I Spy...

A detailed write-up of the Web challenge 'I Spy...' from LaCTF - 2025

/images/LaCTF-2025/I-Spy/challenge_presentation.png
Challenge Presentation

Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| Event | LaCTF - 2025 | Event Link |
| Category | Web | |
| Points | 500 | Out of 500 total |
| Difficulty | Easy | Personal Rating: 0/10 |
| Author | burturt | Profile |
| Solves | 609 | solve rate |
| Date | 09-02-2025 | LaCTF - 2025 |
| Solved By | mH4ck3r0n3 | Team: QnQSec |

Challenge Information

I spy with my little eye… A website!
i-spy.chall.lac.tf

Challenge Files & Infrastructure

Provided Files

Files: None

Initial Analysis

First Steps

Initially, the website appears as follows:

/images/LaCTF-2025/I-Spy/site_presentation.png
Site Presentation

By entering the first token (B218B51749AB9E4C669E4B33122C8AE3) into the input box and clicking the Get next stage! button, a hint is displayed to us:

/images/LaCTF-2025/I-Spy/first_hint.png
First Hint

From this point, I realized that the goal is to continue finding tokens on the page and submitting them to eventually obtain the flag. I noticed in the page’s JavaScript code an endpoint /api/suggestion (which I used in the automated exploit) where the token can be directly sent. Let’s move on to the exploitation phase.

Solution Path

Exploitation Steps

Initial setup

Since this is a somewhat simple challenge, I won't document every step I took, but I'll go straight to the hints and how I found the tokens.

Exploitation

For the second token, it was quite simple: I inspected the source of the page and found it in an HTML comment:

<!-- Token: 66E7AEBA46293C88D484CDAB0E479268 -->

For the third token, the hint was: A token in the JavaScript console.... So, the first thing I did was open the console, but I didn't find anything, of course. Then, I inspected the page and discovered a JavaScript file named /thingy.js:

/images/LaCTF-2025/I-Spy/thing.png
Thingy Source

Here, as we can see, there is some obfuscated JavaScript code. So, I used deobfuscate.io to deobfuscate it:

/images/LaCTF-2025/I-Spy/deobfuscation.png
Deobfuscation

This revealed the new token (5D1F98BCEE51588F6A7500C4DAEF8AD6). The next hint is: A token in the stylesheet....

Inspecting the page source, I found /styles.css, where the new token (29D3065EFED4A6F82F2116DA1784C265) was located. The next hint is: A token in javascript code....

As we saw in the previous image, Thingy Source, there was another token in a comment (9D34859CA6FC9BB8A57DB4F444CDAE83). After submitting it, I received the new hint: A token in a header.... I immediately thought it might be in the request header, so I extracted it using ChromeDevTools:

/images/LaCTF-2025/I-Spy/header_token.png
Header Token

The token was BF1E1EAA5C8FDA6D9D0395B6EA075309, and submitting it gave the new hint: A token in a cookie....

As we can see from the Deobfuscation image, the deobfuscated JS also contained another token that was set in the cookies, so I took it directly from there without opening ChromeDevTools: 647E67B4A8F4AA28FAB602151F1707F2. The new hint was: A token where the robots are forbidden from visiting....

I immediately thought it might be in the /robots.txt file, and indeed, by visiting the page, I found another route, /a-magical-token.txt, which contained the token 3FB4C9545A6189DE5DE446D60F82B3AF. After submitting it, I received the new hint: A token where Google is told what pages to visit and index....

Google's crawler (or rather Google's spider) uses the /sitemap.xml file, so by visiting the page, I found the new token F1C20B637F1B78A1858A3E62B66C3799. The next hint was: A token received when making a DELETE request to this page.... I used https://reqbin.com/ to make a DELETE request to the page:

/images/LaCTF-2025/I-Spy/DELETE.png
DELETE Request

This returned the new token 32BFBAEB91EFF980842D9FA19477A42E and the new hint: A token in a TXT record at i-spy.chall.lac.tf.... TXT records are associated with DNS (Domain Name System), so I used the dnsrecon tool to extract the TXT record for i-spy.chall.lac.tf:

dnsrecon -d i-spy.chall.lac.tf

/images/LaCTF-2025/I-Spy/dnsrecon.png
Dnsrecon Output

It could also be extracted using dig. Once I obtained the last token 7227E8A26FC305B891065FE0A1D4B7D4, by submitting it, I was able to capture the flag.

Flag capture

/images/LaCTF-2025/I-Spy/manual_flag.png
Manual Flag

Exploitation Process

Approach

The exploit collects all the tokens and sends them to the /api/suggestion endpoint, extracting the flag and printing it.
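
The collection step can be sketched offline as follows. This is an added example, not the author's exploit: it sweeps constructed copies of the resources named in the write-up for 32-character hex tokens, following asset links and robots.txt Disallow paths. The header name, cookie name and file layouts are assumptions, and the DELETE and DNS TXT tokens and the /api/suggestion submission are left out because their formats are not shown on the page.

```python
import re

TOKEN_RE = re.compile(r"\b[0-9A-F]{32}\b")
LINK_RE = re.compile(r'(?:src|href)="(/[^"]+)"')

# Constructed offline responses: (headers, body). Token values are those quoted
# in the write-up; the header name, cookie name and file layouts are assumptions.
SITE = {
    "/": ({"X-Token": "BF1E1EAA5C8FDA6D9D0395B6EA075309"},
          '<!-- Token: 66E7AEBA46293C88D484CDAB0E479268 -->'
          '<link rel="stylesheet" href="/styles.css"><script src="/thingy.js"></script>'),
    "/styles.css": ({}, "/* 29D3065EFED4A6F82F2116DA1784C265 */ body{margin:0}"),
    "/thingy.js": ({}, 'console.log("5D1F98BCEE51588F6A7500C4DAEF8AD6");\n'
                       "// 9D34859CA6FC9BB8A57DB4F444CDAE83\n"
                       'document.cookie = "a-token=647E67B4A8F4AA28FAB602151F1707F2";'),
    "/robots.txt": ({}, "User-agent: *\nDisallow: /a-magical-token.txt\n"),
    "/a-magical-token.txt": ({}, "3FB4C9545A6189DE5DE446D60F82B3AF\n"),
    "/sitemap.xml": ({}, "<urlset><url><loc>F1C20B637F1B78A1858A3E62B66C3799</loc></url></urlset>"),
}

def robots_paths(body):
    """Return the non-empty paths named by Disallow: lines in a robots.txt body."""
    rules = (line.split(":", 1) for line in body.splitlines() if ":" in line)
    return [v.strip() for k, v in rules if k.strip().lower() == "disallow" and v.strip()]

def sweep(fetch, seeds=("/", "/robots.txt", "/sitemap.xml")):
    """Crawl from seeds; fetch(path) gives (headers, body) or None. Returns {token: where}."""
    queue, seen, found = list(seeds), set(), {}
    while queue:
        path = queue.pop(0)
        if path in seen or (resp := fetch(path)) is None:
            continue
        seen.add(path)
        headers, body = resp
        for name, value in headers.items():
            for tok in TOKEN_RE.findall(value):
                found.setdefault(tok, f"{path} [header {name}]")
        for tok in TOKEN_RE.findall(body):
            found.setdefault(tok, f"{path} [body]")
        queue += LINK_RE.findall(body)          # linked scripts and stylesheets
        if path == "/robots.txt":
            queue += robots_paths(body)         # paths the site asks crawlers to skip
    return found

if __name__ == "__main__":
    for token, where in sweep(SITE.get).items():
        print(token, where)
```

The same sweep, pointed at a site you operate, shows which comments, static assets, headers and crawler files expose values that were meant to stay private.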

Flag Capture

Flag

Proof of Execution

/images/LaCTF-2025/I-Spy/automated_flag.png
Automated Flag
Screenshot of successful exploitation

Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |
| Js Deobfuscator | Deobfuscation |
| Dnsrecon | Dns TXT Record Extraction |
| Reqbin | DELETE Request |

Key Learnings

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:02 | From start to flag |
| Global Ranking | 48/913 | Challenge ranking |
| Points Earned | 500 | Team contribution |

Created: 09-02-2025 • Last Modified: 09-02-2025
Author: mH4ck3r0n3 • Team: QnQSec