VolgaCTF 2022 Qualifier

Writeup for the VolgaCTF 2022 Qualifier

Updated:

Web

2FA

198 points 67 solves

We’ve got credentials admin:admins, but due to the 2FA can’t advance any further.
No need to brute force credentials and 2FA phrase.
http://2fa.q.2022.volgactf.ru/login

When logged in with the provided credentials admin:admins, it is required to input a phrase to complete the 2FA and login.

The page source reviewed the register page at /register.

<form method="POST">
  <div class="form-group">
    <label for="username">Username</label>
    <input type="text" class="form-control" id="username" name="username" required>
  </div>
  <div class="form-group">
    <label for="password">Password</label>
    <input type="password" class="form-control" id="password" name="password" required>
  </div>
  <div class="text-center">
    <button type="submit" class="btn btn-primary">Authenticate User</button>
  </div>
</form>
<!-- <a href="/register">register account</a> -->

During the registration of a new account, two choices were given for the 2FA mechanism, TOTP that uses Google Authenticator and Secret phrase that sets a user input phrase.

For the choice Secret phrase, it is linked to the page at /login/set_phrase with an input box and submit button.

Back at the session logged in with the provided credentials admin:admins, the page /login/set_phrase was accessed to set the phrase as admin.

volgactf-2022-2fa-1.jpg

After setting the phrase, it redirects it back to the 2FA authentication page. The phrase admin was used to authenticate the admin account.

volgactf-2022-2fa-2.jpg

The authentication succeeded and the flag was shown on the page.

volgactf-2022-2fa-3.jpg

Flag: VolgaCTF{2F4_N07_41W4Y5_53CUr3_3855}


Misc

Find the flag

100 points 139 solves

There’s a flag somewhere, can you find it?
http://flag-title.q.2022.volgactf.ru:3000/

The title of the webpage changes every second to display a single character of some kind of quote or paragraph, with flag-title.1.2022.volgactf.ru being the white space. The flag was also included in the rotation in between a phrase.

volgactf-2022-flag.gif

Instead of waiting for the title to rotate and jot down each character, the page source was examined and revealed the file index-f6df80d9480f611f.js.

<head>
  <meta name="viewport" content="width=device-width"/>
  <meta charSet="utf-8"/>
  <title>â</title><meta name="next-head-count" content="3"/>
  <link rel="preload" href="/_next/static/css/27d177a30947857b.css" as="style"/>
  <link rel="stylesheet" href="/_next/static/css/27d177a30947857b.css" data-n-g=""/>
  <noscript data-n-css=""></noscript>
  <script defer="" nomodule="" src="/_next/static/chunks/polyfills-5cd94c89d3acac5f.js"></script>
  <script src="/_next/static/chunks/webpack-cb7634a8b6194820.js" defer=""></script>
  <script src="/_next/static/chunks/framework-0e90cbf53d3785fb.js" defer=""></script>
  <script src="/_next/static/chunks/main-a054bbf31fb90f6a.js" defer=""></script>
  <script src="/_next/static/chunks/pages/_app-ca6aae25bc99a05f.js" defer=""></script>
  <script src="/_next/static/chunks/pages/index-f6df80d9480f611f.js" defer=""></script>
  <script src="/_next/static/YesiqEVJlIH4Pyo5ulDu-/_buildManifest.js" defer=""></script>
  <script src="/_next/static/YesiqEVJlIH4Pyo5ulDu-/_ssgManifest.js" defer=""></script>
  <script src="/_next/static/YesiqEVJlIH4Pyo5ulDu-/_middlewareManifest.js" defer=""></script>
</head>

The file revealed 14 encoded strings as variables to be decoded by the code.

var e = ((0, o.decode) ('4oCcV2lubmluZyBpZ25pdGVzIGEgc2VsZi1jb25zY2lvdXMgYXdhcmVuZXNzIHRoYXQgb3RoZXJzIGFyZSA=') + (0, o.decode) ('d2F0Y2hpbmcuIEl04oCZcyBhIGxvdCBlYXNpZXIgdG8gbW92ZSB1bmRlciB0aGUgcmFkYXIgd2hlbiBubyBvbmU=') + (0, o.decode) ('d2F0Y2hpbmcuIEl04oCZcyBhIGxvdCBlYXNpZXIgdG8gbW92ZSB1bmRlciB0aGUgcmFkYXIgd2hlbiBubyBvbmU=') + (0, o.decode) ('YmUgcm91Z2ggYW5kIGdldCBkaXJ0eSBiZWNhdXNlIG5vIG9uZSBldmVuIGtub3dzIHlvdeKAmXJlIHRoZXJlLiA=') + (0, o.decode) ('QnV0IGFzIHNvb24gYXMgeW91IHN0YXJ0IHRvIHdpbiwgYW5kIG90aGVycyBzdGFydCB0byBub3RpY2UsIHlvdeKAmXJl') + (0, o.decode) ('c3VkZGVubHkgYXdhcmUgdGhhdCB5b3XigJlyZSBiZWluZyBvYnNlcnZlZC4gWW914oCZcmUgYmVpbmcganVkZ2VkLiA=') + (0, o.decode) ('WW91IHdvcnJ5IHRoYXQgb3RoZXJzIHdpbGwgZGlzY292ZXIgeW91ciBmbGF3cyBhbmQgd2Vha25lc3Nlcyw=') + (0, o.decode) ('YW5kIHlvdSBzdGFydCBoaWRpbmcgeW91ciB0cnVlIHBlcnNvbmFsaXR5LCBzbyB5b3UgY2FuIGJlIGEgZ29vZCA=') + (0, o.decode) ('cm9sZSBtb2RlbCBhbmQgZ29vZCBjaXRpemVuIGFuZCBWb2xnYUNURntEWU40TTFDXzcxN0wz') + (0, o.decode) ('X1IzNEM3XzQ4MzF9IGEgbGVhZGVyIHRoYXQgb3RoZXJzIGNhbiByZXNwZWN0LiBUaGVyZSBpcyBub3RoaW5n') + (0, o.decode) ('d3Jvbmcgd2l0aCB0aGF0LiBCdXQgaWYgeW91IGRvIGl0IGF0IHRoZSBleHBlbnNlIG9mIGJlaW5nIHdobyB5b3Ug') + (0, o.decode) ('cmVhbGx5IGFyZSwgbWFraW5nIGRlY2lzaW9ucyB0aGF0IHBsZWFzZSBvdGhlcnMgaW5zdGVhZCBvZiBwbGVhc2luZw==') + (0, o.decode) ('eW91cnNlbGYsIHlvdeKAmXJlIG5vdCBnb2luZyB0byBiZSBpbiB0aGF0IHBvc2l0aW9uIHZlcnkgbG9uZy7igJ0=') + (0, o.decode) ('4oCVwqBUaW0gUy4gR3JvdmVyLMKgV2lubmluZzogVGhlIFVuZm9yZ2l2aW5nIFJhY2UgdG8gR3JlYXRuZXNz')).split(''),

