The first thing I did was explore the source page, and I found a script called main.js:
Js Source
As we can see, this is where the flag generation code resides, and it appears to be encrypted using an XOR with the character 0x62. As we know, XOR is reversible, so let’s jump straight into the exploitation.
🔬 Vulnerability Analysis
Potential Vulnerabilities
(KPA) Known Plaintext Attack
🎯 Solution Path
Exploitation Steps
Exploitation
The exploitation is quite straightforward: you simply apply the XOR operation (^0x62) again to the encrypted value to retrieve the original value. So, I wrote a couple of lines in JavaScript and executed them directly in the console, successfully obtaining the flag:
1
2
3
4
5
6
7
letenc=["\u000e","\u0003","\u0001","\u0016","\u0004","\u0019","\u0015","V","\u0011","=","\u000b","U","=","\u000e","\u0017","\u0001","\u0009","=","R","\u0010","=","\u0011","\u0009","\u000b","SS","\u001f"];// Step 1: XOR each character's charCode with 0x62
letdecoded=enc.map(char=>String.fromCharCode(char.charCodeAt(0)^0x62));// Step 2: Join the decoded characters
letflag=decoded.join('');console.log(flag);
Flag capture
Manual Flag
🛠️ Exploitation Process
Approach
The automated exploit performs the same action as the JavaScript code but in Python. It also handles the case where the character might be Unicode or not:
