PicoCTF-2021 Writeup
Search…
⌃K

Ancient History

Problem

I must have been sleep hacking or something, I don't remember visiting all of these sites... http://mercury.picoctf.net:45211/ (try a couple different browsers if it's not working right)

Solution

  1. 1.
    Visiting the website just shows "Hello World!", but viewing the source shows a lot of obfuscated JavaScript.
  2. 2.
    The browser history shows that the JavaScript performs some redirects where the URL parameter is a single character of the flag.
  3. 3.
    The issue is that visits to a page with the same character as the parameter are collapsed on the history page of modern browsers. So, let's try deobfuscating the code using JSNice.
  4. 4.
    Interestingly, the actual changes to the history (window.history.pushState) are made in the clear. Therefore, the obscuration is a meaningless distraction.
  5. 5.
    Let's search the page HTML using a regular expression urlpath:.\/index\.html\?. and then combine the last character of all matches using a Python script.

Flag

picoCTF{th4ts_k1nd4_n34t_0b0a1adf}
Reverse Engineering - Previous
Transformation
Next - Web Exploitation
Bithug
Last modified 6mo ago