What is it? @.@

Here is the place where I record some tactics about wargames, systems, and other security issues.

2012-11-15

Bright Shadows - JavaScript 4: "Hard but possible."

Description:


Only input a valid username and you will get to the solution page.
 ____________________    
|____________________| Check


Solution:
  1. View the page source and the JavaScript code is easy to find.
    <script src="JavaScript">
      function testEncode() {
        var dater = new Date();
        Day = dater.getDate();
        dater = null;
        Ret = encode(document.formular.user.value, Day);
        location = Ret+".php";
      }
      function encode (OrigString, CipherVal) {
        Ref="0123456789abcdefghijklmnopqrstuvwxyz._~ABCDEFGHIJKLMNOPQRSTUVWXYZ";
        CipherVal = parseInt(CipherVal);
        var Temp="";
        for (Count=0; Count < OrigString.length; Count++) {
          TempChar = OrigString.substring (Count, Count+1);
          Conv = cton(Ref, TempChar);
          Cipher=Conv^CipherVal;
          Cipher=ntoc(Ref, Cipher);
          Temp += Cipher;
        }
        return (Temp);
      }
      function cton (Ref, Char) {
        return (Ref.indexOf(Char));
      }
      function ntoc (Ref, Val) {
        return (Ref.substring(Val, Val+1));
      }
    </script>
    
  2. Hmm... it seems we need to decipher the program code.
  3. Wait... if we check the code carefully, even if we decipher the encryption algorithm, there's no trigger code for the final location value. There should be code like the one below.
    window.location.href="..."
  4. Go back and check the code: there's a hidden link within the JavaScript, at the URL below.
    [Link]:
    http://www.bright-shadows.net/challenges/levelj4/JavaScript

    [Content]
    function testEncode(form)
    {
        input_user = document.formular.user.value;
        if (input_user == "thebestoneisthis") {
            window.location.href="thebestoneisthis.php";
        }
        else
        {
            window.location.href=input_user +".php";
        }
    }
    
  5. Yes, this is what we're looking for!! Input the password and... Well done!
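
Why the inline code from step 1 is a decoy: a `<script>` element that carries a `src` attribute runs only the referenced file, and the browser ignores the text between its tags. The added example below (not part of the challenge or the original post) flags such tags when reviewing page source and resolves where the real script lives; the name `findShadowedScripts`, the sample markup and the page URL are constructed for illustration.

```javascript
// Added example. A <script> with a src attribute runs only the fetched file;
// any code written between its tags is ignored by the browser.
function findShadowedScripts(html, pageUrl) {
  const findings = [];
  // Regex scan, adequate for small page sources; not a full HTML parser.
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;
  // src must be its own attribute (so data-src is not matched).
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = srcRe.exec(m[1]);
    if (!src) continue; // inline-only script: its body really executes
    const rawSrc = src[1] ?? src[2] ?? src[3];
    const body = m[2];
    findings.push({
      src: rawSrc,
      // Relative src values resolve against the page URL, like any link.
      resolved: new URL(rawSrc, pageUrl).href,
      ignoredInlineCode: body.trim().length > 0,
      ignoredFunctions: [...body.matchAll(/function\s+([A-Za-z_$][\w$]*)/g)]
        .map((f) => f[1]),
    });
  }
  return findings;
}

// Constructed sample modelled on the challenge page (bodies shortened).
const samplePage = `
<form name="formular"><input name="user"></form>
<script src="JavaScript">
  function testEncode() { location = encode(document.formular.user.value, 1) + ".php"; }
  function encode(OrigString, CipherVal) { return OrigString; }
</script>
<script>function helper() {}</script>`;

// Assumed page URL: the directory of the link given in step 4.
const samplePageUrl = "http://www.bright-shadows.net/challenges/levelj4/";

function auditSample() {
  return findShadowedScripts(samplePage, samplePageUrl);
}
console.log(auditSample());
```

Any finding with `ignoredInlineCode: true` means the functions listed in `ignoredFunctions` are not what the page executes, so the file at `resolved` is the one to read.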
