Level 5 – Hackoween II #ZomatoCTF

Git gud

Another Git level. But this one was easier.
Just like previous level, this also had a git repo link, a form to submit code, and commented out obfuscated JavaScript code in page source.

Run the javascript code in console. and it shows an alert box with openssh private key.

Can’t copy it from alert box.

Override alert method to log private key in console instead of showing as alert box.

window.alert = console.log

After overriding built-in javascript function alert with console.log, run the javascript code again. Copy the key and save it.

I saved it as zom.pem , changed to file permission so that it can be used with ssh, and cloned the repository using this private key.

chmod 400 zom.pem
GIT_SSH_COMMAND='ssh -i zom.pem -o IdentitiesOnly=yes' git clone [email protected]:c37r/Z2l0IGd1ZAo.git

Opened the repo in Sublime Merge (Yes I prefer GUI) and found this base64 encoded string.

echo "Q29kZSBpcyBYakx0JEUqVDIjNmE5Jg==" | base64 -d
"Code is XjLt$E*T2#6a9&"

Decoding it gives the code. Submit the code in CTF level page and get the flag.

Leave a Reply

Your email address will not be published. Required fields are marked *