Client-side-again

Challenge Overview

This website asks us for the password. Since no request is made when we click verify, we'll assume that some JS is doing the check on the client side.

Analyzing it we saw a very long code in line 10. I used https://beautifier.io/ to see it clearly, then realized it's clearly obfuscated. My go-to option in cases like this one is https://thanhle.io.vn/de4js/, which gets us the deobfuscated JS code:

function verify() {
    checkpass = document.getElementById('pass').value;
    split = 0x4;
    if (checkpass.substring(0x0, split * 0x2) == 'picoCTF{') {
        if (checkpass.substring(0x7, 0x9) == '{n') {
            if (checkpass.substring(split * 0x2, split * 0x2 * 0x2) == 'not_this') {
                if (checkpass.substring(0x3, 0x6) == 'oCT') {
                    if (checkpass.substring(split * 0x3 * 0x2, split * 0x4 * 0x2) == 'daf93}') {
                        if (checkpass.substring(0x6, 0xb) == 'F{not') {
                            if (checkpass.substring(split * 0x2 * 0x2, split * 0x3 * 0x2) == '_again_4') {
                                if (checkpass.substring(0xc, 0x10) == 'this') {
                                    alert('Password Verified');
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

The logic is simple, and it isn't a good security measure for validating the password: every substring the password must match is readable in the client-side code.

Exploitation Python Script

I converted 0xb to 11, 0xc to 12 (hex -> string)
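
The script itself is not reproduced on this page. The following is an added example, not the author's code: it merges the substring checks from verify() above into the single string they accept and then replays the checks against it. The names CHECKS, rebuild and passes are made up for this example.

```python
# Added example: (start, end, expected) for each substring() check in verify(),
# with split = 0x4 folded in and hex offsets written as decimal.
CHECKS = [
    (0, 8, "picoCTF{"), (7, 9, "{n"), (8, 16, "not_this"), (3, 6, "oCT"),
    (24, 32, "daf93}"), (6, 11, "F{not"), (16, 24, "_again_4"), (12, 16, "this"),
]


def rebuild(checks):
    """Merge overlapping substring constraints into the one string they accept."""
    chars = {}     # position -> required character
    end_at = None  # string length, if some check pins it down
    for start, end, expected in checks:
        if len(expected) > end - start:
            raise ValueError(f"{expected!r} cannot fit in [{start}, {end})")
        if len(expected) < end - start:
            # substring() clamps to the string length, so a literal shorter
            # than its window only matches if the string ends right after it.
            stop = start + len(expected)
            if end_at not in (None, stop):
                raise ValueError("checks disagree on the string length")
            end_at = stop
        for pos, ch in enumerate(expected, start):
            if chars.setdefault(pos, ch) != ch:
                raise ValueError(f"conflict at index {pos}")
    length = end_at if end_at is not None else max(chars) + 1
    if max(chars) >= length:
        raise ValueError("a check needs characters past the end of the string")
    missing = [i for i in range(length) if i not in chars]
    if missing:
        raise ValueError(f"indexes {missing} are not constrained by any check")
    return "".join(chars[i] for i in range(length))


def passes(candidate, checks):
    """Replay the checks; slicing clamps the end index like substring() does."""
    return all(candidate[s:e] == exp for s, e, exp in checks)


if __name__ == "__main__":
    password = rebuild(CHECKS)
    print(password, passes(password, CHECKS))
```

The last check compares a 6-character literal against an 8-character window, which is what fixes the password length at 30.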

made by k0d
