# JUMP
> jump over 10,000 meters to see my secret

I looked at the source code and found the logic that triggers the flag:
```
checkForBonus() {
    const _0x4f2a = [atob('Ym9udXNVbmxvY2tlZA=='), atob('Y2FjaGVkSGlnaFNjb3Jl'), atob('dmFsaWRhdGVIaWdoU2NvcmU=')];
    ( () => {
        const t = performance.now();
        if (t % 1e3 < 100)
            return;
    }
    )();
    const _0x1a2b = this
      , _0x3c4d = 0x2710;
    if (_0x1a2b[_0x4f2a[0]])
        return;
    if (!(_0x1a2b[_0x4f2a[1]] > _0x3c4d))
        return;
    _0x1a2b[_0x4f2a[0]] = !0;
    const _0x7890 = (Math.random() * 0x7d0 + 0x1f4) | 0
      , _0x9abc = GameUtils[atob('Z2VuZXJhdGVJZA==')]()
      , _0xdef0 = GameUtils[atob('Y3JlYXRlU3Vt')](_0x9abc);
    const _0xfunc = new Function('_s','_d',`
        const _g=_s.${atob('REFUQV9DSFVOS18x')}+_s.${atob('REFUQV9DSFVOS18y')};
        const _u=GameUtils.${atob('dW5wYWNrQ29udGVudA==')}(_g);
        _u&&_d[_s._v]()&&PopupManager.${atob('c2hvd0NvbnRlbnQ=')}(_u);
    `);
    _0x4f2a._v = _0x4f2a[2];
    setTimeout( () => _0xfunc(Score, _0x1a2b), _0x7890);
}
```
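The identifiers in the function above are hidden behind `atob('...')` calls and hex constants, and both can be undone mechanically. The following is an added example, not part of the original write-up or the challenge: the helper names (`deobfuscate`, `decoded_names`) are my own, and `SNIPPET` holds lines copied from the function above.

```python
import base64
import json
import re

# Lines copied from the checkForBonus() snippet shown above.
SNIPPET = r"""
const _0x4f2a = [atob('Ym9udXNVbmxvY2tlZA=='), atob('Y2FjaGVkSGlnaFNjb3Jl'), atob('dmFsaWRhdGVIaWdoU2NvcmU=')];
const _0x1a2b = this
, _0x3c4d = 0x2710;
const _0x7890 = (Math.random() * 0x7d0 + 0x1f4) | 0
, _0x9abc = GameUtils[atob('Z2VuZXJhdGVJZA==')]()
, _0xdef0 = GameUtils[atob('Y3JlYXRlU3Vt')](_0x9abc);
const _g=_s.${atob('REFUQV9DSFVOS18x')}+_s.${atob('REFUQV9DSFVOS18y')};
const _u=GameUtils.${atob('dW5wYWNrQ29udGVudA==')}(_g);
_u&&_d[_s._v]()&&PopupManager.${atob('c2hvd0NvbnRlbnQ=')}(_u);
"""

# atob('...') with a literal base64 argument, bare or wrapped in ${...}
ATOB_CALL = re.compile(r"""atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)""")
TEMPLATE_ATOB = re.compile(r"""\$\{\s*atob\(\s*(['"])([A-Za-z0-9+/=]+)\1\s*\)\s*\}""")
# \b keeps this from matching inside identifiers such as _0x4f2a
HEX_LITERAL = re.compile(r"\b0x[0-9a-fA-F]+\b")


def _decode(b64):
    return base64.b64decode(b64, validate=True).decode("utf-8")


def decoded_names(js):
    """Every string hidden behind an atob() call, in source order."""
    return [_decode(m.group(2)) for m in ATOB_CALL.finditer(js)]


def deobfuscate(js):
    """Inline atob() results and turn hex constants into decimal."""
    # Inside a template literal, ${atob('x')} becomes the bare decoded text.
    js = TEMPLATE_ATOB.sub(lambda m: _decode(m.group(2)), js)
    # Everywhere else, atob('x') becomes a quoted string literal.
    js = ATOB_CALL.sub(lambda m: json.dumps(_decode(m.group(2))), js)
    return HEX_LITERAL.sub(lambda m: str(int(m.group(0), 16)), js)


if __name__ == "__main__":
    print(deobfuscate(SNIPPET))
```
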
Although the code is obfuscated with base64, the logic is clear: when the score is >= 10.000 points, it calls the `unpackContent` function and then shows the flag in a popup. So the task is to understand how `unpackContent` works. Here it is:
```
static unpackContent(processedData) {
    try {
        if (!this.verifyEnvironment())
            return null;
        let unpacked = this.reverseText(processedData);
        unpacked = this.fromHexFormat(unpacked);
        unpacked = this.applyMask(unpacked, 'sl1m3');
        return this.textShift(unpacked);
    } catch (e) {
        return null;
    }
}
```
It decodes several layers. These are the helper functions it calls to do the decoding:
```
static textShift(str) {
    return str.replace(/[a-zA-Z]/g, function(c) {
        return String.fromCharCode((c <= 'Z' ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);
    });
}
static toHexFormat(str) {
    return Array.from(str).map(c => c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
}
static fromHexFormat(hex) {
    return hex.match(/.{1,2}/g).map(byte => String.fromCharCode(parseInt(byte, 16))).join('');
}
static applyMask(str, key) {
    let result = '';
    for (let i = 0; i < str.length; i++) {
        result += String.fromCharCode(str.charCodeAt(i) ^ key.charCodeAt(i % key.length));
    }
    return result;
}
```
I wrote a Python script to decode it and find the flag:
```
def text_shift(s: str) -> str:
    """ROT13 shift"""
    result = []
    for c in s:
        if 'A' <= c <= 'Z':
            result.append(chr((ord(c) - ord('A') + 13) % 26 + ord('A')))
        elif 'a' <= c <= 'z':
            result.append(chr((ord(c) - ord('a') + 13) % 26 + ord('a')))
        else:
            result.append(c)
    return "".join(result)


def apply_mask(data: bytes, key: str) -> bytes:
    """XOR mask with repeating key"""
    result = []
    for i, b in enumerate(data):
        result.append(b ^ ord(key[i % len(key)]))
    return bytes(result)


def to_hex_format(data: bytes) -> str:
    """Convert bytes to hex string"""
    return data.hex()


def from_hex_format(hex_str: str) -> bytes:
    """Convert hex string back to bytes"""
    return bytes.fromhex(hex_str)


def reverse_text(s: str) -> str:
    """Reverse a string"""
    return s[::-1]


def unpack_content(processed_data: str, key: str = "sl1m3") -> str:
    try:
        # Step 1: reverse
        unpacked = reverse_text(processed_data)
        # Step 2: from hex
        unpacked = from_hex_format(unpacked)
        # Step 3: XOR mask
        unpacked = apply_mask(unpacked, key)
        # Step 4: ROT13
        return text_shift(unpacked.decode(errors="ignore"))
    except Exception:
        return None


org = "110045d1e6c1512051e533344523206134344120608036b27643c3"
decode = unpack_content(org)
print("FLAG", decode)
```
> FLAG : BKISC{w3lc0m3_t0_bk1sc_ctf}
# YSSEUG
Problem : So you think you can guess?
Source : chall.zip
First, I unzipped chall.zip and got `step_1.zip` (maybe the challenge has several nested zips). Unzipping that gave `step_2.zip` and a `zip.password` file. I tried to unzip with this password, but it did not work.
I opened `zip.password` in VS Code and saw many invisible U+200E characters (the reason the password failed). I simply removed the invisible characters and tried again.
Cool! It worked!
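The same cleanup can be scripted so that the invisible characters are reported before they are removed. This is an added example, not part of the original write-up: the function names are my own and `SAMPLE` is a constructed password, not the one from the challenge.

```python
import unicodedata

# Constructed sample: a made-up password with U+200E (LEFT-TO-RIGHT MARK)
# scattered through it, followed by the newline a text file usually ends with.
SAMPLE = "\u200es3cr\u200e3t_\u200epass\u200e\n"


def find_invisible(text):
    """List (index, code point, Unicode name) for every format character.

    Category "Cf" covers U+200E and the other zero-width/directional marks
    that an editor renders as nothing.
    """
    hits = []
    for i, ch in enumerate(text):
        if unicodedata.category(ch) == "Cf":
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return hits


def clean_password(text):
    """Drop format characters and the trailing line ending, keep the rest."""
    visible = "".join(ch for ch in text if unicodedata.category(ch) != "Cf")
    return visible.rstrip("\r\n")


if __name__ == "__main__":
    for index, codepoint, name in find_invisible(SAMPLE):
        print(f"offset {index}: {codepoint} {name}")
    cleaned = clean_password(SAMPLE)
    # The byte lengths differ even though both strings look the same on screen.
    print(len(SAMPLE.encode("utf-8")), "->", len(cleaned.encode("utf-8")))
    print(repr(cleaned))
```

Listing the characters first matters here because a later stage of this challenge uses invisible characters as the payload itself, so they should not be stripped blindly.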
After unzipping, I got steg_3.zip and another zip.password. I opened it in VS Code and saw strange characters:

They look like whitespace characters. I spent a long time searching for tools and trying to decode them, but only succeeded when I found this tool on GitHub:
https://github.com/Shell-Company/poltergeist
I used it and recovered the password: `white_space_encoding_is_not_that_guessy_right_or_is_it?_09178093762985078932p587892305873298057129851987513987"`
After unzipping, I found the file `decrypt.py`, which may hide the flag. Its source code:
```
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.backends import default_backend
import base64
key = b"bkisctfisthebest"
iv = b"theremustbesmthg"
with open("encrypt.bin", "rb") as f:
    ciphertext = base64.urlsafe_b64decode(f.read())
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=default_backend())
decryptor = cipher.decryptor()
padded_plaintext = decryptor.update(ciphertext) + decryptor.finalize()
unpadder = padding.PKCS7(128).unpadder()
plaintext = unpadder.update(padded_plaintext) + unpadder.finalize()
print(plaintext)
```
The interesting question is where `encrypt.bin` is located.
I ran the command `dir /r` in cmd and got a useful result:

Secret data is hidden in the Python file itself, in an alternate data stream (which is what `dir /r` lists). I can read it with the command `notepad decrypt.py:secret`. Result:
The final step is simply to replace `encrypt.bin` with that data and get the flag:
> FLAG : BKISC{h0w_d1d_y0u_gue55_1t?}