Flare-On 8 2021 Challenge #1: credchecker

Eviatar Gerzi
2 min read, Oct 26, 2021

After unzipping the archive we get an HTML file (admin.html):

It asks for a username and password, but when I tried admin and 1234 as the username and password I received an error.

I checked the file content and noticed the JavaScript code:

    var form = document.getElementById("credform");
    var username = document.getElementById("usrname");
    var password = document.getElementById("psw");
    var info = document.getElementById("infolabel");
    var checkbtn = document.getElementById("checkbtn");
    var encoded_key = "P1xNFigYIh0BGAofD1o5RSlXeRU2JiQQSSgCRAJdOw=="

    function dataEntered() {
        if (username.value.length > 0 && password.value.length > 0) {
            checkbtn.disabled = false;
        } else {
            checkbtn.disabled = true;
        }
    }

    function checkCreds() {
        if (username.value == "Admin" && atob(password.value) == "goldenticket")
        {
            var key = atob(encoded_key);
            var flag = "";
            for (let i = 0; i < key.length; i++)
            {
                flag += String.fromCharCode(key.charCodeAt(i) ^ password.value.charCodeAt(i % password.value.length))
            }
            document.getElementById("banner").style.display = "none";
            document.getElementById("formdiv").style.display = "none";
            document.getElementById("message").style.display = "none";
            document.getElementById("final_flag").innerText = flag;
            document.getElementById("winner").style.display = "block";
        }
        else
        {
            document.getElementById("message").style.display = "block";
        }
    }

It is pretty easy to understand: the key is stored encoded and there is code that decodes it. Let's check whether we can reuse its algorithm to decode it, so we won't need to work hard to understand the details.

This is the decode part:

    var key = atob(encoded_key);
    var flag = "";
    for (let i = 0; i < key.length; i++)
    {
        flag += String.fromCharCode(key.charCodeAt(i) ^ password.value.charCodeAt(i % password.value.length))
    }

We already have encoded_key; password.value is the missing part.

Notice this check:

    atob(password.value) == "goldenticket"

It applies atob() to password.value and compares the result to “goldenticket”. We can reverse this and work out which input to atob produces that string.

The atob function decodes a base64-encoded string, so all we need to do is encode the string “goldenticket” with the inverse function, btoa.

After that we can reuse the same decode loop, only replacing password.value with password. This is our decode script:

    var encoded_key = "P1xNFigYIh0BGAofD1o5RSlXeRU2JiQQSSgCRAJdOw=="
    var password = btoa("goldenticket")
    var key = atob(encoded_key);
    var flag = "";
    for (let i = 0; i < key.length; i++)
    {
        flag += String.fromCharCode(key.charCodeAt(i) ^ password.charCodeAt(i % password.length))
    }

After running it we receive the flag:

flag: enter_the_funhouse@flare-on.com
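As an added example (not part of the original writeup or of admin.html), the same decode expressed as a standalone Node.js script using Buffer instead of the browser's atob/btoa. It generalises the loop into a repeating-key XOR routine and, because XOR is its own inverse, also runs the other direction to rebuild the encoded_key constant from the flag, which is a handy check that the recovered flag is exact. Function names here are my own; the two constants come from the challenge.

```javascript
// Constants taken from the challenge's admin.html.
const ENCODED_KEY = "P1xNFigYIh0BGAofD1o5RSlXeRU2JiQQSSgCRAJdOw==";
const PLAIN_PASSWORD = "goldenticket"; // what atob(password.value) must equal

// Repeating-key XOR over two Buffers: out[i] = data[i] ^ key[i mod keyLen].
function xorRepeating(data, key) {
  if (key.length === 0) throw new Error("key must not be empty");
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) {
    out[i] = data[i] ^ key[i % key.length];
  }
  return out;
}

// The form accepts btoa("goldenticket"), i.e. the base64 text itself, and
// that text (as bytes) is what the XOR loop uses as its key.
// latin1 mirrors btoa(), which works on code points 0..255.
function acceptedPassword(plain) {
  return Buffer.from(plain, "latin1").toString("base64");
}

// Mirrors checkCreds(): atob(encoded_key) XOR password.value, byte by byte.
function recoverFlag(encodedKey, plain) {
  const key = Buffer.from(encodedKey, "base64");
  const pw = Buffer.from(acceptedPassword(plain), "latin1");
  return xorRepeating(key, pw).toString("latin1");
}

// Inverse direction: XOR the flag with the same password and base64-encode.
// Feeding the recovered flag back in must reproduce ENCODED_KEY exactly.
function buildEncodedKey(flag, plain) {
  const pw = Buffer.from(acceptedPassword(plain), "latin1");
  return xorRepeating(Buffer.from(flag, "latin1"), pw).toString("base64");
}

console.log("password to type:", acceptedPassword(PLAIN_PASSWORD));
console.log("flag:", recoverFlag(ENCODED_KEY, PLAIN_PASSWORD));
console.log("round trip ok:",
  buildEncodedKey(recoverFlag(ENCODED_KEY, PLAIN_PASSWORD), PLAIN_PASSWORD) === ENCODED_KEY);
```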
