We start the challenge with this URI:
http://chal.noxale.com:5000/
Opening this page, we get a simple site containing only the plain text “where the **** did you come from?”.
Reading through the site’s sources, we found a single script, which is interesting in itself, since the page offers the user no other functionality:
<script src="js/index.js"></script>
The script reads:
$( document ).ready(function() {
    $.ajax({
        url: "check_from_google",
        data: NaN,
        success: function(result) {
            $("#status").html("hello old friend! " + atob(result))
        },
        dataType: NaN
    }).fail(function() {
        $("#status").html("where the **** did you come from?")
    });
});
Simply put, the script sends a request to a page called “check_from_google”. If the request succeeds, it displays the base64-decoded response body; if it fails, it displays the “where the **** did you come from?” message.
Along with the rest of the hints, we can assume that check_from_google probably checks the Referer header for the string “google”.
The next step is pretty clear: change the Referer header to google.com or any other domain containing the substring “google”.
We got back an HTTP 200 OK with the following payload:
bm94Q1RGe0cwb2dMM18xc180bFc0WXNfVXJfYjNTVF9SM2YzcjNuYzN9
Decoding it as base64 data, we get the flag:
noxCTF{G0ogL3_1s_4lW4Ys_Ur_b3ST_R3f3r3nc3}
In my opinion, this was one of the simpler challenges in this CTF.
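From the defender's side, the weakness is that the endpoint appears to trust a request header the client chooses. The following is an added example, not the challenge's server code (which the page never shows): the function names, the sample headers and the assumption that the check is a substring match are all hypothetical.

```javascript
// Added illustration; the real check_from_google handler is not on the page.
// Assumption: the endpoint decides what to return from the Referer header.

// Weak form: accepts any Referer value that contains "google" anywhere.
function naiveRefererCheck(headers) {
  const referer = headers["referer"] || "";
  return referer.toLowerCase().includes("google");
}

// Stricter form: parse the value as a URL and compare the hostname.
// This removes accidental matches, but the header is still supplied by the
// client, so it is a hint for analytics, not an access control. Anything
// that must stay private belongs behind real authentication.
function strictRefererCheck(headers, allowedHost = "google.com") {
  const referer = headers["referer"];
  if (!referer) return false;
  let host;
  try {
    host = new URL(referer).hostname.toLowerCase();
  } catch (e) {
    return false; // not a parseable absolute URL
  }
  return host === allowedHost || host.endsWith("." + allowedHost);
}

// Constructed sample request headers (not captured traffic).
const samples = [
  { name: "search result link", headers: { referer: "https://www.google.com/search?q=ctf" } },
  { name: "lookalike host", headers: { referer: "https://notgoogle.example/" } },
  { name: "word in query string", headers: { referer: "https://example.test/?q=google" } },
  { name: "bare word", headers: { referer: "google" } },
  { name: "no Referer sent", headers: {} },
];

// Run both checks over every sample so the difference is visible side by side.
function compareChecks(list) {
  return list.map(({ name, headers }) => ({
    name,
    naive: naiveRefererCheck(headers),
    strict: strictRefererCheck(headers),
  }));
}

console.table(compareChecks(samples));
```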