Monday, 30 September 2013

Facebook CTF - ACCESS LEVEL 1 WriteUP

Facebook CTF 2013 - NcN 2013

There where only 3 access levels - web, android apk, and Linux executable. All where reverse engineering only.

Access Level - 1


Whatever input 'key' is given you get a alert saying 'Invalid password!'.

Tools -> browser with JavaScript console. I used Google Chrome :p

Analysing the source code we get -
<form action="login.php" method="POST" onsubmit="return encrypt(this);">

So onsubmit a "encrypt" function is called. So using the browser JavaScript console lets take a look at the script running behind.

 function encrypt(form)
 {
var res;
res=numerical_value(form.password.value);
res=res*(3+1+3+3+7);
res=res>>>6;
res=res/4;
res=res^4153;
if(res!=0)
{
alert('Invalid password!');
}
else
{
alert('Correct password :)');
}
form.key.value=numerical_value(form.password.value);
form.verification.value="yes"+simpleHash(form.password.value);
 return true;
 }

That's it. our work is simple - just to make the condition inside IF as FALSE. That can be achieved by making the var res = 0. So the reverse engineering work starts NOW.

Time to analyse the code and start reversing it.
- Before if we have XOR. so res should be equal to 4153 to make res=0
- res * 4 [ 4153*4 = 16612]
- >>> right shift so we have 16612 = X>>>6.
  16612 - 100000011100100
  we have no idea about the lost rightmost 6 bits. Taking it to 0's lets proceed.
  100000011100100+000000 -  1063168 But it can vary with +0 to +63.
- 1063168/(3+1+3+3+7) = 62539.2941176 ~ 62540.
-  now a weird function numerical_value

 function numerical_value(str)
 {
var i,a=0,b;
for(i=0;i<str.length;++i)
{
b=ascii_one(str.charAt(i));
a+=b*(i+1);
}
 return a;
 }

observe one more function ascii_one

function ascii_one(foo)
{
foo=foo.charAt(0);
var i;
for(i=0;i<256;++i)
{
var hex_i=i.toString(16);
if(hex_i.length==1)
hex_i="0"+hex_i;
hex_i="%"+hex_i;
hex_i=unescape(hex_i);
if(hex_i==foo)
break
}

But here no need to analyse. Just manual brute force of the var str; to get a appx value of 62540. I got 62545.
var str="zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea";

start with random number of a's then modify here and there with the logic of starting strings have less weight-age and ending char's have the most!

so for me this is the key - "zzaaaaaaaaaaaaaaaaaaaaaaddaaaaaspea". It will vary from person to person.

After submiting the key -

Congrats! you passed the level! Here is the key: 23f8d1cea8d60c5816700892284809a94bd00fe7347645b96a99559749c7b7b8

*** Note this was easy because without knowing much of JavaScript i could solve it.
-> And a rough screenshot of manual brute force. So you can get a rough idea -
Please download OR open the image for clear view :D :D

-> Any one solved it in a much simpler way please comment your way for solving problem.
-> Suggestions/Comments are most welcomed !!! :)


Thanks for reading through

Happy hacking! Happy coding!!

2 comments:

  1. I found the key with the other logic way, without ariphmetical counting:
    1st - length of the key are proportional length of Bit of the number 4153
    So we found a length of key - key filled by character "a"
    A sampler is: b1000000111001
    Result is: b1001010100101
    2nd - In numerical_value result of function ansii_one increase by i+1, so when a Bit meet later in the key string, then closer it will be to the first bit of the number. Lower than hexcode of "a" is a hexcode of numbers and symbols. So I have fill from left a string by the numbers while the second Bit will not placed under second bit of sampler.
    "55555555555555555555aaaaaaaaaaaaaaaaaa"
    b1000000111111.01

    With this simple brute, the result of my way is
    "*0033444445555555555aaaaaaaaaaaaaaaaaa"
    b1000000111001

    ReplyDelete
  2. better change the template, its looks fuss

    ReplyDelete

What's up 1337 ?

Give your Suggestion/ Feedback / Doubts /Open up a discussion.

-y0g1337h
"<script> </script>"