Bluehat CTF — Mindblow

Josh Graham
Oct 2, 2018

I had the chance to play the Bluehat CTF this year made by Jonathan Bar Or. This blog will discuss the way I solved the Regex JavaScript challenge Mindblow. I’ve written up some other challenges here.

To solve this challenge we need to figure out a password. The challenge page contained the following JavaScript function:

Looking through the checkPassword function, the mao.length != 10 on line 20 tells me that the password has to be 10 characters long. The first regex RegExp("^[a-z]+$") tells us to use only lowercase alphabet characters, and all the other regexes give us hints on which characters are in the password and the order in which they appear.

The following characters appear once or twice in the regular expressions:

1 o
2 r
2 a
1 e
1 d
2 g
1 n

Adding together the above characters and their frequencies gives us 10 characters, which we know is the final length of the password. At first I tried to walk through the regular expressions one at a time to manually build up the solution. To help me check if my solution was correct, I modified the checkPassword function to give me feedback on how close I was to solving the challenge. I simply used the JavaScript console in Chrome (hit F12 to open the console) to overwrite the checkPassword function by copy-pasting the following JavaScript. I changed the alert("access denied") code to log how many regex checks I passed:

Building the solution manually went something like this:

“aaaaaaaaaa” passed 1/14

2nd regex: RegExp(".*o.*r.*a") “aaaaaaaora” passed 2/14

3rd regex: RegExp(".*o.*e.*") “aaaaaaoera” passed 3/14

4th regex: RegExp(".*d.*e.*") “aaaaaodera” passed 4/14

5th regex: RegExp(".*d.*r.*r.*") “aaaaodrera” passed 6/14

7th regex: RegExp(".*o.*n.*") “aaaondrera” passed 7/14

8th regex: RegExp(".*n.*g.*e.*") “aaongdrera” passed 9/14

10th regex: RegExp(".*r.*o.*") “aongdreroa” passed 10/14

11th regex: RegExp(".*d.*g.*e.*") “aondgreroa” passed 11/14

12th regex: RegExp(".*r.*g.*") “aondrgeroa” passed 13/14

14th regex: RegExp(".*r.*g.*g.*") “agrondgera” contains all the characters but can’t pass the 14th regex

I tried to manually massage the string to pass the final regex but didn’t have much luck. Obviously, rather than think about it intelligently, it’s time to brute force! I figured that since I’m passing 13/14 checks, I would start the brute force from the “agrondgera” string. I found a JavaScript permutation script on Stack Overflow, modified the checkPassword function to print the value once found and executed the following JavaScript in the console:

The script quite quickly found ~100 valid permutations of the “agrondgera” string that passed all 14 regexes. A couple of the permutations jumped out at me, “adrognrage” and “adrgorange”; namely, the “rage” and “range” parts made me think that the password might be a guessable string. I removed the letters r-a-g-e from the string and looked the remaining letters up on https://www.word-grabber.com which resulted in…

“dragonrage” was the password which got me the flag!
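The permutation search described above can be reproduced with the sketch below. It is an added example, not the script from the original post or the Stack Overflow snippet it used: it visits each distinct arrangement of the ten letters once and keeps those that pass the 11 regexes quoted in this write-up (the other three of the 14 are not shown here, so the result set may be larger than the ~100 reported). The names QUOTED_CHECKS, LETTER_COUNTS, passesQuotedChecks and findCandidates are made up for the example.

```javascript
// Added example: only the regexes quoted in the write-up (11 of the 14).
const QUOTED_CHECKS = [
  /^[a-z]+$/,
  /.*o.*r.*a/,
  /.*o.*e.*/,
  /.*d.*e.*/,
  /.*d.*r.*r.*/,
  /.*o.*n.*/,
  /.*n.*g.*e.*/,
  /.*r.*o.*/,
  /.*d.*g.*e.*/,
  /.*r.*g.*/,
  /.*r.*g.*g.*/,
];

// Letter frequencies from the write-up; they sum to the required length of 10.
const LETTER_COUNTS = { o: 1, r: 2, a: 2, e: 1, d: 1, g: 2, n: 1 };

function passesQuotedChecks(candidate) {
  return candidate.length === 10 && QUOTED_CHECKS.every((re) => re.test(candidate));
}

// Depth-first walk over the multiset: choosing by letter (not by position)
// yields each distinct arrangement once, 453,600 instead of 10! = 3,628,800.
function findCandidates(counts = LETTER_COUNTS, length = 10) {
  const remaining = { ...counts };
  const letters = Object.keys(remaining);
  const found = [];
  const build = (prefix) => {
    if (prefix.length === length) {
      if (passesQuotedChecks(prefix)) found.push(prefix);
      return;
    }
    for (const ch of letters) {
      if (remaining[ch] === 0) continue;
      remaining[ch] -= 1;
      build(prefix + ch);
      remaining[ch] += 1;
    }
  };
  build("");
  return found;
}

const candidates = findCandidates();
console.log(`${candidates.length} candidates pass the quoted checks`);
```

Run it with Node or paste it into the browser console; the full walk finishes in well under a second on current hardware.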

I’ve written up some other challenges here: https://medium.com/@jpg.inc.au/bluehat-2018-ctf-ef63c48c3a7a
