capture the flag, hacking, web application security

PicoCTF 2017 – What Is Web

Another day, another challenge.

In today’s blog post we are solving the challenge, “What Is Web” from the PicoCTF challenge.

Let’s start!

Clicking on the challenge we see:

PicoCTF_What_Is_Web_7

OK, so we need to find out how to use HTML.

Looking at the hints we see:
PicoCTF_What_Is_Web_2

Clicking on the website we see:

PicoCTF_What_Is_Web_3Doing a right click, view source we see:

PicoCTF_What_Is_Web_4

At the bottom of the screen in the green letters (which are comments that are not displayed in the browser) show that we have the first part of the flag.

Now we need to find the second and third part of the flag.

Looking back at the page source we see two different files that are referenced: hacker.css and script.js

Let’s look at hacker.css first and see what’s there.

Going to that file we see the second part of the flag at the top of the browser:

PicoCTF_What_Is_Web_5

Now let’s look at the script.js file and see if we can find the final part of the flag…

Going to the script.js file we see:

PicoCTF_What_Is_Web_6

We now have the three parts of the flag!

Combining the parts together and submitting the flag, we’ve acquired 20 points!

capture the flag, hacking, web application security

InfoSec Institute CTF Challenge #10

Another day, another challenge…

Today’s challenge will be on Challenge #10 from the InfoSec Institute CTF program.

Going to the following link we’re provided with the following page.

infosec_10_intro

Doing a right click view page source we see the following:

infosec_10_pagesource

There’s a listen button. If we click on that button we’re presented with a flag.nav file. Maybe the flag is in there? Let’s see.

Opening the file we noticed that the file is one second, and we can’t hear the audio.

Going back to the original page and doing a right click save link as… allows us to save the audio.

 

There’s a GREAT application called Audacity that can be used to change the pitch and speed of an audio file.

Going here you will be presented with the Audacity webpage.

Downloading Audacity and opening the flag.wav file we see the following:

infosec_10_flag_audacity

Playing the file it’s still inaudible.

Like I wrote above, with Audacity you can change the speed of sound of the audio without changing the pitch.

Going to the toolbar and selecting effects there’s a “changing speed” option. Clicking this option we can specify different speeds. After playing with the different speeds (.75x, .50x) and making it .22x and playing the audio again we can hear the flag.

The flag is:

infosecflag_is_sound.

We found the flag!

Lessons learned:

Our trick of doing the right click view source helped a little bit. When doing this we noticed that there is a file we needed to download. After downloading the file and playing the audio it was inaudible. Going to Google we downloaded an application that aided us to in interpreting the audio. After adjusting the speed we were able to get the flag.