RTCP - No Sleep

Posted on sam. 25 janvier 2020 in CTF

solves : 138

Point : 765

Jess doesn't get enough sleep, since he's such a gamer so in this challenge, you'll be staying up with him until 4:00 in the morning :D on a Monday! Let's go, gamers!

The webpage show a JS countdown until when the flag will be show. But, we can't wait that long to get the flag!

nosleep.png

We have two way to do it. The both can be done without leaving the browser.

JS

If you read the JS code inside the page, you can see that the date is setup with the two first value on the tab.

var _0x1d8e=['gamerfuel=Jan\x2027,\x208020\x2004:20:00','Jan\x2027,\x208020\x2004:20:00','getTime','exec','floor','getElementById','gamer\x20timer','AES','decrypt','U2FsdGVkX18kRm6FDkRVQfVuNPTxyOnJzpu8QnI/9UKoCXp6hQcley11nBnLIItj','ok\x20boomer','innerHTML','Utf8','cookie'];(function(_0x29eed8,_0x4bb4aa){var _0x47e29c=function(_0x2d3fd2){while(--_0x2d3fd2){_0x29eed8['push'](_0x29eed8['shift']());}};_0x47e29c(++_0x4bb4aa);}(_0x1d8e,0x99));var _0x2ad1=function(_0x545e19,_0x47cdd3){_0x545e19=_0x545e19-0x0;var _0x4275c2=_0x1d8e[_0x545e19];return _0x4275c2;};document[_0x2ad1('0x0')]=_0x2ad1('0x1');var countDownDate=new Date(_0x2ad1('0x2'))[_0x2ad1('0x3')]();var x=setInterval(function(){var _0x27a8c6=new Date(/[^=]*$/[_0x2ad1('0x4')](document[_0x2ad1('0x0')])[0x0])[_0x2ad1('0x3')]();var _0x5b92f1=new Date()['getTime']();var _0x3a5a33=_0x27a8c6-_0x5b92f1;var _0x4214a2=Math[_0x2ad1('0x5')](_0x3a5a33/(0x3e8*0x3c*0x3c*0x18));var _0x48c0d9=Math[_0x2ad1('0x5')](_0x3a5a33%(0x3e8*0x3c*0x3c*0x18)/(0x3e8*0x3c*0x3c));var _0x2de271=Math[_0x2ad1('0x5')](_0x3a5a33%(0x3e8*0x3c*0x3c)/(0x3e8*0x3c));var _0x240ffb=Math['floor'](_0x3a5a33%(0x3e8*0x3c)/0x3e8);document[_0x2ad1('0x6')](_0x2ad1('0x7'))['innerHTML']=_0x4214a2+'d\x20'+_0x48c0d9+'h\x20'+_0x2de271+'m\x20'+_0x240ffb+'s\x20';if(_0x3a5a33<0x0){clearInterval(x);var _0x1018af=CryptoJS[_0x2ad1('0x8')][_0x2ad1('0x9')](_0x2ad1('0xa'),_0x2ad1('0xb'));document[_0x2ad1('0x6')](_0x2ad1('0x7'))[_0x2ad1('0xc')]=_0x1018af['toString'](CryptoJS['enc'][_0x2ad1('0xd')]);}},0x3e8);

We can edit them to a past day and copy/past all the new code to the web console.

gamerfuel='Jan\x2027,\x202017\x2004:20:00','Jan\x2027,\x2082017\x2004:20:00'

Cookie

The date setup with the JS code is stocked on a cookie. As we did for the JS exploit, we can edit the cookie to a new past day.

Jan 27, 2017 04:20:00

The result is the same. The flag appears:

Jess will let you be a real gamer in:
rtcp{w0w_d1d_u_st4y_up?}

hack learn ctf rtcp rice tea cat panda web js reverse cookie