들어가보면 아래와 같이 자바스크립트 내에 암호화된 함수가 존재한다.
source
<!DOCTYPE html>
<html>
<head>
<title>Auth3ntication</title>
<script type="text/javascript" src="http://code.jquery.com/jquery-1.11.1.js"></script>
</head>
<body>
<h4>Auth3ntication
</h4>
<hr />
<form action="#" method="post">
<label>Username</label>
<input class="form-control" type="text" name="username" id="cuser" placeholder="Username" />
<label>Password</label>
<input type="password" class="form-control" name="password" id="cpass" placeholder="Password" />
<input type="submit" style="margin-top: 12px;" value="Login" class="form-control btn btn-success c_submit" />
</form>
<script type="text/javascript">
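// Login handler. The form never reaches a server (action="#" and
// preventDefault below): the whole check runs in the browser, so every
// decision it makes is visible to whoever loads the page.
$(".c_submit").click(function(event) {
    event.preventDefault();
    var u = $("#cpass").val();
    var k = $("#cuser").val();
    // Obfuscated script body; it is XOR-ed with the username before being run.
    var func = "\x0d\x13\x45\x17\x48\x09\x5e\x4b\x17\x3c\x1a\x1f\x2b\x1b\x7a\x0c\x1f\x66\x0b\x1a\x3e\x51\x0b\x41\x11\x58\x17\x4d\x55\x16\x42\x01\x52\x4b\x0f\x5a\x07\x00\x00\x07\x06\x40\x4d\x07\x5a\x07\x14\x19\x0b\x07\x5a\x4d\x03\x47\x01\x13\x43\x0b\x06\x50\x06\x13\x7a\x02\x5d\x4f\x5d\x18\x09\x41\x42\x15\x59\x48\x4d\x4f\x59\x1d\x43\x10\x15\x00\x1a\x0e\x17\x05\x51\x0d\x1f\x1b\x08\x1a\x0e\x03\x1c\x5d\x0c\x05\x15\x59\x55\x09\x0d\x0b\x41\x0e\x0e\x5b\x10\x5b\x01\x0d\x0b\x55\x17\x02\x5a\x0a\x5b\x05\x10\x0d\x52\x43\x40\x15\x46\x4a\x1d\x5f\x4a\x14\x48\x4b\x40\x5f\x55\x10\x42\x15\x14\x06\x07\x46\x01\x55\x16\x42\x48\x10\x4b\x49\x16\x07\x07\x08\x11\x18\x5b\x0d\x18\x50\x46\x5c\x43\x0a\x1c\x59\x0f\x43\x17\x58\x11\x04\x14\x48\x57\x0f\x0a\x46\x17\x48\x4a\x07\x1a\x46\x0c\x19\x12\x5a\x22\x1f\x0d\x06\x53\x43\x1b\x54\x17\x06\x1a\x0d\x1a\x50\x43\x18\x5a\x16\x07\x14\x4c\x4a\x1d\x1e";
    // Declared locally: the original left buf, i, j and c as implicit globals.
    var buf = "";
    var i, j, c;
    if (k.length == 9) {
        // Repeating-key XOR: key byte j is reused every 9 characters, so each
        // key position can be attacked independently of the others.
        for (i = 0, j = 0; i < func.length; i++) {
            c = func.charCodeAt(i) ^ k.charCodeAt(j);
            if (++j == k.length) {
                j = 0;
            }
            // Turns the numeric value into a "\xHH" literal and evaluates it back
            // into a one-character string.
            buf += eval('"' + a(x(c)) + '"');
        }
        // NOTE(security): eval() executes whatever the XOR produced. The
        // decrypted text is code that depends only on client-side input, so
        // this is not an authentication boundary in any meaningful sense.
        eval(buf);
    } else {
        $("#cresponse").html("<div class='alert alert-danger'>Invalid creds...</div>");
    }
});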
// Wrap hex digits in a JavaScript "\xHH" escape sequence. A string that is
// not exactly two characters long gets a "0" prepended before the prefix.
function a(h) {
    var digits = (h.length === 2) ? h : "\x30" + h;
    return "\x5c\x78" + digits;
}
// Render a number as upper-case hex; negative values are first mapped to
// their unsigned 32-bit equivalent.
function x(d) {
    var value = d;
    if (value < 0) {
        value = 0xFFFFFFFF + value + 1;
    }
    return value.toString(16).toUpperCase();
}
</script>
</div>
<div id="cresponse">
</div>
<hr />
</body>
</html>
코드를 보면 9자리의 username을 입력받아서 암호화된 함수와 xor를 한 뒤 이 값을 eval을 통해 실행한다.
brute forcing을 해야 되는데, 최대한 경우의 수를 줄이기 위해서 username은 소문자 알파벳과 숫자로만 한정지었고, xor를 통해 복호화된 값이 자바스크립트 코드이기 때문에 코드에 거의 사용되지 않을 문자들이 포함된 경우는 제외해서 username list를 구하도록 했다.
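# Ciphertext: the obfuscated script body taken from the challenge page.
a = "\x0d\x13\x45\x17\x48\x09\x5e\x4b\x17\x3c\x1a\x1f\x2b\x1b\x7a\x0c\x1f\x66\x0b\x1a\x3e\x51\x0b\x41\x11\x58\x17\x4d\x55\x16\x42\x01\x52\x4b\x0f\x5a\x07\x00\x00\x07\x06\x40\x4d\x07\x5a\x07\x14\x19\x0b\x07\x5a\x4d\x03\x47\x01\x13\x43\x0b\x06\x50\x06\x13\x7a\x02\x5d\x4f\x5d\x18\x09\x41\x42\x15\x59\x48\x4d\x4f\x59\x1d\x43\x10\x15\x00\x1a\x0e\x17\x05\x51\x0d\x1f\x1b\x08\x1a\x0e\x03\x1c\x5d\x0c\x05\x15\x59\x55\x09\x0d\x0b\x41\x0e\x0e\x5b\x10\x5b\x01\x0d\x0b\x55\x17\x02\x5a\x0a\x5b\x05\x10\x0d\x52\x43\x40\x15\x46\x4a\x1d\x5f\x4a\x14\x48\x4b\x40\x5f\x55\x10\x42\x15\x14\x06\x07\x46\x01\x55\x16\x42\x48\x10\x4b\x49\x16\x07\x07\x08\x11\x18\x5b\x0d\x18\x50\x46\x5c\x43\x0a\x1c\x59\x0f\x43\x17\x58\x11\x04\x14\x48\x57\x0f\x0a\x46\x17\x48\x4a\x07\x1a\x46\x0c\x19\x12\x5a\x22\x1f\x0d\x06\x53\x43\x1b\x54\x17\x06\x1a\x0d\x1a\x50\x43\x18\x5a\x16\x07\x14\x4c\x4a\x1d\x1e"

# Key bytes are restricted to digits and lowercase letters. The original
# filter used `j > 58` as its cut-off, which let ':' (58) through into the
# candidate lists; the explicit ranges below close that off-by-one.
ALLOWED_KEY_BYTES = tuple(range(ord("0"), ord("9") + 1)) + tuple(range(ord("a"), ord("z") + 1))

# Characters that are unlikely to appear in the decrypted JavaScript; a key
# byte that produces any of them is discarded.
UNLIKELY_JS_CHARS = "@`[]|&*%"


def is_plausible_js_char(ch):
    """Return True if `ch` could plausibly appear in the decrypted script.

    Accepts printable ASCII (32..126) plus tab, LF and CR, and rejects the
    punctuation in UNLIKELY_JS_CHARS.
    """
    code = ord(ch)
    if code < 32 and code not in (9, 0xA, 0xD):
        return False
    if code > 126:
        return False
    return ch not in UNLIKELY_JS_CHARS


def candidate_key_bytes(cipher, position, key_len, alphabet=ALLOWED_KEY_BYTES):
    """Return the key bytes that are consistent with one stripe of the ciphertext.

    Args:
        cipher: ciphertext as a str of byte-sized characters.
        position: key index (0-based) whose stripe is examined.
        key_len: period of the repeating key.
        alphabet: integer key-byte values to try.

    Returns:
        A list of key-byte values (ints) for which every character of
        ``cipher[position::key_len]`` XOR-decrypts to a plausible JS
        character. An empty stripe accepts every value in `alphabet`.
    """
    stripe = cipher[position::key_len]
    return [kb for kb in alphabet
            if all(is_plausible_js_char(chr(ord(c) ^ kb)) for c in stripe)]


if __name__ == "__main__":
    # Same output format as before: one `list_N = [...]` line per key position.
    for w in range(1, 10):
        cands = candidate_key_bytes(a, w - 1, 9)
        print("list_{0} = [{1}]".format(w, ",".join(str(c) for c in cands)))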
result
list_1 = [100,101,102,110]
list_2 = [97,99,100,105,106,114,117]
list_3 = [52,109,115]
list_4 = [97,98,115]
list_5 = [56,104,112,118]
list_6 = [52]
list_7 = [48,51,53,54,57,58,99,106,117,118]
list_8 = [48,107,116,119]
list_9 = [53,54]
위 코드로 구한 list를 이용해 brute forcing을 진행하면 되는데, 이때 결과 값에 존재할 만한 문자열(var, func, flag, #cresponse 등)이 포함된 경우 출력하도록 이것저것 해보니 정상적으로 복호화된 코드가 나왔다.
decrypt_func.py
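import itertools

# Ciphertext: the obfuscated script body taken from the challenge page.
a = "\x0d\x13\x45\x17\x48\x09\x5e\x4b\x17\x3c\x1a\x1f\x2b\x1b\x7a\x0c\x1f\x66\x0b\x1a\x3e\x51\x0b\x41\x11\x58\x17\x4d\x55\x16\x42\x01\x52\x4b\x0f\x5a\x07\x00\x00\x07\x06\x40\x4d\x07\x5a\x07\x14\x19\x0b\x07\x5a\x4d\x03\x47\x01\x13\x43\x0b\x06\x50\x06\x13\x7a\x02\x5d\x4f\x5d\x18\x09\x41\x42\x15\x59\x48\x4d\x4f\x59\x1d\x43\x10\x15\x00\x1a\x0e\x17\x05\x51\x0d\x1f\x1b\x08\x1a\x0e\x03\x1c\x5d\x0c\x05\x15\x59\x55\x09\x0d\x0b\x41\x0e\x0e\x5b\x10\x5b\x01\x0d\x0b\x55\x17\x02\x5a\x0a\x5b\x05\x10\x0d\x52\x43\x40\x15\x46\x4a\x1d\x5f\x4a\x14\x48\x4b\x40\x5f\x55\x10\x42\x15\x14\x06\x07\x46\x01\x55\x16\x42\x48\x10\x4b\x49\x16\x07\x07\x08\x11\x18\x5b\x0d\x18\x50\x46\x5c\x43\x0a\x1c\x59\x0f\x43\x17\x58\x11\x04\x14\x48\x57\x0f\x0a\x46\x17\x48\x4a\x07\x1a\x46\x0c\x19\x12\x5a\x22\x1f\x0d\x06\x53\x43\x1b\x54\x17\x06\x1a\x0d\x1a\x50\x43\x18\x5a\x16\x07\x14\x4c\x4a\x1d\x1e"

# Per-position key-byte candidates produced by the first script.
list_1 = [100,101,102,110]
list_2 = [97,99,100,105,106,114,117]
list_3 = [52,109,115]
list_4 = [97,98,115]
list_5 = [56,104,112,118]
list_6 = [52]
list_7 = [48,51,53,54,57,58,99,106,117,118]
list_8 = [48,107,116,119]
list_9 = [53,54]


def xor_decrypt(cipher, key_bytes):
    """XOR `cipher` with a repeating key.

    Args:
        cipher: ciphertext as a str of byte-sized characters.
        key_bytes: sequence of ints; byte ``k`` is applied at every position
            congruent to ``k`` modulo ``len(key_bytes)``.

    Returns:
        The decrypted text as a str.
    """
    klen = len(key_bytes)
    return "".join(chr(ord(ch) ^ key_bytes[j % klen]) for j, ch in enumerate(cipher))


def find_usernames(cipher, candidate_lists, marker="#cresponse"):
    """Yield every key (as a str) whose decryption contains `marker`.

    Replaces the nine hand-written nested loops with itertools.product over
    the per-position candidate lists; the search space is unchanged.

    Args:
        cipher: ciphertext as a str.
        candidate_lists: one list of candidate key-byte ints per key position.
        marker: substring expected in the plaintext; matched case-insensitively.

    Yields:
        ``(username, plaintext)`` tuples for each matching key.
    """
    marker = marker.lower()
    for key_bytes in itertools.product(*candidate_lists):
        plain = xor_decrypt(cipher, key_bytes)
        if marker in plain.lower():
            yield "".join(chr(b) for b in key_bytes), plain


if __name__ == "__main__":
    candidates = [list_1, list_2, list_3, list_4, list_5, list_6, list_7, list_8, list_9]
    for username, plain in find_usernames(a, candidates):
        print("Find Username = " + username)
        print(plain)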
Result
Find Username = dumbh4ck5 if(u == "XorIsNotSooS3cur3") { if(document.location.href.indexOf("?p=") == -1) { document.location = document.location.href + "?p=" + u; } } else { $("#cresponse").html("<div class='error'>Wrong password sorry.")}
password로 XorIsNotSooS3cur3를 넣어주니 플래그가 나왔다.