[CTF Series #3] Misc (JS Scripting)

Objective:
To get the flag from the HTML script given.

Topic Covered:
1. Programming Logic
2. Write a simple bruteforce script using Javascript

Descriptions:
It was a HTML file with embedded JS and WASM script in there. So, lets have some quick look at the code below.

For better understanding of the WASM for this challenge, please check out the link at the reference (Included the C code of the question too) there before continue.

At the first glance, the if…else function looks suspicious because the user input will compare with a base64 strings in order to verify its validity. Before the strings compare, there is a btoa() function that convert the user input into base64 strings. At first i tried to decode the base64 directly but the decoded strings contains some unprintable character 😒. Therefore, the encoding procedure of user input need to be reverse. To get a clearer ideas for me to create a brute force script, I separated the codes into three parts as below:

1. The WASM Module (Binary Function Loader)

var m = new WebAssembly.Instance(new WebAssembly.Module(bin));

2. Encoding of User Input

var flag = prompt("teh flag?");
var strBuf = new TextEncoder().encode(flag.slice(0, 64));
var inBuf = new Uint8Array(m.exports.memory.buffer, offset, strBuf.length);
for (let i = 0; i < strBuf.length; i++) {
inBuf[i] = strBuf[i];
}
var morph = m.exports.morph(strBuf.length);
var outBuf = new Uint8Array(m.exports.memory.buffer, morph, strBuf.length);

3. Strings Validation

btoa(new TextDecoder().decode(outBuf)) === "dxB9BH8RVRMKG1NPI3UyOFRIJyJObAZdXkF8DUEJ"

Ideas & Code Analysis (Black Box View):
1. Find out the Uint8Array of the flag by reversing the btoa and decode function
2. It can see that the strBuf (from user input) will move its value into inBuf. The morph variable acts as a function that will convert the value of inBuf to outBuf.

In the white box view (From the C code of the question given), the getInStrOffset() actually read the from the first character address of the inBuf array. Therefore, the inBuf in line 15 able to access the memory of the inBuf in the C code. In line 17, the user input strings will copy to the first address of inBuf array until the end of user input string. Then, the morph() will encode the inBuf and store the encoded strings into outBuf.

3. Create bruteforce script by iterate the user input with printable characters.

4. Compare the Uint8Array value with the encoded flag. If correct, concatenate the character into flag variable. Repeat…

Here is the Bruteforce script to get the flag:

Thanks for reading my another CTF writeup and go try out yourself too 😊.

References:
-
C Code of the Question:
https://wasdk.github.io/WasmFiddle/?1helou

https://www.cnblogs.com/Answer1215/p/7099324.html

Buy me a Pizza 🍕?

--

--

--

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

TryHackMe : OWASP Top 10 [Part 2]

Modes of Failure (Part 1)

Fuzzy Searches in VS Code: Tips to increase developer focus and productivity

C++ PROGRAM TO CONVERT NUMBERS INTO CHARACTERS!!!

Create a URL Shortener with Flask

Installing Xampp and Using It For Multiple Sites (on Windows 10)

Easy Setup of Dagger2 and other Components in a Multi-module App using Clean Architecture

An in-depth look at 100% Zero Downtime deployments with Terraform | Checkly

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
GhouLSec

GhouLSec

Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec

More from Medium

Validation — HackTheBox

CTF Ware : Part 003 — Requests.txt & Executables.

Installing Ubuntu in Virtual Box

How to Use Waler to Inspect Your Docker Image?