Writeup for Insp3ctor @picoCTF
Shamal Lakshan

Insp3ct0r

Insp3ct0r

| 50 points

Tags: Category: Web Exploitation

AUTHOR: ZARATEC/DANNY

Description

Kishor Balan tipped us off that the following code may need inspection: https://jupiter.challenges.picoctf.org/problem/44924/ (link) or http://jupiter.challenges.picoctf.org:44924

Code from viewing the source

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<!doctype html>
<html>
<head>
<title>My First Website :)</title>
<link href="https://fonts.googleapis.com/css?family=Open+Sans|Roboto" rel="stylesheet">
<link rel="stylesheet" type="text/css" href="mycss.css">
<script type="application/javascript" src="myjs.js"></script>
</head>

<body>
<div class="container">
<header>
<h1>Inspect Me</h1>
</header>

<button class="tablink" onclick="openTab('tabintro', this, '#222')" id="defaultOpen">What</button>
<button class="tablink" onclick="openTab('tababout', this, '#222')">How</button>

<div id="tabintro" class="tabcontent">
<h3>What</h3>
<p>I made a website</p>
</div>

<div id="tababout" class="tabcontent">
<h3>How</h3>
<p>I used these to make this site: <br/>
HTML <br/>
CSS <br/>
JS (JavaScript)
</p>
<!-- Html is neat. Anyways have 1/3 of the flag: picoCTF{tru3_d3 -->
</div>

</div>

</body>
</html>

Here we can find a part of the flag in a comment

1
picoCTF{tru3_d3

By going to the inspector(ctrl+shift+i) —> Sources Tab —> mycss.css, We can find the part 2/3 of the flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
div.container {
width: 100%;
}

header {
background-color: black;
padding: 1em;
color: white;
clear: left;
text-align: center;
}

body {
font-family: Roboto;
}

h1 {
color: white;
}

p {
font-family: "Open Sans";
}

.tablink {
background-color: #555;
color: white;
float: left;
border: none;
outline: none;
cursor: pointer;
padding: 14px 16px;
font-size: 17px;
width: 50%;
}

.tablink:hover {
background-color: #777;
}

.tabcontent {
color: #111;
display: none;
padding: 50px;
text-align: center;
}

#tabintro { background-color: #ccc; }
#tababout { background-color: #ccc; }

/* You need CSS to make pretty pages. Here's part 2/3 of the flag: t3ct1ve_0r_ju5t */

Part 2/3 of the flag

1
t3ct1ve_0r_ju5t

By going to the inspector(ctrl+shift+i) —> Sources Tab —> myjs.js, We can find the part 3/3 of the flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
function openTab(tabName,elmnt,color) {
var i, tabcontent, tablinks;
tabcontent = document.getElementsByClassName("tabcontent");
for (i = 0; i < tabcontent.length; i++) {
tabcontent[i].style.display = "none";
}
tablinks = document.getElementsByClassName("tablink");
for (i = 0; i < tablinks.length; i++) {
tablinks[i].style.backgroundColor = "";
}
document.getElementById(tabName).style.display = "block";
if(elmnt.style != null) {
elmnt.style.backgroundColor = color;
}
}

window.onload = function() {
openTab('tabintro', this, '#222');
}

/* Javascript sure is neat. Anyways part 3/3 of the flag: _lucky?f10be399} */

Part 3/3 of the flag

1
_lucky?f10be399}

Wraping it all up !

Final Flag

1
picoCTF{tru3_d3t3ct1ve_0r_ju5t_lucky?f10be399}