PwCTF WRITEUP [PART 1]

Hey everyone and welcome to my very first writeup! It only took me almost 3 years to finally get around to doing one. I’d really appreciate your feedback, as this will help me improve and learn.

This writeup is for the mini-CTF created by PwC Israel – https://prequal.pwctf.com. I’ll focus on the first part of the CTF, which is to successfully find the username and password to then access part 2. As for what I used to do the CTF: Windows laptop and Firefox browser.

Upon clicking on the site, you can see it consist of a Home page and an About page. With some mouse clicking, you can see that the Home page has disabled right clicking whereas the About page has not. This is the first clue that something must exist in the source code of the Home page.

Initial_Screen

You can then open up the Web Developer option and select Debugger (or Ctrl+Shift+S). The main file we are interested in is the login.php file. Start by scrolling through the code and scanning every line for any clues.

Source_Code

Once you’ve scanned the code, you can see that lines 13, 64, 1337 and 2048 contain information that serve as clues. I haven’t taken a screenshot of each of the lines but will list them below:

Line 13 states

<!-- Rotation -->

Line 64 states

<!-- Line: Base -->

Line 1337 states

<!-- So You Think You Got What It Takes To Own The CTF? 306230303131313130313... -->

Line 2048 states in its comment

<!-- I Think You Missed It :S. Bip, Bip, Bip, Reversing To Lise esaB... -->

The long number listed is (couldn’t fit it in the above code excerpt due to formatting):

306230303131313130313062303031313131303130623031303030313030306230313131303031313062303130313130303030623031303130313130306230313130313130303062303130313031313030623031303030313130306230313030313130313062303131313130313030623031303131303130306230313031313031303062303131313030303130623030313130303131306230313030313030313062303031313030303130623030313130303030306230313131313030303062303130303131303130623031313031313031306230313131313030313062303131303131303030623031303030313131306230313130313030303062303131303030313130623031313030303031306230313031303131303062303131313031303030623031313030303130306230313131303131313062303130313031313030623031313131303030306230313031303131313062303031313030313130623031313031313131306230303131303031313062303130303030303130623030313130303131306230313131303030303062303131313031303130623031303031313131306230313130303030313062303130313031313030623031313130313030306230313030313131303062303131313031313030623031303130303030306230313130303131303062303130313031313030623031313130313130306230313030313130313062303031313030303030623031303030303031306230303131303030303062303130303130303130623031303030313030306230313031303131313062303130313030303030623031303130313130306230303131303131303062303130313031313030623031303030313130306230313030313130313062303131303031313130623031303130303131306230313131313031303062303131303131313130623031313031313030306230313030313030313062303031313030313030623031313130303030306230303131303030313062303130313031313130623031303130303030306230313031303131303062303131313031303030623031313030303130306230313030313131303062303130313130303130623031313130313130306230313030313030303062303131303131303130623031303030303031306230313131303131313062303131313130303130623031303130303031306230313030303030313062303031313031303030623031303130313130306230313130313130313062303130313130313030623031313031303130306230313030313131303062303131303131303130623031303030303031306230313130313130303062303131313130303030623031313130313131306230313030313130313062303131313130303130623031303030313031306230313031303030313062303130313130313030623031313130313031306230313131313030313062303130303031313130623031303031313030306230313131313031303062303130303030303130623031313130313131306230313030313130303062303131303131303130623031303031313030306230313030313031303062303130303131303030623031313031303131306230313030313130303062303130303130313030623031303131303130306230313130313031313062303130303031303030623030313130303130306230313030313130303062303131313130313030623031313130313031306230313131303131313062303130313031313030623031313130313030306230313130303031303062303131313031313130623031303130313130306230313130303130313062303031313031303130623031303031303130306230313131303030313062303131303031303030623031303130313131306230313031303030303062303130313031313030623031313130313030306230313130303031303062303131303130313030623031313130303130

[For all the conversions, there are many sites available on the internet or you can write your own program.]

