
0ops Website Flag

Aug 7, 2019 | 3 minutes read

Tags: ctf, writeup

While searching for new CTFs I came upon a small challenge hosted by the 0ops team from Shanghai Jiao Tong University. In this writeup I show all the steps I took to solve it.

The Challenge

The challenge is hosted on the team’s website, where I was immediately dropped into a nice-looking emulated Linux shell. Typing help at the command prompt, I was gracefully saluted by a dead cow (a joke on the 0xdeadbeef number :-)). The cow told me that there were more commands to be found besides the standard cd, ls and cat that one expects in any Linux box.

[Screenshot: 0xdeadbeef]

Cracking the Code

By playing around with the different commands I found some files (welcome message, contact info, etc.), folders (actually links to other sites) and even a hidden .flag file which teased me into trying other commands like cheat, hint and whoami. Surprisingly, the rm command is also implemented and allows one to delete the files shown by ls.

OK, having gotten a feel for the shell, I quickly looked through the page’s source code to see which secrets it hid. The main page indeed contained an iframe for the shell widget, which in turn loaded a cli.html file. Its contents were quite simple and the only thing that caught my attention was the suspicious-looking 0ops_cli_all.js file being loaded:

<div id="content">
        <script type="text/javascript" src="0ops_cli_all.js"></script> 
</div>

Most likely, I said to myself, this JavaScript code implements the additional commands our cute dead cow told me about. I downloaded the file using wget and uploaded it to https://beautifier.io to make it more readable. It turned out to be about 1000 lines long and, as I quickly scanned it for clues, I noticed a jQuery $(document).ready() function (more about it here) calling some obfuscated code:

if (konamiCount == 3) {
        a($("#screen"))
} else {
        window["\x65\x76\x61\x6c"](Terminal["\x72\x75\x6e\x43\x6f\x6d\x6d\x61\x6e\x64"](unescape("%63%75\x72%6c%20%66%6c\x61%67%5f\u0069%73%5f%6e\x6f%74\u005f\u0068%65%72%65")))
}

I didn’t know what konamiCount did, but the hex bytes and the escaped string were probably trying to hide some important function calls. I then fired up Chrome’s JavaScript console to see what was being hidden from my prying eyes:

[Screenshot: Obfuscated JavaScript]
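The same unmasking can be done statically, without evaluating anything. The following Python script is an added example (not part of the original post or of the 0ops site): it resolves the two layers of escaping in the snippet quoted above, first the \x and \u escapes that the JavaScript parser applies to string literals, then the %XX escapes that the legacy unescape() builtin applies at runtime, and rewrites the obfuscated member accesses into readable form. The input snippet is the one from the page; the helper names are my own.

```python
import re

# Layer 1: escapes resolved by the JavaScript *parser* inside a string literal
# (\xNN, \uNNNN and the usual single-character escapes).
_JS_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})|\\(.)')


def decode_js_literal(body: str) -> str:
    """Resolve backslash escapes of a JS string literal body (quotes already stripped)."""
    simple = {'n': '\n', 't': '\t', 'r': '\r', '0': '\0', '\\': '\\', '"': '"', "'": "'"}

    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return simple.get(m.group(3), m.group(3))

    return _JS_ESCAPE.sub(repl, body)


# Layer 2: what the legacy unescape() builtin does at *runtime*: %XX and %uXXXX.
_PCT_ESCAPE = re.compile(r'%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})')


def js_unescape(s: str) -> str:
    return _PCT_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def reveal_call(snippet: str) -> str:
    """Rewrite obfuscated obj["\\x.."] accesses and unescape("...") calls in a JS
    snippet into plain form, so its intent is readable without executing it."""

    # obj["\x65\x76\x61\x6c"] -> obj.eval  (only when the decoded name is an identifier)
    def member(m):
        name = decode_js_literal(m.group(2))
        return f'{m.group(1)}.{name}' if name.isidentifier() else m.group(0)

    out = re.sub(r'(\w+)\["((?:[^"\\]|\\.)*)"\]', member, snippet)

    # unescape("...") -> "<decoded text>"  (parser escapes first, then %XX)
    def unesc(m):
        return '"' + js_unescape(decode_js_literal(m.group(1))) + '"'

    return re.sub(r'unescape\("((?:[^"\\]|\\.)*)"\)', unesc, out)


# The obfuscated call exactly as it appears in 0ops_cli_all.js (quoted in the writeup).
OBFUSCATED = (r'window["\x65\x76\x61\x6c"](Terminal["\x72\x75\x6e\x43\x6f\x6d\x6d\x61\x6e\x64"]'
              r'(unescape("%63%75\x72%6c%20%66%6c\x61%67%5f\u0069%73%5f%6e\x6f%74\u005f\u0068%65%72%65")))')

if __name__ == "__main__":
    print(reveal_call(OBFUSCATED))
```

Decoding in a script rather than pasting the expression into the browser console has the advantage that nothing in the sample is executed, which matters once the code under analysis is not a CTF toy but something pulled from a suspicious page.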

Browsing the source code, it became clear to me that the runCommand function executed the shell commands typed by the user. So this obfuscated JavaScript was actually calling the curl command with the parameter flag_is_not_here whenever konamiCount was not equal to 3. Unfortunately I had no clue how to control the counter. On the other hand, I could just run the command myself and see what it does:

[Screenshot: Curl Command]

Bingo! I got what looked like a base64 payload. Using the Python console it was easy to test this hypothesis:

>>> import base64
>>> payload = 'emxpYi5kZWNvbXByZXNzKCd4nLPTpgrQsyFdi50uBtDDpg63ndiMwAVwGoPFYEzNNrp6dpjOwVQIVU6WC3CZBtcPAIrcScYnKQ=='
>>> base64.b64decode(payload)
b"zlib.decompress('x\x9c\xb3\xd3\xa6\n\xd0\xb3!]\x8b\x9d.\x06\xd0\xc3\xa6\x0e\xb7\x9d\xd8\x8c\xc0\x05p\x1a\x83\xc5`L\xcd6\xbazv\x98\xce\xc1T\x08UN\x96\x0bp\x99\x06\xd7\x0f\x00\x8a\xdcI\xc6')"
>>> import zlib
>>> zlib.decompress(b'x\x9c\xb3\xd3\xa6\n\xd0\xb3!]\x8b\x9d.\x06\xd0\xc3\xa6\x0e\xb7\x9d\xd8\x8c\xc0\x05p\x1a\x83\xc5`L\xcd6\xbazv\x98\xce\xc1T\x08UN\x96\x0bp\x99\x06\xd7\x0f\x00\x8a\xdcI\xc6')
b'>++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.<+++++++++++++++++++++++++++++++++++++++++++++++++.>------------------.+++++++++++++++++++.++++++++++++++++++++++++.<.>------------------------------------------.++++++++++++++++++++++++++++++++++++++++++.-----------------.<-.>++++++.+++++++++++.-----------------------.---------------------.+++++++++++++++++++++++++++++++.-------------------------------.'

F**k! So after all of this digging I got just a pretty long stream of strange characters… Well, in case you didn’t realize it yet, this stream of characters is actually Brainfuck code :-) Using the excellent https://copy.sh/brainfuck interpreter I pretty soon got the hidden flag: F14G_15_N0T_H3R3
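Rather than pasting the decoded text into the Python console (which, had it been hostile, would amount to evaluating attacker-chosen code), the whole chain can be followed in a script that treats every layer as data. The following is an added example, not code from the writeup: it base64-decodes the payload quoted above, pulls the compressed bytes out of the zlib.decompress('…') wrapper with a regular expression instead of evaluating it, inflates them, and runs the resulting program through a small general Brainfuck interpreter (loops included, although this particular program has none). The PAYLOAD constant is the base64 string from the curl output above; the function names and the interpreter are my own.

```python
import base64
import re
import zlib

# The base64 string returned by the shell's curl command (copied from the writeup).
PAYLOAD = ('emxpYi5kZWNvbXByZXNzKCd4nLPTpgrQsyFdi50uBtDDpg63ndiMwAVwGoPFYEzNNrp6dpjOwVQIVU6WC3CZBtcPAIrcScYnKQ==')

# Matches the Python-source wrapper around the compressed bytes, so we never eval() it.
_WRAPPER = re.compile(rb"^zlib\.decompress\('(.*)'\)$", re.DOTALL)


def extract_zlib_blob(decoded: bytes) -> bytes:
    """Return the raw bytes inside zlib.decompress('...') without executing it."""
    m = _WRAPPER.match(decoded)
    if m is None:
        raise ValueError("payload is not of the form zlib.decompress('...')")
    return m.group(1)


def run_brainfuck(code: str, tape_size: int = 30000) -> str:
    """Minimal Brainfuck interpreter: 8-bit wrapping cells, no input stream (',' reads 0)."""
    jumps, stack = {}, []
    for i, c in enumerate(code):          # pre-compute matching bracket positions
        if c == '[':
            stack.append(i)
        elif c == ']':
            if not stack:
                raise ValueError(f"unmatched ']' at {i}")
            j = stack.pop()
            jumps[i], jumps[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at {stack[-1]}")

    tape, ptr, pc, out = bytearray(tape_size), 0, 0, []
    while pc < len(code):
        c = code[pc]
        if c == '>':
            ptr += 1
        elif c == '<':
            ptr -= 1
        elif c == '+':
            tape[ptr] = (tape[ptr] + 1) & 0xFF
        elif c == '-':
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif c == '.':
            out.append(chr(tape[ptr]))
        elif c == ',':
            tape[ptr] = 0                 # EOF on stdin
        elif c == '[' and tape[ptr] == 0:
            pc = jumps[pc]                # skip the loop body
        elif c == ']' and tape[ptr] != 0:
            pc = jumps[pc]                # jump back to the loop start
        if not 0 <= ptr < tape_size:
            raise IndexError("tape pointer out of range")
        pc += 1
    return ''.join(out)


def recover_flag(payload_b64: str) -> str:
    """base64 -> zlib.decompress('...') wrapper -> inflate -> Brainfuck -> flag text."""
    decoded = base64.b64decode(payload_b64)
    blob = extract_zlib_blob(decoded)
    program = zlib.decompress(blob).decode('ascii')
    return run_brainfuck(program)


if __name__ == "__main__":
    print(recover_flag(PAYLOAD))
```

The regular expression is the one deliberate shortcut: it assumes the wrapper is exactly a single-quoted bytes literal, which is true of this payload but would need a real tokenizer for anything more elaborate.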

“Well done!” I patted myself on the back. Thanks to the 0ops team for the funny and rewarding challenge. Now I’m looking forward to more of their creations.
