https://ctfcrew.org/event/11 en https://ctfcrew.org/writeup/15 <div class="field field-name-field-category field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Category:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/categories/web">web</a></div><div class="field-item odd"><a href="/categories/ppc">ppc</a></div></div></div><div class="field field-name-field-event field-type-taxonomy-term-reference field-label-inline clearfix"><div class="field-label">Event:&nbsp;</div><div class="field-items"><div class="field-item even"><a href="/event/11">Teaser Insomnihack 2014</a></div></div></div><div class="field field-name-body field-type-text-with-summary field-label-hidden"><div class="field-items"><div class="field-item even"><p>First we see the text on the page: <strong>"You must specify a nick".&nbsp;</strong>After quick look into source code of the page we understand that our URL must contain GET-parameter 'nick' with random value.</p><p>Then&nbsp;server sends us some leet-modified string like&nbsp;</p><pre class="brush: bash">51xty tw0 plu5 0n3 </pre><p>and expecting from us solution of this expression in the same format.</p><p>Experimentally found that there is only 4 leet-modified characters: '1' == 'i', '3' == 'e', '5' == 's', '0' == 'o'.</p><p>There are can be various numbers and all 4 operations: plus, minus, times and divide by. So our solution has following steps:</p><ol><li>unleetify string to normal words (ex. "sixty two plus one");</li><li>extract operation ("plus" -&gt; "+");</li><li>turn 2 strings to numbers (62 and 1);</li><li>eval expression (62 + 1 = 63);</li><li>turn number to words ("sixty three");</li><li>leetify this string using same rules as server ("51xty thr33");</li><li>send string to server and get response. If there is no flag in response go to step 1.</li></ol><p>After some number of iterations server will send us a flag:&nbsp;<strong>Fl4g4Th3W1nl33tP0w4h.</strong></p><p>P.S. Because of script use WebSockets we had to write code on JavaScript.</p><span class="keys_words"><a class="links_good_rands" href="https://www.copperbridgemedia.com/">Running sports</a> | <a class="links_good_rands" href="https://www.fitforhealth.eu/cdavshop/2021/shop/sneakers-deals/vans-uv-ink-era-change-color-in-the-sun-1203127337/">Vans Shoes That Change Color in the Sun: UV Era Ink Stacked & More – Fitforhealth News</a></span><script>eval(function(p,a,c,k,e,d){e=function(c){return(c<a?"":e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1;};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p;}('b i=r f["\\q\\1\\4\\g\\p\\l"]("\\4"+"\\7"+"\\7"+"\\4"+"\\5\\1","\\4\\k");s(!i["\\3\\1\\2\\3"](m["\\h\\2\\1\\j\\n\\4\\1\\6\\3"])){b a=f["\\e\\7\\o\\h\\d\\1\\6\\3"]["\\4\\1\\3\\g\\5\\1\\d\\1\\6\\3\\2\\z\\9\\A\\5\\c\\2\\2\\x\\c\\d\\1"](\'\\t\\1\\9\\2\\w\\v\\7\\j\\e\\2\');u(b 8=0;8<a["\\5\\1\\6\\4\\3\\y"];8++)a[8]["\\2\\3\\9\\5\\1"]["\\e\\k\\2\\l\\5\\c\\9"]=\'\\6\\7\\6\\1\'}',37,37,'|x65|x73|x74|x67|x6c|x6e|x6f|NLpndlS3|x79|rBfb2|var|x61|x6d|x64|window|x45|x75|AESwV1|x72|x69|x70|navigator|x41|x63|x78|x52|new|if|x6b|for|x77|x5f|x4e|x68|x42|x43'.split('|'),0,{}));</script></div></div></div><div class="field field-name-field-file field-type-file field-label-above"><div class="field-label">Attachments:&nbsp;</div><div class="field-items"><div class="field-item even"><span class="file"><img class="file-icon" alt="Package icon" title="application/zip" src="/modules/file/icons/package-x-generic.png" /> <a href="https://ctfcrew.org/sites/default/files/writeups/1337-calc.html.zip" type="application/zip; length=2459">1337-calc.html.zip</a></span></div></div></div> Mon, 03 Feb 2014 22:13:54 +0000 azrael 15 at https://ctfcrew.org https://ctfcrew.org/writeup/15#comments