After looking at this for a while and several discussions, you can see that this is indeed Hex. So the next step to perform would be to convert this from Hex to Text. This results in the following:

0b001111010b001111010b010001000b011100110b010110000b010101100b011011000b010101100b010001100b010011010b011110100b010110100b010110100b011100010b001100110b010010010b001100010b001100000b011110000b010011010b011011010b011110010b011011000b010001110b011010000b011000110b011000010b010101100b011101000b011000100b011101110b010101100b011110000b010101110b001100110b011011110b001100110b010000010b001100110b011100000b011101010b010011110b011000010b010101100b011101000b010011100b011101100b010100000b011001100b010101100b011101100b010011010b001100000b010000010b001100000b010010010b010001000b010101110b010100000b010101100b001101100b010101100b010001100b010011010b011001110b010100110b011110100b011011110b011011000b010010010b001100100b011100000b001100010b010101110b010100000b010101100b011101000b011000100b010011100b010110010b011101100b010010000b011011010b010000010b011101110b011110010b010100010b010000010b001101000b010101100b011011010b010110100b011010100b010011100b011011010b010000010b011011000b011110000b011101110b010011010b011110010b010001010b010100010b010110100b011101010b011110010b010001110b010011000b011110100b010000010b011101110b010011000b011011010b010011000b010010100b010011000b011010110b010011000b010010100b010110100b011010110b010001000b001100100b010011000b011110100b011101010b011101110b010101100b011101000b011000100b011101110b010101100b011001010b001101010b010010100b011100010b011001000b010101110b010100000b010101100b011101000b011000100b011010100b01110010

which is Binary.

In order to get a clean binary list, you can strip the 0b. I used Python, as it is my preferred language, to do it.
Python

That gives you the list with just and 1.

You can then take the Binary value and convert it to Text which results in the following:

==DsXVlVFMzZZq3I10xMmylGhcaVtbwVxW3o3A3puOaVtNvPfVvM0A0IDWPV6VFMgSzolI2p1WPVtbNYvHmAwyQA4VmZjNmAlxwMyEQZuyGLzAwLmLJLkLJZkD2LzuwVtbwVe5JqdWPVtbjr

Now, remember that comment on line 13? Does the word Rotation on Line 13 ring any bell? Ding ding ding! It means Rot13, the cipher. You can then take your recently convert Bin2Text and do a Rot13 conversion, which results in:

==QfKIyISZmMMd3V10kZzlyTupnIgojIkJ3b3N3chBnIgAiCsIiZ0N0VQJCI6ISZtFmbyV2c1JCIgoALiUzNjlDN4IzMwAzNykjZlRDMhlTYmNjYzYWYxYWMxQ2YmhjIgojIr5WdqJCIgowe

After that, the second last comment left with a hint is line 2048. We can see that it tells us to reverse to line 64 but has Base written backwards esaB. This indicates that you will need to reverse your most recent conversion, which will result in:

ewogICJqdW5rIjogIjhmY2QxMWYxYWYzYjNmYTlhMDRlZjkyNzAwMzI4NDljNzUiLAogICJ1c2VybmFtZSI6ICJQV0N0ZiIsCiAgInBhc3N3b3JkIjogInpuTylzZk01V3dMMmZSIyIKfQ==

This then looks very much like an encoding mechanism, Base64. This is the last comment with a hint that you have not used. You now know that you must Base64 decode this to receive your login details:

{
"junk": "8fcd11f1af3b3fa9a04ef9270032849c75",
"username": "PWCtf",
"password": "znO)sfM5WwL2fR#"
}

Take your username and your password (which are specific to your sessionid, so no two login details will be the same), and login.

There you have it! You’ve made it through the first part!

I hope this writeup was valuable for you. If so, please feel free to leave feedback on this or click here and reach out to me otherwise.

Thank you and happy hacking!

Leave a Reply