
Flare-On 8 2021 Challenge 1 Solution - 01_credchecker

Hosted by FireEye's FLARE team from 10 September - 22 October

 ·  ☕ 2 min read  ·  🌚 drome

Thanks drome for sharing his knowledge and skills! He completed all 10 challenges and this series of writeups is done by him :)

| Details | Links |
| --- | --- |
| Official Challenge Site | https://flare-on.com/ |
| Official Challenge Announcement | https://www.fireeye.com/blog/threat-research/2021/08/announcing-the-eighth-annual-flare-on-challenge.html |
| Official Solutions | https://www.mandiant.com/resources/flare-on-8-challenge-solutions |
| Official Challenge Binaries | http://flare-on.com/files/Flare-On8_Challenges.zip |

01_credchecker

Welcome to Flare-On 8! This challenge serves as your tutorial mission for the epic quest you are about to embark upon. Reverse engineer the Javascript code to determine the correct username and password the web page is looking for and it will show you the flag. Enter that flag here to advance to the next stage. All flags will be in the format of valid email addresses and all end with “@flare-on.com”.

This challenge is a JavaScript challenge that comes with an admin.html file as well as some image files. Opening the admin.html file, we see the following screen:

[Screenshot: Administrator Verification Form webpage]

We open admin.html and find the following JS script in the source:

```javascript
var form = document.getElementById("credform");
var username = document.getElementById("usrname");
var password = document.getElementById("psw");
var info = document.getElementById("infolabel");
var checkbtn = document.getElementById("checkbtn");
var encoded_key = "P1xNFigYIh0BGAofD1o5RSlXeRU2JiQQSSgCRAJdOw=="

function dataEntered() {
    if (username.value.length > 0 && password.value.length > 0) {
        checkbtn.disabled = false;
    } else {
        checkbtn.disabled = true;
    }
}

function checkCreds() {
    if (username.value == "Admin" && atob(password.value) == "goldenticket") 
    {
        var key = atob(encoded_key);
        var flag = "";
        for (let i = 0; i < key.length; i++)
        {
            flag += String.fromCharCode(key.charCodeAt(i) ^ password.value.charCodeAt(i % password.value.length))
        }
        document.getElementById("banner").style.display = "none";
        document.getElementById("formdiv").style.display = "none";
        document.getElementById("message").style.display = "none";
        document.getElementById("final_flag").innerText = flag;
        document.getElementById("winner").style.display = "block";
    }
    else
    {
        document.getElementById("message").style.display = "block";
    }
}
```

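Note that atob converts from Base64 to ASCII and btoa does the reverse. The check compares atob(password.value) with goldenticket, so we need to enter the username Admin and, as the password, the Base64-encoded representation of goldenticket, which is Z29sZGVudGlja2V0. The script then uses the password exactly as typed (the Base64 string, not the decoded text) as a repeating XOR key over the Base64-decoded encoded_key to build the flag. We enter the credentials and it gives us the following message: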

Welcome to Flare-On 8 here is your first flag:
enter_the_funhouse@flare-on.com
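The same derivation can be reproduced offline in Node.js, without loading admin.html. This is an added example, not code from the challenge or the original writeup; the function names are hypothetical, and the last function assumes the key length (16) is known. It also shows that the flag format announced in the challenge text is enough to recover most of the XOR key, which is why a client-side check like this protects nothing.

```javascript
// Added example (not from admin.html): offline re-implementation of checkCreds().
const ENCODED_KEY = "P1xNFigYIh0BGAofD1o5RSlXeRU2JiQQSSgCRAJdOw=="; // from the page
const EXPECTED_DECODED = "goldenticket";                             // from the page

// Repeating-key XOR, mirroring the loop in checkCreds().
function xorRepeat(data, key) {
  const out = Buffer.alloc(data.length);
  for (let i = 0; i < data.length; i++) out[i] = data[i] ^ key[i % key.length];
  return out;
}

// The page compares atob(password) with the constant, so the accepted
// password is the Base64 encoding of that constant (what btoa would return).
function derivePassword() {
  return Buffer.from(EXPECTED_DECODED, "latin1").toString("base64");
}

// The XOR key is the password as typed (the Base64 text), not "goldenticket".
function deriveFlag(password) {
  const blob = Buffer.from(ENCODED_KEY, "base64");
  return xorRepeat(blob, Buffer.from(password, "latin1")).toString("latin1");
}

// Known-plaintext view: every flag ends with a published suffix, so XORing
// that suffix against the tail of the blob exposes the key bytes used there.
// keyLen is an assumption of this example; unknown positions are shown as '?'.
function keyFromKnownSuffix(suffix, keyLen) {
  const blob = Buffer.from(ENCODED_KEY, "base64");
  const key = Array(keyLen).fill("?");
  const start = blob.length - suffix.length;
  for (let i = 0; i < suffix.length; i++) {
    const pos = start + i;
    key[pos % keyLen] = String.fromCharCode(blob[pos] ^ suffix.charCodeAt(i));
  }
  return key.join("");
}

const pw = derivePassword();
console.log("password:", pw);
console.log("flag:    ", deriveFlag(pw));
console.log("key from suffix alone:", keyFromKnownSuffix("@flare-on.com", 16));
```
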

Flag

enter_the_funhouse@flare-on.com