noxCTF – References writeup

We start the challenge with this URI:

Opening this page, we get a simple site, only containing the plaintext “where the **** did you come from?”.

After reading through the site’s sources, we’ve found one script, which by itself is interesting, as no additional functionality is offered to the user:

<script src="js/index.js"></script>

The script reads:

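$( document ).ready(function() {
    // Ask the server whether we "came from google"
    $.ajax({
        url: "check_from_google",
        data: NaN,
        success: function(result) {
            // On success the response body is base64-decoded and displayed
            $("#status").html("hello old friend! " + atob(result))
        },
        dataType: NaN
    }).fail(function() {
        // Any failed request shows the default message
        $("#status").html("where the **** did you come from?")
    });
});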

Simply put, the script sends a request to a page called “check_from_google” and changes the text according to the response’s status code.
Along with the rest of the hints, we can assume that check_from_google probably checks the referer header for the string “google”.

The next step is pretty clear: change the Referer header to be or any other domain containing the substring “google”.
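To show why a check like this cannot be trusted, here is an added example (not the challenge's server code, which the writeup never shows) comparing the substring test we assume check_from_google performs with a parsed-host allowlist. The function names, the allowlist and the sample Referer values are all constructed for illustration.

```javascript
// Hypothetical reconstruction of the assumed check: substring match only.
function weakRefererCheck(referer) {
  return typeof referer === "string" && referer.includes("google");
}

// Stricter variant: parse the URL and compare the exact host.
const ALLOWED_HOSTS = new Set(["www.google.com", "google.com"]); // assumed allowlist

function strictRefererCheck(referer) {
  if (typeof referer !== "string") return false;
  let url;
  try {
    url = new URL(referer);
  } catch {
    return false; // not an absolute URL, e.g. the bare string "google"
  }
  return url.protocol === "https:" && ALLOWED_HOSTS.has(url.hostname);
}

// Constructed sample Referer values (undefined = header absent).
const SAMPLES = [
  "https://www.google.com/",
  "https://google.example.net/",
  "https://example.org/?q=google",
  "google",
  "https://www.google.com.example.net/",
  undefined,
];

// Evaluate both checks for every sample.
function compare(samples) {
  return samples.map((r) => ({
    referer: r,
    weak: weakRefererCheck(r),
    strict: strictRefererCheck(r),
  }));
}

console.table(compare(SAMPLES));
```

The substring test accepts every sample that mentions “google” anywhere, while the host comparison accepts only the first. Even the stricter form is not an access control, because the Referer header is chosen by the client; anything sensitive needs real authentication on the server.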

We got back an HTTP 200 OK with the following payload:


Decoding it as base64 data, we get the flag:


In my opinion, this was one of the simpler challenges in this CTF.