Level 7 – Hackoween II #ZomatoCTF

On Time, every time!

So the challenge is to create a TOTP for current timestamp and of a timestamp exactly 4 hours ago.

TOTP is output of mixing of timestamp, a seed, sugar, spice and everything nice.

So we just need a seed and two timestamps, of NOW and 4 HOURS AGO.

Viewing page source revealed a ruby code with encoded string. Also a comment above the tag saying “ROT47”

Used CyberChef (https://gchq.github.io/CyberChef/) to decode this ROT47 and it gave JS code (JSF*ck)

Run this code (or decode it) and it gave a hint,

seed is your email in lower case, encoded in Base32

Used CyberChef again to base32 encode my email.
Used https://www.npmjs.com/package/totp-generator to generate two TOTPs giving them current timestamp and a timestamp of 4 hours ago.

To save time I just used https://npm.runkit.com/totp-generator to run the code I wrote.

var totp = require("totp-generator")
var nowTime = Date.now();          //timestamp now
var pastTime = (nowTime - (60*60*4*1000));       // timestamp  4 hours ago
var secret = "NVZC43LBMRTXK6LZPFAGO3LBNFWC4Y3PNU=====";  // base32 encoded email
const nowToken = totp(secret);
const pastToken = totp(secret, { timestamp: pastTime });
console.log("now: " + nowToken);
console.log("4 hours ago: " + pastToken);

Entered these TOPTs in form and got the flag.

Leave a Reply

Your email address will not be published. Required fields are marked *