banner
肥皂的小屋

肥皂的小屋

github
steam
bilibili
douban
tg_channel

tinyctf-2014-NaNNaNNaNNaN-Batman-writeup

title: "tinyctf-2014-NaNNaNNaNNaN-Batman-writeup"
categories: [ "CTF" ]
tags: [ "CTF","CTF writeup" ]
draft: false
slug: "11"
date: "2019-01-06 22:37:00"


  • Why write a writeup for a 2014 question: because I was doing a certain CTF training platform question

First, the question provided an attachment called web100.zip, which, when extracted, was a web100 file.

When opened with Notepad, it looked like this:

image

Most of it is understandable, but there are some boxes. I noticed the words "script" and "function", so I guessed it was PHP code and dragged it into the browser to take a look:

image

There was an input box, and at the end, there was an eval function being executed:

image

Let's change it to display an alert and drag it in again:

image

Oh, the garbled text is gone, and we obtained the PHP source code:

function $(){var e=document.getElementById("c").value;if(e.length==16)if(e.match(/^be0f23/)!=null)if(e.match(/233ac/)!=null)if(e.match(/e98aa$/)!=null)if(e.match(/c7be9/)!=null){var t=["fl","s_a","i","e}"];var n=["a","_h0l","n"];var r=["g{","e","_0"];var i=["it'","_","n"];var s=[t,n,r,i];for(var o=0;o<13;++o){document.write(s[o%4][0]);s[o%4].splice(0,1)}}}document.write('<input id="c"><button onclick=$()>Ok</button>');delete _

Let's format the code using a tool:

image

function $(){
	var e=document.getElementById("c").value;
	if(e.length==16)if(e.match(/^be0f23/)!=null)if(e.match(/233ac/)!=null)if(e.match(/e98aa$/)!=null)if(e.match(/c7be9/)!=null){
		var t=["fl","s_a","i","e}"];
		var n=["a","_h0l","n"];
		var r=["g{","e","_0"];
		var i=["it'","_","n"];
		var s=[t,n,r,i];
		for (var o=0;o<13;++o){
			document.write(s[o%4][0]);
			s[o%4].splice(0,1)
		}
	}
}
document.write('<input id="c"><button onclick=$()>Ok</button>');
delete _

The code is quite simple. It uses a regular expression to check if the input string starts with be0f23, ends with e98aa, and contains the strings 233ac and c7be9. If these conditions are met, the function below will be executed. So, we construct the string be0f233ac7be98aa and enter it into the input box:

image

image

We obtained the flag: flag{it's_a_h0le_in_0ne}

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.