Web - pay2win

Easy | 247 solves | 50 points

Last updated 3 years ago

Description

Kyle started an online magazine (The Daily Kyle) and published one of my articles on his site. Don't worry, the article literally contains the flag in plaintext, but if you want to read it you'll have to figure out how to bypass the paywall.

Solution

When we first visit the website, we are presented with a pop-up which is similar to your typical annoying advert.

After clicking No thanks to clear the pop-up, we try to scroll down the page but scrolling has been disabled.

The first step is, of course, to open the browser's developer tools to find out what is going on, but developer tools were blocked too.

Upon launching developer tools, the page automatically redirects to a YouTube Rick-Roll video.

We can, however, view the page source, and one particular line stood out.

It appears that the flag is dynamically written by the page's JavaScript and we can access it through the URL.

At this point, I immediately suspected I could copy the website and execute it locally. But before launching the page locally, I simplified the JavaScript to only contain the script responsible for loading the flag.

function plantFlag () {
  const ciphertext = [234, 240, 234, 252, 214, 236, 140, 247, 173, 191, 158, 132, 56, 4, 32, 73, 235, 193, 233, 152, 125, 19, 19, 237, 186, 131, 98, 52, 186, 143, 127, 43, 226, 233, 126, 15, 225, 171, 85, 55, 173, 123, 21, 147, 97, 21, 237, 11, 254, 129, 2, 131, 101, 63, 149, 61]
  // Each byte is XORed with (i * i) mod 256 and the constant 0x99
  const plaintext = ciphertext.map((x, i) => ((i * i) % 256) ^ x ^ 0x99)

  // One <span class="flag-char-N"> per character, appended in array order
  const flagElement = document.querySelector('#flag')
  plaintext.map((x, i) => {
    const span = document.createElement('span')
    span.classList.add(`flag-char-${i}`)
    span.textContent = String.fromCharCode(x)
    flagElement.appendChild(span)
    return span
  })

  // The overlay is removed from the local copy, so guard against a null element.
  // flagAlert is not defined in this simplified script; it is only used by the handler.
  const flagOverlay = document.querySelector('#flag-overlay')
  if (flagOverlay) {
    flagOverlay.addEventListener('mouseover', async () => {
      await swal(flagAlert)
    })
  }
}

plantFlag()

Initially, I tried to compute the plaintext flag just from the JavaScript itself, but I could only get shwl_l1_twcd14}1ry4ht3neck_t3_bs{1c_hkh_tsh3he03gy_3l_hu as the flag. Something else was missing. Hence, I also downloaded the main.css from the page itself and added it to the local copy. I also removed any unnecessary HTML code to make the page as simple as possible.

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width" />
    <link rel="shortcut icon" href="/favicon.svg">
    <title>The Daily Kyle</title>
    <link rel="stylesheet" href="main.css" media="all">
    <script src="https://unpkg.com/sweetalert/dist/sweetalert.min.js"></script>
  </head>
  <body>
    <section class="section">
      <div class="container">
        <h1 class="title">
          An article that contains the flag
        </h1>
        <p class="subtitle">
        Too bad you can't read it
        </p>

        <p><b>Congrats</b> on making it this far! Here's the flag:</p>
        <br>
        <pre id="flag-container">
          <code id="flag"></code>
        </pre>
        <br>
      </div>
    </section>
    <script src="main.js" charset="utf-8"></script>
  </body>
</html>

Note that it is important to remove the flag-overlay element; otherwise the flag will be covered by the overlay. Launching the cloned webpage locally now shows the flag:

Flag: buckeye{h0ly_sh1t_wh4t_th3_h3ck_1s_th1s_w31rd_ch4ll3ng3}
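The scrambled string from the JavaScript-only attempt is exactly what the XOR step yields. As an added example (not part of the original writeup or the challenge's code), this Node.js script reproduces it without a DOM and checks that it is a reordering of the final flag, so what main.css contributes is the display order of the flag-char-N spans. The helper names are assumptions, the page does not show main.css, and the display order built here is constructed: repeated characters make it one of several consistent orders.

```javascript
// Added example: runs under Node.js, no DOM or stylesheet needed.
// Ciphertext and XOR rule are copied from plantFlag() on this page.
const ciphertext = [234, 240, 234, 252, 214, 236, 140, 247, 173, 191, 158, 132, 56, 4, 32, 73, 235, 193, 233, 152, 125, 19, 19, 237, 186, 131, 98, 52, 186, 143, 127, 43, 226, 233, 126, 15, 225, 171, 85, 55, 173, 123, 21, 147, 97, 21, 237, 11, 254, 129, 2, 131, 101, 63, 149, 61];
const shown = 'buckeye{h0ly_sh1t_wh4t_th3_h3ck_1s_th1s_w31rd_ch4ll3ng3}';

// Undo the obfuscation: byte i is XORed with (i * i) mod 256 and 0x99.
function decode(bytes) {
  return bytes.map((x, i) => String.fromCharCode(((i * i) % 256) ^ x ^ 0x99)).join('');
}

// Character counts, used to compare two strings while ignoring order.
function histogram(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  return counts;
}

function isPermutation(a, b) {
  if (a.length !== b.length) return false;
  const ha = histogram(a);
  const hb = histogram(b);
  if (ha.size !== hb.size) return false;
  for (const [ch, n] of ha) if (hb.get(ch) !== n) return false;
  return true;
}

// Build ONE mapping: displayPos[i] is where the span flag-char-i is shown.
// Constructed for illustration; it is not read from the challenge's CSS.
function oneDisplayOrder(domOrder, target) {
  if (!isPermutation(domOrder, target)) throw new Error('not a reordering');
  const free = new Map(); // character -> unused positions in target
  [...target].forEach((ch, pos) => {
    if (!free.has(ch)) free.set(ch, []);
    free.get(ch).push(pos);
  });
  return [...domOrder].map((ch) => free.get(ch).shift());
}

// Place every DOM-order character at its display position.
function render(domOrder, displayPos) {
  const out = new Array(domOrder.length);
  [...domOrder].forEach((ch, i) => { out[displayPos[i]] = ch; });
  return out.join('');
}

const domOrder = decode(ciphertext);
console.log(domOrder);
console.log(isPermutation(domOrder, shown));
console.log(render(domOrder, oneDisplayOrder(domOrder, shown)) === shown);
```

Every byte of the article is recoverable from the shipped script alone; the popup, scroll lock and devtools redirect only affect how the browser presents it.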