Clay
Clay Identify, educate, empower, and inspire technical talent to solve the biggest challenges

picoCTF - Insp3ct0r with Jupyter

picoCTF - Insp3ct0r with Jupyter

I am experimenting with Juypter notebooks for solving CTF problems. Here is a notebook converted to a blog entry. You can find the original Jupyter Notebook file here

Problem Statement

Kishor Balan tipped us off that the following code may need inspection: https://2019shell1.picoctf.com/problem/63975/ or http://2019shell1.picoctf.com:63975

Solve

First we will import the functionality we will need for this challenge. Requests will allow us to easily talk to the webserver and BeautifulSoup will allow us to work with the HTML code that is the webserver provides us.

1
2
3
import requests
from bs4 import BeautifulSoup as bs
from bs4 import Comment

We will create a session object, get our URL for the challenge, initialize an empty flag, and get the main page.

1
2
3
4
s = requests.session()
url = 'https://2019shell1.picoctf.com/problem/63975/'
flag = ""
r = s.get(url)

Now that we have the base webpage’s source code in our request object r, we will build see if there is a flag in our source.

1
[line for line in r.text.split('\n') if 'flag' in line]
1
['\t<!-- Html is neat. Anyways have 1/3 of the flag: picoCTF{tru3_d3 -->']

So we have a comment with that tells us the flag will be in parts. Seems that we have part 1. Lets creat a regular expression based on this, that may help us find the rest of the pieces.

1
2
from re import compile
patt = compile('flag: ([\w{}_?]*) ')

We have the source code for the site, lets build a BeautifulSoup object so we can grab that comment.

1
soup = bs(r.text,features="html.parser")

Since our regular expression has the a capture group defined, we will just grab that chunk from our comments and add them to our flag.

1
2
3
m = patt.findall(r.text)
if m:
    flag += m[0]

We will now grab all the hyperlinks from our soup object, and see if we have any pieces of the flag there.

1
2
3
4
5
htmls = ""
for link in soup.findAll('link'):
    r = s.get(url + link['href'])
    htmls += r.text
[line for line in htmls.split('\n') if 'flag' in line]
1
["/* You need CSS to make pretty pages. Here's part 2/3 of the flag: t3ct1ve_0r_ju5t */"]

Now we will grab that piece of the flag and add it to flag variable.

1
2
3
4
5
for link in soup.findAll('link'):
    r = s.get(url + link['href'])
    m = patt.findall(r.text)
    if m:
        flag += m[0]

Another place to look are any javascript files that might exist. So we will check anything from a script tag.

1
2
3
4
5
js = ""
for script in soup.findAll('script'):
    r = s.get(url + script['src'])
    js += r.text
[line for line in js.split('\n') if 'flag' in line]
1
['/* Javascript sure is neat. Anyways part 3/3 of the flag: _lucky?d3db9182} */']

Now we will grab that final piece of the flag and append to our flag variable

1
2
3
4
5
for script in soup.findAll('script'):
    r = s.get(url + script['src'])
    m2 = patt.findall(r.text)
    if m2:
        flag += m2[0]

And now we can check out final flag. Looks good to me.

1
flag
1
'picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?d3db9182}'

comments powered by Disqus