Solving a JavaScript crackme: JS SAFE 2.0 (web) - Google CTF 2018

  • Published 24 Nov 2024

COMMENTS • 306

  • @adityavallabh6082 6 years ago +1042

    The confusion with the x's isn't cuz of the with statement. The parameter х (U+0445 or 1093) isn't the x from the English alphabet. It is a Cyrillic alphabet which only looks like it. And this input variable was never used in the code except for the last eval() which dynamically generated 'х==c(weird_string,h(х))' referring to our input х. THAT was the beauty of the challenge :P

    • @LiveOverflow 6 years ago +171

      yeah I was fooled!

    • @adityavallabh6082 6 years ago +190

      They fooled us all lol. Btw since you didn't mention why the browser crashes, it's cuz the for loop in c() runs for a.length times and a regex doesn't have this property making it an infinite loop and crashing the browser due to memory limits. And by this they fooled us not once but TWICE! xD

    • @LiveOverflow 6 years ago +121

      AHHHHHHHHH. that also explains why they wrote i!=a.length and not i

    • @tomaschku 6 years ago +33

      This trick to use similar (or equal) looking characters is also a vuln. in Windows. (An Example here: ua-cam.com/video/7syW3-zyRO8/v-deo.html)
      Kinda wondering, why javascript (and other languages as well) allow non-ansii characters to be used outside of (string) variables.

    • @Ariana-dn4mm 6 years ago +4

      Oh wow such an interesting challenge, thanks for the insight
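
Added example (not part of the comment thread or the challenge source): a small scanner for the trick described in the thread above, an identifier written with the Cyrillic х (U+0445) next to a Latin x. The lookalike table and the sample source are constructed for illustration; the full Unicode confusables data is much larger.

```javascript
// Added example. LOOKALIKES is a small constructed subset of lookalike
// letters (Cyrillic and Greek to Latin), not the full Unicode confusables table.
const LOOKALIKES = new Map([
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043e', 'o'], ['\u0440', 'p'],
  ['\u0441', 'c'], ['\u0443', 'y'], ['\u0445', 'x'], ['\u0456', 'i'],
  ['\u03bf', 'o'], ['\u03bd', 'v'],
]);

// Identifier-shaped tokens, Unicode aware. Strings and comments are scanned
// on purpose: text that ends up in eval() is code too.
const IDENT = /[\p{ID_Start}$_][\p{ID_Continue}$\u200c\u200d]*/gu;

// Map every known lookalike to its Latin twin; other characters stay as they are.
function skeleton(name) {
  return Array.from(name, (ch) => LOOKALIKES.get(ch) || ch).join('');
}

// Render a name as "U+XXXX U+XXXX ..." so the difference is visible in a report.
function codePoints(name) {
  return Array.from(name, (ch) =>
    'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0')
  ).join(' ');
}

// Return one record per non-ASCII identifier, with the lines it appears on and
// the ASCII identifier in the same source that it could be mistaken for (or null).
function findNonAsciiIdentifiers(source) {
  const asciiNames = new Set();
  const nonAscii = new Map(); // name -> Set of 1-based line numbers
  source.split('\n').forEach((line, idx) => {
    for (const match of line.matchAll(IDENT)) {
      const name = match[0];
      if (/^[\x00-\x7f]+$/.test(name)) {
        asciiNames.add(name);
      } else {
        if (!nonAscii.has(name)) nonAscii.set(name, new Set());
        nonAscii.get(name).add(idx + 1);
      }
    }
  });
  return Array.from(nonAscii, ([name, lines]) => {
    const twin = skeleton(name);
    return {
      name,
      codePoints: codePoints(name),
      lines: Array.from(lines),
      collidesWith: asciiNames.has(twin) ? twin : null,
    };
  });
}

// Constructed sample: the parameter and the eval() string use U+0445,
// while the local variable is a plain Latin x.
const SAMPLE_SOURCE = [
  'function check(\u0445) {',
  '  var x = "decoy";',
  '  return eval("\u0445 == expected");',
  '}',
].join('\n');

for (const hit of findNonAsciiIdentifiers(SAMPLE_SOURCE)) {
  console.log(`${hit.codePoints} on lines ${hit.lines.join(', ')}; ` +
    (hit.collidesWith ? `looks like "${hit.collidesWith}"` : 'no ASCII twin in this file'));
}
```

A check like this fits a pre-commit hook or code review step, where any hit that collides with an ASCII name deserves a second look.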

  • @_JohnHammond 6 years ago +353

    Thanks so much for the shoutout, Live Overflow! Hopefully we can do more together sometime soon. :)

    • @trungthanhbp 3 years ago

      hey dude, dont change avatar, people cant find you ...

    • @matthewlandry1352 3 years ago +1

      Lol..10,000 followers back in the day. Good job on the almost 200,000k

    • @motivaciontotal5310 2 years ago

      @@matthewlandry1352 You have seen his face? lol he looks totally different i was shocked.

  • @mxxone16 6 years ago +846

    Wow, if you say you're a total noob I don't know what I am

    • @XseuguhX 6 years ago +66

      He is not, just very humble...

    • @LiveOverflow 6 years ago +84

      Thanks, I guess. But it was in fact one of the easiest challenges during this CTF based on the number of solves ;)

    • @qps9380 6 years ago

      Same lol

    • @ChrisD__ 6 years ago +4

      Maybe you just took the long way around.

    • @soopyc 5 years ago

      mx xone me too

  • @Anonymous-vh6kp 5 years ago +33

    I love watching these videos. I’m at a stage in life where I kind of understand what is going on, enough to comprehend the logic expressed, but not enough to be able to try this myself.

  • @LOEVI 6 years ago +184

    whenever i feel like im getting the hang of coding i just watch one of these videos so i realize i know nothing again

    • @BorisMediaProds 5 years ago +3

      sigh

    • @skrmnghrd4520 5 years ago +4

      I think I was the only one

    • @dubelan 4 years ago +3

      he's going so fast so it's hard to understand

    • @michaelhofmann2925 4 years ago +4

      @@dubelan totally, especially when you are used to watch video on youtube in *1.5time X)

    • @RGT. 4 years ago

      lmao

  • @THE16THPHANTOM 6 years ago +147

    this some next level thinking and reasoning i am just not ready for. and its scary that there are so many people that can do this and i can barely comprehend it.

    • @stefanopersechino9684 6 years ago +4

      Totally agree with you.
      Just impressive

    • @alexanderher7692 6 years ago +11

      lol, so much for 3 years of CS uni

    • @rumble1925 6 years ago +18

      Relax. If I encounter anything even half as complex as this in a codebase I just rip it out and replace it. Fuck trying to debug horrors like this.

    • @GRITBONE 5 years ago +7

      It's just learning a new language. Takes practice, but if there's other people that can speak it, so can you.

    • @kilvesx7924 5 years ago +19

      Nah figuring out stuff like this takes hours and lots of trial and error, it's all just edited out here and only the final conclusions are presented. Watching a guy do "does this work? nah, how about this?" for 4 hours isn't good entertainment

  • @hopkinskong 6 years ago +79

    Btw, two "x" are in different encoding.
    IDE saves the day :D

  • @ineedzsleep 5 years ago +322

    When C++ programmers look at Javascript code:
    *wtf*
    ** googles some stuff **
    *wtf intensifies*

    • @wargodsamael6860 5 years ago +1

      tm man facts 😂

    • @excalibirb9204 5 years ago

      I don't get it. Is it cuz js is child's play to them?

    • @skepticmoderate5790 5 years ago +41

      @@excalibirb9204 No it's because it's insanely dynamic. The opposite of child's play. The programmer has basically no guarantees about the state of the runtime at any specific point in the program, which can make it very hard to debug.

    • @cameronholt4735 4 years ago +4

      True asf

    • @koji2975 4 years ago +2

      @@excalibirb9204 No, the joke is that javascript can be really fuckin confusing

  • @stefanopersechino9684 6 years ago +19

    I feel incredibly stupid.
    This is impressive..who created this is just a genius

  • @benjaminbrady2385 6 years ago +17

    This felt like one of those de-obfuscation of pop-under videos. I loved those!

    • @IsaiahGamers 6 years ago

      Benjamin Brady agreed we need more like those

  • @PaprikaX33 6 years ago +366

    1:30 I don't think "JS" and "military grade" are compatible with each other

    • @peregrinusoblivione4967 6 years ago +14

      The recent breaches at some big companies were hackers cleverly injecting 15 lines of JS. Mirai I think it was called. So I'd say it's militant enough. Enough for the FBI to have them snitch and employ them.

    • @chigozie123 6 years ago +9

      Depends on perspective.
      Military grade for the person who did NOT write that garbage.

    • @slonkazoid 4 years ago

      aes-js in node.js

    • @theshermantanker7043 4 years ago +1

      @@peregrinusoblivione4967 It's still pretty horrific at breaching systems. For that there really is no other reliable way besides C/C++ and Assembly language

  • @pavankumar773 5 years ago +61

    meanwhile I'm coding hello world with some hacker music in the background .

    • @wargodsamael6860 5 years ago

      Pavan Kumar lol this cracked me up 😂

    • @autumnhd 4 years ago +2

      @@spidercubed9718
      title hacking bank details

    • @jowyjozef 4 years ago

      "Coccolino" 👈 Best music channel on YouTube, perfect for coding/programming/hacking...
      Thank me later.

    • @FunkadelicFeed 4 years ago

      Lolz

  • @jankaltenecker597 6 years ago +5

    I just want to thank you for not taking a jab at JS. This Video was really interesting. I was torn between trying it myself first and watching your solution but I'm glad to have watched your video instead.

  • @alex10791 6 years ago +4

    Same here, joined for a few hours and only solved the noob question :p The argument was not an x but a homograph of x as others also mentioned and that took me a bit to figure out. Also I didn't figure out exactly why the browser hanged but it was so annoying, yet I didn't want to spend time on that. I took the same approach for decryption but heard that there was another way based on low redundancy of the internal variables (a and b). I hope I find time and motivation to look into it soon.

  • @marsanmarsipan 6 years ago

    Been lurking your chan for months. Started Beginners quest on this google-ctf now. Never done this before.. Thanks for hooking me up!

  • @DeepakKumar-ym1wr 2 years ago

    I don't know any programming language but love to watch this ;)

  • @myflorin25 4 years ago

    I don't have a clue what I've just watched but it was interesting and a pleasure to watch , you are a clever dude .

  • @KingJellyfishII 5 years ago +21

    *The with statement makes it hard for the interpreter to understand how to interpret it* (or something) lmao

  • @userou-ig1ze 4 years ago +1

    I simply love this channel. Hits just my level of programming skills

  • @soopyc 5 years ago +21

    You sir said you were a noob at this, then I should be an insect lol

  • @codechapter6960 6 years ago +4

    I love your videos and im kinda binge watching them
    keep up the good work!

  • @michaelz6820 4 years ago +1

    Basically to explain 'with' statement, you enter an object to it like:
    with( ) {
    // CODE HERE
    }
    then, basically when you call anything, it first checks the block scope if the variable exists, then, the window. Else, it tries the properties of the object you put in. So in theory, this should work.
    with (console) {
    log("Hello.");
    }

  • @greywolf271 3 years ago

    Number 1 reading for the next few weeks.

  • @akatsukilevi 4 years ago +1

    JS: 'with'
    MDN: Not even who made this function knows, may be a sentient function
    SCP: Hold my containment

  • @Hyperverse 5 years ago

    This was kind of hard to follow but also easy to understand. Where have you been all my life? Shit, I guess I'm hunting for flags now.

  • @tobias8678 6 years ago

    Awesome video! I really enjoy your writeup's video because they are so inspiring, detailed and actually enjoyable to watch!

  • @neloka4313 6 years ago

    Great video and great challenge too! Spent quite a few hours before beating it!

  • @sp1nzer813 6 years ago +3

    i srsly dont understand shit about this but its really cool man keep up the good work

  • @vibheeshavelayudha1903 6 years ago +5

    i want to appreciate ur time and dedication towards the efforts by you not related to solving the ctf but the thing not many noticed, which was the ur skills in copying and redrawing the "google capture the flag" logo as your thumbnail XD lol. Seriously how the hell did u do that, which software?

  • @mitchg9017 6 years ago +2

    These naming conventions hurt my head

  • @dannythomsen 6 years ago +2

    I never got to solve this challenge because I got the length of the hash wrong. But the argument x is not x but a unicode that looks like x, that is why the scoping looks weird :)

  • @jarska22 6 years ago +5

    The "x" password variable is actually cyrillic small letter (u0445)

    • @AntiAtheismIsUnstoppable 5 years ago

      However, there exists other "chars", which are interpreted right away and which can be used to obfuscate code, if you use them as actual non-printable "chars" (copied from the char table) instead of (what they're usually used for) as HTML entities. Like the RTL mark. I use that to obfuscate source code (browser view source code, but also some IDEs), and while the code is run as it should, it does fool some RegExes used by bots (It's quite effective in anti spamming). The W3C validator, however, is not fooled, that's its only weakness. It throws an error.
      From Wikipedia:
      _"The right-to-left mark (RLM) is a non-printing character used in the computerized typesetting of bi-directional text containing mixed left-to-right scripts (such as English and Cyrillic) and right-to-left scripts (such as Persian, Arabic, Urdu, Syriac and Hebrew). "_

    • @AntiAtheismIsUnstoppable 5 years ago

      Back in time, using the RTL mark on email addresses was an easy way of obfuscating, because they were "reversed", when going to the email program, while still bots didn't understand it. This doesn't work anymore though, no email program will accept it today.

  • @cocosloan3748 4 years ago

    John Hammond is such cool guy!

  • @aroymart 6 years ago

    I somehow didn't realize pure RE capture the flag existed until you scrolled past the challenge list

  • @techitow 6 years ago

    Wowwww. You're pretty good at this! Keep it up with the videos

  • @pourliver 6 years ago

    Great to see a writeup on this once since I participated :)

  • @DangerousPictures 6 years ago +37

    can you upload a video when a ctf starts? I always miss them

  • @Askaholic907 6 years ago

    I think the guys over at JS Safe should really have used a sha256 hash. Then there’s no need for all the anti debugging and it’s also unbreakable (given the current state of technology). Very fun challenge though!

  • @gwennycake5046 5 years ago +1

    I didn't understand a shit, but I loved it! I subscribed!

  • @BlackHermit 4 years ago

    This one was so much fun!

  • @padreigh 6 years ago

    Time travel - 90+ solves earlier, then 60th :) nice video

  • @Brandino480 5 years ago

    This is highly entertaining to watch

  • @wesleymays1931 3 years ago +1

    h(s) looks like an Adler-32 checksum

  • @SrIgort 6 years ago

    This was cool, I found it interesting that you probably even do not need to debug to pass this challenge lol

    • @floodingthesea9366 5 years ago

      How? By opening the source in an IDE \ notepad ++ in the right configuration to notice that the x is different?

  • @phoelee352 6 years ago

    Man... my mind is blown... holy smokes...

  • @god_mode_0n97 4 years ago

    I have maths exam today at 9:30 Am and I'm sitting here watching this video at 1:30 am for nothing .

  • @twentylush 6 years ago +13

    this is like mathematical composition on xanax

  • @bluerhinoo 6 years ago +5

    Great video!
    Are there any similar websites where you can practice JS by solving similar tasks (I still feel I’m not ready to join CTF) ?
    Any recommendations are welcome.

    • @akiraryu6250 5 years ago

      Great question. I'm looking for a good website too.

  • @AdrielFreud 5 years ago

    I'm watching from Brazil, Congratulations on the content :D

  • @jmms49 6 years ago

    Awesome content as always. Cheers m8!

  • @hoxorious 6 years ago

    thank you so much for another amazing video

  • @Thulahdanlauss 5 years ago

    Love your videos, i'm gradually learning more and more thanks to you ! Your explanations help me understand the mindset behind these CTF, hopefully with more knowledge and time i'll be able to clear some CTF one day :) Cheers !

  • @berndeckenfels 3 years ago

    Hashing the code, that is great!

  • @MrinalPaliwal98 6 years ago +6

    13:21 'obviously always repeated'
    Can someone please help me in understanding why the 4 byte is being repeated in its use in function c?

    • @LiveOverflow 6 years ago +13

      i is counting from 0 to the length of the cipher text 'a', right? And each character of that cipher text is addressed with a[i].
      The other value (the key) that is being XORed uses b[i%b.length]. Length is 4. So b[i%4].
      i modulo 4 means, the result will never be larger than 3... so
      1%4 = 1
      2%4 = 2
      3%4 = 3
      4%4 = 0
      5%4 = 1
      6%4 = 2
      So this always references b[0], b[1], b[2], b[3], b[0], b[1], ... so it always repeats the key from the start.

    • @XiothMontage 6 years ago +11

      This is how XOR Encryption works.
      If your key is smaller than your message, then the key is repeated. :)
      Example:
      xor("message", "key") ; '^' is the character for XOR Encryption in many languages.
      - m ^ k
      - e ^ e
      - s ^ y
      - s ^ k
      - a ^ e
      - g ^ y
      - e ^ k

    • @MrinalPaliwal98 6 years ago +3

      Thanks for the quick reply, it helped. This was my first ever CTF and this was the first problem I attempted but was stuck on it for the whole 2 days. Great explanation video :D

    • @MrinalPaliwal98 6 years ago

      Thanks for the quick explanation, I'll be reading more about this :D
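
Added example (not the challenge's code and not from any commenter): a model of the loop the comments describe, covering both the `i != a.length` behaviour on a regex raised in the first thread and the `b[i % b.length]` key repetition explained above. It assumes each element is read by index and coerced with String(), which is why a non-string argument does not throw; the iteration cap, the key and the messages are constructed for the demo.

```javascript
// Model of the described loop (an assumption, not the challenge's code):
// XOR each element of `a` with the key `b`, reusing the key via i % b.length.
// `guard` is the loop condition under test; `cap` bounds the demo so that a
// condition which never becomes false cannot hang the process.
function xorWithKey(a, b, guard, cap = 64) {
  const keyIndexes = [];
  let out = '';
  for (let i = 0; guard(i, a.length); i++) {
    if (i >= cap) {
      return { finished: false, iterations: i, keyIndexes, out };
    }
    const k = i % b.length;          // 0,1,2,3,0,1,2,3,... for a 4-character key
    keyIndexes.push(k);
    // String(a[i]) turns a missing element into the text "undefined" instead of
    // throwing, so a non-string `a` keeps the loop running and `out` growing.
    out += String.fromCharCode(String(a[i]).charCodeAt(0) ^ b.charCodeAt(k));
  }
  return { finished: true, iterations: keyIndexes.length, keyIndexes, out };
}

// The condition quoted in the comments: only false when i equals the length.
const notEqual = (i, len) => i != len;
// The usual bounded form: false as soon as the comparison cannot succeed.
const lessThan = (i, len) => i < len;

const KEY = 'KEY!';                  // constructed 4-character key

// 1) On a string both conditions stop after a.length steps, and XOR with the
//    same repeating key is its own inverse.
const enc = xorWithKey('hello world', KEY, notEqual);
console.log('key index per character:', enc.keyIndexes.join(' '));
console.log('round trip:', xorWithKey(enc.out, KEY, notEqual).out);

// 2) A RegExp has no .length, so a.length is undefined. `i != undefined` is
//    true for every number: without the cap this loop would never end.
const onRegex = xorWithKey(/abc/, KEY, notEqual);
console.log('regex with != :', onRegex.finished, 'after', onRegex.iterations, 'steps');

// 3) `i < undefined` compares against NaN and is false at once, so the
//    bounded form exits after zero iterations on the same input.
const bounded = xorWithKey(/abc/, KEY, lessThan);
console.log('regex with <  :', bounded.finished, 'after', bounded.iterations, 'steps');
```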

  • @CristiNeagu 3 years ago

    0:03 Lol. A photo of John Hammond from when he was a baby hacker.

  • @exoR1ft 5 years ago +2

    This just looks like my regular code

  • @hopkinskong 6 years ago +1

    Wired CSV is good too :)

  • @takatsbalint1 6 years ago +2

    They used two different x. You know like the old greek semicolon vs semicolon joke. With some fonts you can even see the difference: x(х)

  • @AnthonyVandeGejuchte 6 years ago

    I tried to do this challenge myself, the part with the regexp object was the part I got stuck.
    About the with statement:
    `var test = {a: () => console.log("Hello local")}; var a = () => console.log("Hello world"); with (test) a();`
    outputs "Hello local" as it uses properties in the with statement as first lookup table instead of global scope.

  • @cjhackerz 6 years ago

    I knew this video is coming :D

  • @ChunkyChest 4 years ago

    I wish I could analyze out the steps like you do.

  • @SolomonUcko 4 years ago

    At first I thought you could just use "CTF{" xor the input string to figure out the 4 bytes, but then remembered that that part of the input is ignored.

  • @DanteElMc 5 years ago +1

    In how many languages do you program?
    LiveOverflow: *yes*

  • @Sam-us6jn 4 years ago

    Mindblow!

  • @tiavor 6 years ago

    I didn't know that JS functions can print itself :D

    • @Askaholic907 6 years ago

      Tiavor Kuroma function x() {return eval(String(x))}()

  • @EmanuelLopesS2 6 years ago

    I love this content

  • @Ariana-dn4mm 6 years ago

    Oh this problem, took me so long for me to realize why adding console.log kept changing output:/
    ah should've used the web debugger instead of spamming console.logs, took me i don't even know how many hours
    (btw try dm coll it's quite easy once you found the correct line of code)

  • @pwnweb5734 6 years ago

    No doubt u r the BEST

  • @kim87713 5 years ago +1

    How do you open the source code for the html?

  • @christiankaindl 6 years ago

    This is so crazy cool 😱

  • @otaldohenrik 1 year ago

    Couldn't I simply use a debugger like GDB + Google's engine and then read the data of "x" in memory at a point where it is decrypted?

  • @JoJoModding 6 years ago

    Could you next time tell us when CTFs are starting/announced and you're participating so that we can follow along?

    • @Askaholic907 6 years ago +1

      JoJoModding Check out ctftime.org

  • @onehourmusicbc 5 years ago +4

    When I actually dont understand a single word...

  • @LastOlie 5 years ago

    How do you know when to give up and just learn a new feature and how do you know when to just carry on trying things

  • @adrien8768 6 years ago

    You are the best :)

  • @IzanBF 6 years ago

    Cool challenge!

  • @7heMech 3 years ago

    Uhh... Yes, I understood everything!

  • @lomomuch 6 years ago

    Awesome !!!!

  • @xenonamericium8535 6 years ago

    on which websites you can play ctfs without a team? looks like you have to be really into it to compete with something on ctftime.org...

  • @thealex7671 3 years ago

    So where I can find this website with crackmes?

  • @PeakyBlinder 6 years ago +4

    Where can I learn all this stuff
    Where do you start ?

    • @ThirdEyeSuspect 6 years ago

      .

    • @thechillipl 6 years ago +1

      I wanna know that too

    • @peregrinusoblivione4967 6 years ago +6

      He has a video on this. Go watch his web hacking video series. also overthewire.org has very easy ctf games that teach you the basics. Code Academy is the best site out there. Learn basic HTML, then some JS, then choose between either Python or Ruby to go full into. Basic SQL helps. But the best thing you can do is learn the theory behind it all and learn how computers think.

    • @peregrinusoblivione4967 6 years ago

      Also be prepared to learn hundreds of Acronyms and be able to quickly memorize long strings of numbers.

  • @marioguglia4928 5 years ago +4

    12:49 basically nobody in the world knows what it does 🤣🤣🤣

  • @MrHatoi 5 years ago

    This challenge perfectly summarizes why I can't stand JavaScript. All of these weird rules like how scopes of variables extend to weird places to how you can use non-ASCII symbols that look like ASCII symbols for variable names. You know that your language has issues when even an authoritative documentation like MDN states that one of your builtin syntax statements is too unpredictable to reliably use. You can write bad code in any language, but JavaScript seems like it was specifically designed for spaghetti code. More than half the stuff in this crackme would be literally impossible in almost any other language, because they have rules in place to keep people from writing garbage like this.

  • @oldbootz 6 years ago

    If you have a look at the file for this challenge now it's quite different!

    • @oldbootz 6 years ago

      Maybe time to redo this one?

  • @raulmartina8781 6 years ago

    Hey, can you suggest me an IRC with teams from the current ongoing Google CTF, I would like to chat with likeminded! :)

  • @FunkadelicFeed 4 years ago

    Just wanted to let you know the point where you messed up is 14:05 . We are beginners here and don't know much, you didn't show the part at 14:05 which was the main thing from my pov.

  • @SeriousGamer753 6 years ago

    If this is considered really easy i think i shouldnt even think of pursuing coding

    • @JackBond1234 6 years ago

      This isn't what I'd call coding. I'd consider myself pretty knowledgeable about Javascript, and I was only barely able to understand everything after it was explained in the video.

  • @expeng5861 5 years ago

    crazy man ~~!!!

  • @unihedronp2573 6 years ago

    5:22.9-5:24.7 "And now we can ivnestigate."

  • @fiercethundr_ 5 years ago

    I'm an outsider looking in. I tried to figure it out, but as far as I can tell "x" provides the password in hidden and obscured fashion. That of course being the main difficulty. Me having little knowledge of JS I know I would be incapable of solving for "x" assuming my assessment here is correct.

    • @AntiAtheismIsUnstoppable 5 years ago

      Using greek letter "look a likes" or other alphabets as substitutes for roman letters is a well known technique for spamming purposes. Disqus had this problem for a period of time, probably because they used some reg ex operations to search for "spammy" words in english, while they wanted to allow for any language (and therefore alphabet) to be used at the same time.
      Look up the UTF-8 table and see for yourself how many letters of other alphabets are look-a-likes to roman letters.
      This is the hebrew letter HET: ח
      And this is the english n
      They're not the same, but they look the same.
      So, JS allows for non ASCII chars in function names, not sure why, but this is used to obfuscate the source code here.
      Digging deeper into how languages work, and recognizing, that LTR (Left to Right) is only the standard in english speaking world, you can further obfuscate the code by using *non-printable RTL mark,* which is used in for example arabic. Not sure how it works with JS, but HTML it works, I have placed a few RTL marks in my code strategically. The source code gets completely screwed up and unreadable, as it is shown reversed, but it's run and it works.

  • @chigozie123 6 years ago +1

    This is why I don't trust JavaScript programmers. Shit like this is what nightmares are made of.
    In Typescript we trust. All day er' day

  • @h3xad3cimaldev61 5 years ago +1

    How people think Google Employees are: "Oh my God they must be really good at their job since Google hired them and must write code insanely well that a baby could read it"
    Google Employees when writing code: "I speak AblaEnglJaIes"
    Highly Skilled Programmers: "Ah I see... Keep your secrets to yourself"
    Google: "I see you're a man of culture"

  • @elliotpowell8392 6 years ago

    Text editor?

  • @simplylinn 6 years ago

    I took a stab at this myself, and yikes, I gave up after a while, because of the anti debugging measurements. I couldn't figure out what parts were important to the algorithm, and what parts were just anti debugger stuff. Also, this is written almost exclusively using "the bad parts" of javascript, overwriting the function with a string so you can't call it on successions, so I modified the function to be run multiple times to inspect what the hell it did aaaaaand, you guessed it, suddenly the sourcecode wasn't passed into anything anymore. I also couldn't make any sense of the c-function at all. You pass in the 'source' variable as a parameter and it tries to iterate over the length of it, but the source variable is a regexp object. It was a complete mess, I couldn't make sense of anything.
    It just goes to show that you need a completely different mindset to figure out a puzzle like this, vs when working with actual code that's meant to be understood. I'm fairly decent at reading and reconstructing minified JS into readable code, but that isn't doing weird stuff with scope, overwriting functions with strings as part of normal operations etc.
    I've always wanted to be a hacker, and CTF's seemed like a good place to start. I've done a few trivial ones, but I get frustrated and unable to continue when I hit a wall. This challenge especially just made me realize that I'm not a hacker, I'm a developer.
    I'll continue watching these videos, because they're highly educational, interesting and entertaining! And I can use the knowledge you provide to increase my ability to develop secure systems by avoiding pitfalls, but I'm not a "hacker" myself.

    • @Askaholic907 6 years ago

      CoderCandy Google CTF is especially hard, don’t beat yourself up for being stumped. I like some of the other sites like pwnable.kr, xssgame.com, and cryptopals.com to name a few. These are nice because they have very very simple challenges to start you out with, and there is no time limit. Writeups like this can be deceptive because they’re so short, when in reality the challenge takes many hours to solve.

    • @simplylinn 6 years ago

      Yeah, that's what I came to terms with. I don't enjoy beating my head against a problem like this for hours on end. I understand and enjoy the writeups and can learn how to develop more secure systems from them, but I'm not the kind of person who discover the vulnerabilities in the first place. I leave that to people who actually enjoy banging their head against a problem for hours and hours on end for that sweet reward of eventually cracking it.
      I've done a few simpler CTFs previously, and the really simple ones were unrewarding, and the harder ones were above my skill level. This is one that I COULD have cracked if I gave it some more time, but no. I did not enjoy putting in the time required to solve it, it's not my thing

  • @harryfox4389 6 years ago

    What is "foo" I've seen it used a lot as a kind of temporary/test variable

    • @PatrickGHG 6 years ago

      placeholder name

    • @yes-i-am 4 years ago

      first part of 'bar' ;) google wikipedia to find out more :)

  • @leifd4457 4 years ago

    Me:
    1st 5mins... yesyesyes
    2nd 5mins....wtf
    last 5mins... I am going back to my Hello World

  • @forex_shark6042 5 years ago

    > a
    b

  • @WhiterockFTP 6 years ago

    did the other flag also work? :)

  • @juan-ou3gq 5 years ago

    I like so far

  • @bitcode_ 6 years ago +41

    "because we are noobs" stop it!

    • @LiveOverflow 6 years ago +13

      Well, we did choose one of the easiest challenges because the harder ones were likely too hard for us ;)
      I think that would qualify as noobs, compared to the people solving the really hard challenges ;)

    • @peregrinusoblivione4967 6 years ago +1

      You need to have that mindset to succeed in Cybersecurity!