing.

At first glance, the if…else statement looks suspicious because the user input is compared with a base64 string to verify its validity. Before the strings are compared, a btoa() call converts the user input into a base64 string. At first I tried to decode the base64 directly, but the decoded string contains some unprintable characters 😒. Therefore, the encoding procedure applied to the user input needs to be reversed. To get a clearer idea of how to write a brute-force script, I separated the code into three parts, as below:

1. The WASM Module (Binary Function Loader)

var m = new WebAssembly.Instance(new WebAssembly.Module(bin));

2. Encoding of User Input

var flag = prompt("teh flag?");
var strBuf = new TextEncoder().encode(flag.slice(0, 64));
var inBuf = new Uint8Array(m.exports.memory.buffer, offset, strBuf.length);
for (let i = 0; i < strBuf.length; i++) {
  inBuf[i] = strBuf[i];
}
var morph = m.exports.morph(strBuf.length);
var outBuf = new Uint8Array(m.exports.memory.buffer, morph, strBuf.length);

3. Strings Validation

btoa(new TextDecoder().decode(outBuf)) === "dxB9BH8RVRMKG1NPI3UyOFRIJyJObAZdXkF8DUEJ"

Ideas & Code Analysis (Black Box View):
1. Find the Uint8Array of the flag by reversing the btoa and decode functions.
2. The value of strBuf (from the user input) is moved into inBuf. The morph variable acts as a function that converts the value of inBuf into outBuf.

In the white box view (from the C code of the question), getInStrOffset() actually reads from the address of the first character of the inBuf array. Therefore, the inBuf in line 15 is able to access the memory of inBuf in the C code. In line 17, the user input string is copied into the inBuf array, starting at its first address and continuing to the end of the user input string. Then morph() encodes inBuf and stores the encoded string in outBuf.

3. Create a brute-force script that iterates over the user input using printable characters.

4. Compare the Uint8Array value with the encoded flag. If it is correct, concatenate the character onto the flag variable. Repeat…
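
The search in steps 3 and 4, written out as an added example (it is not the author's script or the challenge's code). The real morph() lives in the WASM binary, so a constructed stand-in, morphStandIn, is used here under the assumption that output byte i depends only on input bytes 0..i; targetBytes, encodeLikeChallenge, recoverInput and the sample string are hypothetical names and values. Under that assumption the search needs at most 95 guesses per position.

```javascript
// Constructed stand-in for the challenge's morph(); NOT the real WASM routine.
// Assumption: output byte i depends only on input bytes 0..i, so each
// position can be solved on its own once the earlier ones are known.
function morphStandIn(input) {
  const out = new Uint8Array(input.length);
  let prev = 0x13; // arbitrary constructed seed
  for (let i = 0; i < input.length; i++) {
    out[i] = (input[i] ^ prev ^ i) & 0x7f; // stays ASCII, so btoa() accepts it
    prev = input[i];
  }
  return out;
}

// Undo btoa(new TextDecoder().decode(outBuf)): base64 -> raw byte values.
// Lossless only while every byte is below 0x80; TextDecoder replaces
// anything that is not valid UTF-8.
function targetBytes(b64) {
  const bin = typeof atob === "function"
    ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
}

// The forward direction, encoded the same way as the page's validation line.
function encodeLikeChallenge(morph, text) {
  const s = new TextDecoder().decode(morph(new TextEncoder().encode(text)));
  return typeof btoa === "function"
    ? btoa(s) : Buffer.from(s, "binary").toString("base64");
}

// Steps 3 and 4: try each printable character at the next position and keep
// the one whose morphed byte equals the target byte at that position.
function recoverInput(morph, target) {
  const enc = new TextEncoder();
  let known = "";
  for (let pos = 0; pos < target.length; pos++) {
    let hit = null;
    for (let code = 0x20; code <= 0x7e && hit === null; code++) {
      const guess = known + String.fromCharCode(code);
      if (morph(enc.encode(guess))[pos] === target[pos]) hit = guess;
    }
    if (hit === null) return null; // no printable character fits here
    known = hit;
  }
  return known;
}

const SAMPLE = "flag{constructed_sample}"; // constructed, not the real flag
const sampleB64 = encodeLikeChallenge(morphStandIn, SAMPLE);
console.log(sampleB64, "->", recoverInput(morphStandIn, targetBytes(sampleB64)));
```

Against the real challenge, morphStandIn would be replaced by a wrapper that writes the guess into inBuf and reads outBuf back after calling m.exports.morph().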

Here is the brute-force script to get the flag:

Thanks for reading another of my CTF writeups, and go try it out yourself too 😊.

References:
C Code of the Question:
https://wasdk.github.io/WasmFiddle/?1helou

https://www.cnblogs.com/Answer1215/p/7099324.html
