EasyCTF_2018: NoSource, Jr.

Category: Web

Points: 80

Description:

I don't like it when people try to view source on my page. Especially when I put all this effort to put my flag verbatim into the source code, but then people just look at the source to find the flag! How annoying. This time, when I write my wonderful website, I'll have to hide my beautiful flag to prevent you CTFers from stealing it, dagnabbit. We'll see what you're able to find...

Write-up

We are given a link to the site with 3 key ingredients. Firstly, the key,

window.encryptionKey = 'nosource';

Then, the flag,

var flag = 'Fg4GCRoHCQ4TFh0IBxENAE4qEgwHMBsfDiwJRQImHV8GQAwBDEYvV11BCA==';

Lastly, the function,

function process(a, b) {
    'use strict';
    var len = Math.max(a.length, b.length);
    var out = [];
    for (var i = 0, ca, cb; i < len; i++) {
      ca = a.charCodeAt(i % a.length);
      cb = b.charCodeAt(i % b.length);
      out.push(ca ^ cb);
    }
    return String.fromCharCode.apply(null, out);
}

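However, the key on the page is not the real key! Since the flag must start with easyctf, XORing that known plaintext with the decoded ciphertext reveals the key bytes. Let's get the key in Python instead,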

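import base64

# Known-plaintext attack: ciphertext XOR known plaintext = key bytes
flag = base64.b64decode("Fg4GCRoHCQ4TFh0IBxENAE4qEgwHMBsfDiwJRQImHV8GQAwBDEYvV11BCA==")
plaintext = "easyctf"  # known flag prefix
for a, b in zip(flag, plaintext):
    # flag is bytes in Python 3, so a is already an int
    print(chr(a ^ ord(b)))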

We get this weird output,

s
o
u
p
y
s

Could it be soupy? Let's try it in our JS console again,

> process(atob(flag), encryptionKey)
"easyctf{congrats!_but_now_f0r_n0s0urc3_...}"

Therefore, the flag is easyctf{congrats!_but_now_f0r_n0s0urc3_...}.
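
The known-plaintext step above, generalized as an added example (not part of the original write-up): it recovers the keystream from the flag prefix, finds the key length automatically, and decrypts the whole string, which is why XOR obfuscation in client-side source gives no confidentiality. The function names are my own; the ciphertext and the `easyctf{` prefix are taken from the page.

```python
import base64

# Ciphertext string quoted from the page source above.
FLAG_B64 = "Fg4GCRoHCQ4TFh0IBxENAE4qEgwHMBsfDiwJRQImHV8GQAwBDEYvV11BCA=="
# Known plaintext: the flag format visible in the decrypted output above.
KNOWN_PREFIX = b"easyctf{"


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; matches process() whenever data is longer than key."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))


def shortest_period(stream: bytes) -> int:
    """Smallest n such that stream is consistent with an n-byte repeating key."""
    for n in range(1, len(stream)):
        if all(stream[i] == stream[i - n] for i in range(n, len(stream))):
            return n
    return len(stream)  # no repetition seen: key is at least this long


def recover(ct_b64: str, known: bytes):
    """Return (key, plaintext) using a known plaintext prefix."""
    ct = base64.b64decode(ct_b64)
    if len(known) > len(ct):
        raise ValueError("known plaintext is longer than the ciphertext")
    # ciphertext XOR plaintext = keystream, for as many bytes as we know.
    stream = bytes(c ^ p for c, p in zip(ct, known))
    key = stream[:shortest_period(stream)]
    return key, xor_repeat(ct, key)


if __name__ == "__main__":
    key, plaintext = recover(FLAG_B64, KNOWN_PREFIX)
    print("key:", key.decode())
    print("plaintext is printable ASCII:",
          plaintext.isascii() and plaintext.decode().isprintable())
```

If the known prefix is shorter than the key, the recovered key is truncated and the tail of the output is garbage, which is the signal to supply more known plaintext.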