noxCTF – References writeup

We start the challenge with this URI:

http://chal.noxale.com:5000/

Opening this page, we get a simple site, only containing the plaintext “where the **** did you come from?”.

Reading through the site's sources, we found a single script. That alone is interesting, since the page offers the user no other functionality:

    <script src="js/index.js"></script>

The script reads:

    $( document ).ready(function() {
        $.ajax({
            url: "check_from_google",
            data: NaN,
            success: function(result) {
                $("#status").html("hello old friend! " + atob(result))
            },
            dataType: NaN
        }).fail(function() {
            $("#status").html("where the **** did you come from?")
        });
    });

Simply put, the script sends a request to a page called “check_from_google” and changes the text according to the response’s status code.
Along with the rest of the hints, we can assume that check_from_google probably checks the Referer header for the string “google”.

The next step is pretty clear: change the Referer header to google.com or any other domain containing the substring “google”.

We got back an HTTP 200 OK with the following payload:

    bm94Q1RGe0cwb2dMM18xc180bFc0WXNfVXJfYjNTVF9SM2YzcjNuYzN9

Decoding it as base64 data, we get the flag:

    noxCTF{G0ogL3_1s_4lW4Ys_Ur_b3ST_R3f3r3nc3}

In my opinion, this was one of the simpler challenges in this CTF.
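
Why the server-side check fails as an access control, shown as an added example that is not part of the challenge's source or the original writeup. `weak_check` is an assumed reconstruction of what check_from_google does; `TRUSTED_HOSTS`, `strict_host_check`, `may_release_secret` and the sample Referer values are hypothetical names and constructed data.

```python
from urllib.parse import urlsplit

# Hypothetical allowlist; the challenge's server code is not shown in the writeup.
TRUSTED_HOSTS = {"google.com", "www.google.com"}

def weak_check(headers):
    """Assumed behaviour of check_from_google: substring match on Referer."""
    return "google" in headers.get("Referer", "").lower()

def strict_host_check(headers):
    """Parse the Referer and require an exact host match against the allowlist."""
    try:
        parts = urlsplit(headers.get("Referer", ""))
        host = (parts.hostname or "").lower()
    except ValueError:  # malformed URL, e.g. a broken IPv6 literal
        return False
    return parts.scheme in ("http", "https") and host in TRUSTED_HOSTS

def may_release_secret(headers, session_user):
    """Authorization that ignores Referer entirely: the header is written by
    the client, so only server-verified state (here a hypothetical
    authenticated session user) decides."""
    return session_user is not None

# Constructed sample Referer values, not captured traffic.
SAMPLES = [
    "https://www.google.com/search?q=nox",
    "https://example.org/?q=google",
    "https://www.google.com.example.org/",
    "http://[bad",
    "",
]

def compare(samples=SAMPLES):
    """Return (referer, weak_result, strict_result) for each sample."""
    return [(r, weak_check({"Referer": r}), strict_host_check({"Referer": r}))
            for r in samples]

if __name__ == "__main__":
    for referer, weak, strict in compare():
        print(f"{referer!r:45} weak={weak!s:5} strict={strict}")
```

The exact-host check only removes accidental substring matches. A client that sets the header to google.com still passes it, which is why the Referer cannot gate the flag and the decision has to rest on server-side state.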
