Loved playing Codegate this year. This was a fun challenge, although it went a little quick.
The server was provided in the description:
nc 175.119.158.131 1129
After connecting you get a d8 shell. Looking this up I quickly learned it was a V8 engine JavaScript shell. Found this and a few helpful commands from this post - http://www.sandeepdatta.com/2011/10/using-v8-javascript-shell-d8.html
After playing around a bit, looking for methods similar to node, I just tried one of the methods listed in the blog post above:
d8> quit(1)
This led to the unintentional way of solving the challenge, but it was quick and I took it. (Also probably due to my poor ability to read directions right in front of me)
Here was the result of running the quit command on the server:
quit(1)
Traceback (most recent call last):
  File "/home/codegate/wrapper.py", line 14, in
    p.expect("d8>")
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 315, in expect
    timeout, searchwindowsize, async)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/spawnbase.py", line 339, in expect_list
    return exp.expect_loop(timeout)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 102, in expect_loop
    return self.eof(e)
  File "/usr/local/lib/python2.7/dist-packages/pexpect/expect.py", line 49, in eof
    raise EOF(msg)
pexpect.exceptions.EOF: End Of File (EOF). Exception style platform.
command: /usr/bin/v8/d8
args: ['/usr/bin/v8/d8', '--shell', '/home/codegate/cg.js']
searcher: None
buffer (last 100 chars): ''
before (last 100 chars): ' quit(1)\r\n'
after:
match: None
match_index: None
exitstatus: 1
flag_eof: True
pid: 13615
child_fd: 5
closed: False
timeout: 30
delimiter:
logfile: None
logfile_read: ', mode 'w' at 0x7fbc2021d150>
logfile_send: None
maxread: 2000
ignorecase: False
searchwindowsize: None
delaybeforesend: 0.05
delayafterclose: 0.1
delayafterterminate: 0.1
Ahhh! What a useful traceback, Thank You D8! This makes the challenge a lot easier :D
We can see the executed script for the challenge is:
args: ['/usr/bin/v8/d8', '--shell', '/home/codegate/cg.js']
or
/usr/bin/v8/d8 --shell /home/codegate/cg.js
So let's check out that file if we can by reading it in d8!
d8> read("/home/codegate/cg.js")
read("/home/codegate/cg.js")
"function js_challenge(flag) {
    return function(arr) {
        var random_value = "ac1a39300ce7ee8b6cff8021fd7b0b5caf5bc1c316697bd8f22e00f9fab710d6b8dba23ca80f6d80ca697e7aa26fd5f6";
        var check = "20150303";
        if((arr === null || arr === undefined)) {
            print("arr is null or undefined.");
            return;
        }
        if(!arr.hasOwnProperty('length')) {
            print("length property is null or undefined.");
            return;
        }
        if(arr.length >= 0) {
            print("i think you're not geek. From now on, a GEEK Only!");
            return;
        }
        if(Object.getPrototypeOf(arr) !== Array.prototype) {
            print("Oh.... can you give me an array?");
            return;
        }
        var length = check.length;
        for(var i=0;i<length;i++) {
            arr[i] = random_value[Math.floor(Math.random() * random_value.length)];
        }
        for(i=0;i<length;i++) {
            if(arr[i] !== check[i]) {
                print("Umm... i think 2015/03/03 is so special day.\nso you must set random value to 20150303 :)");
                return;
            }
        }
        print("Yay!!");
        print(flag);
    }
}
var challenge100 = js_challenge('flag is \"easy xD, get a more hardest challenge!\"');
print("[JavaScript Jail]")
print("let start to type on 'challenge100'")
"
Flag!
easy xD, get a more hardest challenge!
The flag doesn't lie: as we can see in the source of the challenge, it wouldn't have been that bad the other way either. But still a lot easier just reading the source!
And even though it was the simple route, still had a lot of fun playing around in d8, learning new things and finding a flag.
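From the defender's side, the traceback above reached the player because wrapper.py let the pexpect EOF exception go uncaught when d8 exited. The sketch below is an added example, not the challenge's wrapper.py: it uses subprocess in place of pexpect, a constructed stand-in child instead of d8, and hypothetical names (run_session, FAKE_REPL, GENERIC_CLOSE), and shows the child's exit being logged server-side while the player gets only a generic message.

```python
import logging
import subprocess
import sys

log = logging.getLogger("jail-wrapper")
log.addHandler(logging.NullHandler())  # assumption: deployment attaches a file handler

# Constructed stand-in for `d8 --shell cg.js`: echoes input, exits 1 on quit(1).
FAKE_REPL = [sys.executable, "-u", "-c",
             "import sys\n"
             "for l in sys.stdin:\n"
             "    if l.strip() == 'quit(1)': sys.exit(1)\n"
             "    print('echo: ' + l.strip())\n"]

GENERIC_CLOSE = "session closed\n"  # the only thing the player learns on failure


def run_session(child_argv, player_lines):
    """Relay player lines to the child REPL; return exactly what the player sees."""
    seen = []
    child = subprocess.Popen(child_argv, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE,
                             stderr=subprocess.DEVNULL,  # child stderr stays off the wire
                             text=True, bufsize=1)
    try:
        for line in player_lines:
            child.stdin.write(line + "\n")
            child.stdin.flush()
            reply = child.stdout.readline()
            if reply == "":  # EOF: the child exited, as d8 did on quit(1)
                raise EOFError("child closed its output")
            seen.append(reply)
    except (EOFError, OSError):
        # argv and the traceback go to the server log only, never to the player.
        log.exception("jail child died: argv=%r", child_argv)
        seen.append(GENERIC_CLOSE)
    finally:
        child.kill()
        child.wait()
    return "".join(seen)


if __name__ == "__main__":
    print(run_session(FAKE_REPL, ["1+1", "quit(1)"]), end="")
```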