NCS Competition 2021 Writeup
  • HHousen National Cyber Scholarship Competition 2021 Writeup
  • Forensics
    • FE02 - 100pts
    • FE03 - 100pts
    • FH01 - 500pts
    • FE04 - 100pts
    • FM01 - 250pts
    • FM02 - 250pts
    • FM03 - 250pts
    • FE01 - 100pts
  • Crypto
    • CM01 - 250pts
    • CM02 - 250pts
    • CX01 - 1000pts
    • CH01 - 500pts
    • CH02 - 500pts
  • Binary
    • BM01 - 250pts
    • BM02 - 250pts
    • BM03 - 250pts
    • BX01 - 1000pts
    • BX02 - 100pts
    • BE01 - 100pts
    • BE02 - 100pts
    • BH01 - 500pts
  • Networking
    • NM01 - 250pts
    • NE01 - 100pts
  • Web
    • WX01 - 1000pts
    • WE01 - 100pts
    • WE02 - 100pts
    • WH01 - 500pts
    • WH02 - 500pts
    • WM01 - 250pts
    • WM02 - 250pts
    • WM03 - 250pts
    • WM04 - 250pts
    • WM05 - 250pts
  • Challenge Name
Powered by GitBook
On this page
  • Briefing
  • Solution
  • Flag

Was this helpful?

Edit on Git
  1. Web

WM02 - 250pts

PreviousWM01 - 250ptsNextWM03 - 250pts

Last updated 4 years ago

Was this helpful?

Briefing

View the page at and try to get the flag.

Solution

  1. Looking at the source code we see an h1 tag with data attributes: <h1 id="user" data-user-name="henrywhite" data-user-id="152874" data-user-ref="c897cd08c105c0eff5ca296f56eaa4ab">Hello henrywhite!</h1>

  2. Changing the data-user-name to admin changes the text to User data error.

  3. Looking at /site.js we see that checkUser() is called every second using setInterval at the bottom of the file. The following if statement contains the logic we can take advantage of: if (get("user").dataset['userRef'] === hash(get("user").dataset['userName'] + "_" + get("user").dataset['userId']).split("").reverse().join("")) {. We can change the data-user-name to admin and then run hash(document.getElementById("user").dataset['userName'] + "_" + document.getElementById("user").dataset['userId']).split("").reverse().join("") to get the data-user-ref to be 1dc3b8bdbf88d16df8a767eacb86f14c. However, pasting this in causes the site to say Invalid user.

  4. The solution is to also change data-user-id so it equals "0". The final HTML should look this this: <h1 id="user" data-user-id="0" data-user-name="admin" data-user-ref="31f7934415f3d31c64359bd51d378177">Hello admin!</h1> You can get the data-user-ref after changing data-user-id="0" data-user-name="admin" and then running hash(document.getElementById("user").dataset['userName'] + "_" + document.getElementById("user").dataset['userId']).split("").reverse().join("").

  5. Replacing the HTML as discussed above prints the flag.

Flag

epoch_wizard

https://cfta-wm02.allyourbases.co