The strings were decoded as Base64 using CyberChef and the flag was found within a quote by Tim S. Grover from Winning: The Unforgiving Race to Greatness.

// encoded strings
4oCcV2lubmluZyBpZ25pdGVzIGEgc2VsZi1jb25zY2lvdXMgYXdhcmVuZXNzIHRoYXQgb3RoZXJzIGFyZSA=
d2F0Y2hpbmcuIEl04oCZcyBhIGxvdCBlYXNpZXIgdG8gbW92ZSB1bmRlciB0aGUgcmFkYXIgd2hlbiBubyBvbmU=
d2F0Y2hpbmcuIEl04oCZcyBhIGxvdCBlYXNpZXIgdG8gbW92ZSB1bmRlciB0aGUgcmFkYXIgd2hlbiBubyBvbmU=
YmUgcm91Z2ggYW5kIGdldCBkaXJ0eSBiZWNhdXNlIG5vIG9uZSBldmVuIGtub3dzIHlvdeKAmXJlIHRoZXJlLiA=
QnV0IGFzIHNvb24gYXMgeW91IHN0YXJ0IHRvIHdpbiwgYW5kIG90aGVycyBzdGFydCB0byBub3RpY2UsIHlvdeKAmXJl
c3VkZGVubHkgYXdhcmUgdGhhdCB5b3XigJlyZSBiZWluZyBvYnNlcnZlZC4gWW914oCZcmUgYmVpbmcganVkZ2VkLiA=
WW91IHdvcnJ5IHRoYXQgb3RoZXJzIHdpbGwgZGlzY292ZXIgeW91ciBmbGF3cyBhbmQgd2Vha25lc3Nlcyw=
YW5kIHlvdSBzdGFydCBoaWRpbmcgeW91ciB0cnVlIHBlcnNvbmFsaXR5LCBzbyB5b3UgY2FuIGJlIGEgZ29vZCA=
cm9sZSBtb2RlbCBhbmQgZ29vZCBjaXRpemVuIGFuZCBWb2xnYUNURntEWU40TTFDXzcxN0wz
X1IzNEM3XzQ4MzF9IGEgbGVhZGVyIHRoYXQgb3RoZXJzIGNhbiByZXNwZWN0LiBUaGVyZSBpcyBub3RoaW5n
d3Jvbmcgd2l0aCB0aGF0LiBCdXQgaWYgeW91IGRvIGl0IGF0IHRoZSBleHBlbnNlIG9mIGJlaW5nIHdobyB5b3Ug
cmVhbGx5IGFyZSwgbWFraW5nIGRlY2lzaW9ucyB0aGF0IHBsZWFzZSBvdGhlcnMgaW5zdGVhZCBvZiBwbGVhc2luZw==
eW91cnNlbGYsIHlvdeKAmXJlIG5vdCBnb2luZyB0byBiZSBpbiB0aGF0IHBvc2l0aW9uIHZlcnkgbG9uZy7igJ0=
4oCVwqBUaW0gUy4gR3JvdmVyLMKgV2lubmluZzogVGhlIFVuZm9yZ2l2aW5nIFJhY2UgdG8gR3JlYXRuZXNz

// decoded strings
“Winning ignites a self-conscious awareness that others are
watching. It’s a lot easier to move under the radar when no one
watching. It’s a lot easier to move under the radar when no one
be rough and get dirty because no one even knows you’re there.
But as soon as you start to win, and others start to notice, you’re
suddenly aware that you’re being observed. You’re being judged.
You worry that others will discover your flaws and weaknesses,
and you start hiding your true personality, so you can be a good
role model and good citizen and VolgaCTF{DYN4M1C_717L3
_R34C7_4831} a leader that others can respect. There is nothing
wrong with that. But if you do it at the expense of being who you
really are, making decisions that please others instead of pleasing
yourself, you’re not going to be in that position very long.”
― Tim S. Grover, Winning: The Unforgiving Race to Greatness

Flag: VolgaCTF{DYN4M1C_717L3_R34C7_4831}


Comments