
CTFs | HeroCTF_2024 | Reverse | AutoInfector

AutoInfector

[image: the challenge website with its download button]

When we get to this website we have a button to download a file. If we look at the JS that handles the button's click action, we get the following code:

[image: the obfuscated JavaScript behind the button]

Here is a clearer version of the code:

[image: the deobfuscated JavaScript]

We can use deobfuscator websites like JS Deobfuscator to get a better view of the code.

The interesting part starts with the onclick section. Let's break this down line by line:

  1. First it gets an element from the web page (the title)
  2. Then it hashes it with MD5 (hash1)
  3. After that, it opens an input box so you can provide the password
  4. If the provided string isn't empty, it hashes it with MD5 (hash2)
  5. Then it XORs hash1 with hash2
  6. If the result is equal to 11dfc83092be6f72c7e9e000e1de2960 (hash3), it displays the flag

So basically we have: hash3 = hash1 XOR hash2

We know hash3 and hash1. The only thing we don't know is hash2, because it depends on what we input. Since XOR is its own inverse, XORing the two known hashes gives us the unknown one: hash2 = hash1 XOR hash3. So we can do the following:

[image: XORing hash1 with hash3 to recover hash2]

Now that we have the hash we can crack it using hashcat:

[image: hashcat output showing the cracked hash]

The full hashcat command is just: hashcat -m 0 known_hash ~/rockyou.txt (mode 0 is raw MD5).
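The XOR recovery step and the dictionary cracking step above, reproduced in Python as an added example (this is not the challenge's JavaScript or hashcat itself). It assumes the page's check XORs the two 16-byte MD5 digests byte by byte and compares the hex result; the title, password and wordlist used here are constructed, since the writeup does not reveal them, and the page's hash3 constant is only quoted in a comment.

```python
import hashlib
from typing import Iterable, Optional

# Constant from the writeup (hash3). Not used in the demo below because the
# real page title is not given, so it cannot be reproduced offline.
PAGE_HASH3 = "11dfc83092be6f72c7e9e000e1de2960"


def md5_hex(s: str) -> str:
    """MD5 of the UTF-8 bytes of s as a 32-character hex string."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def xor_hex(a: str, b: str) -> str:
    """XOR two equal-length hex strings byte by byte and return the hex result."""
    if len(a) != len(b):
        raise ValueError("hex strings must have the same length")
    return bytes(x ^ y for x, y in zip(bytes.fromhex(a), bytes.fromhex(b))).hex()


def check_password(title: str, password: str, expected_hex: str) -> bool:
    """The check described in the writeup: md5(title) XOR md5(password) == hash3.
    An empty password is rejected before hashing, as the onclick handler does."""
    if not password:
        return False
    return xor_hex(md5_hex(title), md5_hex(password)) == expected_hex


def recover_password_hash(title: str, expected_hex: str) -> str:
    """hash2 = hash1 XOR hash3: the unknown MD5 recovered from the two known values."""
    return xor_hex(md5_hex(title), expected_hex)


def crack_md5(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Wordlist lookup equivalent to 'hashcat -m 0' on a tiny list:
    return the first candidate whose MD5 equals target_hex, or None."""
    for word in candidates:
        if md5_hex(word) == target_hex:
            return word
    return None


# Constructed demo values (the real title and password are not in the writeup).
DEMO_TITLE = "AutoInfector demo title"
DEMO_PASSWORD = "example-password"
# hash3 for the constructed pair, built exactly the way the check compares it.
DEMO_HASH3 = xor_hex(md5_hex(DEMO_TITLE), md5_hex(DEMO_PASSWORD))
# Constructed stand-in for rockyou.txt.
DEMO_WORDLIST = ["123456", "password", "letmein", DEMO_PASSWORD, "qwerty"]


if __name__ == "__main__":
    h2 = recover_password_hash(DEMO_TITLE, DEMO_HASH3)
    print("recovered md5(password):", h2)
    print("equals md5(DEMO_PASSWORD):", h2 == md5_hex(DEMO_PASSWORD))
    cracked = crack_md5(h2, DEMO_WORDLIST)
    print("cracked password:", cracked)
    print("check accepts it:", check_password(DEMO_TITLE, cracked or "", DEMO_HASH3))
```

Running the script recovers md5(DEMO_PASSWORD) from DEMO_TITLE and DEMO_HASH3 without ever hashing the password, then finds it in the constructed wordlist; the same two steps, with the real title and hash3, are what the XOR and hashcat screenshots show.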

And now we can use this as the password to get the flag. And... voilà:

[image: the flag displayed after entering the password]

This post is licensed under CC BY 4.0 by the author.