
NcN 2013 CTF Algeria write up

In this post I will cover a challenge from the No Con Name 2013 CTF, run by the Facebook security team. The challenge is based on a Firefox extension, which is available here.

$ file autologin.xpi 
autologin.xpi: Zip archive data, at least v2.0 to extract
$ 

After unzipping the extension, a number of JavaScript files appear:

$ unzip autologin.xpi 
Archive:  autologin.xpi
  inflating: install.rdf             
  inflating: defaults/preferences/prefs.js  
   creating: locale/
 extracting: locales.json            
  inflating: bootstrap.js            
   creating: resources/
   creating: resources/addon-sdk/
   creating: resources/addon-sdk/data/
   creating: resources/addon-sdk/lib/
   creating: resources/addon-sdk/lib/sdk/
   creating: resources/addon-sdk/lib/sdk/addon/
  inflating: resources/addon-sdk/lib/sdk/addon/runner.js  
  inflating: resources/addon-sdk/lib/sdk/base64.js  
   creating: resources/addon-sdk/lib/sdk/console/
  inflating: resources/addon-sdk/lib/sdk/console/plain-text.js  
  inflating: resources/addon-sdk/lib/sdk/console/traceback.js  
   creating: resources/addon-sdk/lib/sdk/content/
  inflating: resources/addon-sdk/lib/sdk/content/content-proxy.js  
  inflating: resources/addon-sdk/lib/sdk/content/content-worker.js  
  inflating: resources/addon-sdk/lib/sdk/content/thumbnail.js  
  inflating: resources/addon-sdk/lib/sdk/content/worker.js  
   creating: resources/addon-sdk/lib/sdk/core/
  inflating: resources/addon-sdk/lib/sdk/core/heritage.js  
  inflating: resources/addon-sdk/lib/sdk/core/namespace.js  
  inflating: resources/addon-sdk/lib/sdk/core/promise.js  
   creating: resources/addon-sdk/lib/sdk/deprecated/
  inflating: resources/addon-sdk/lib/sdk/deprecated/api-utils.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/cortex.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/errors.js  
   creating: resources/addon-sdk/lib/sdk/deprecated/events/
  inflating: resources/addon-sdk/lib/sdk/deprecated/events.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/events/assembler.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/light-traits.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/list.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/memory.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/observer-service.js  
   creating: resources/addon-sdk/lib/sdk/deprecated/traits/
  inflating: resources/addon-sdk/lib/sdk/deprecated/traits.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/traits/core.js  
  inflating: resources/addon-sdk/lib/sdk/deprecated/window-utils.js  
   creating: resources/addon-sdk/lib/sdk/dom/
  inflating: resources/addon-sdk/lib/sdk/dom/events.js  
   creating: resources/addon-sdk/lib/sdk/event/
  inflating: resources/addon-sdk/lib/sdk/event/core.js  
  inflating: resources/addon-sdk/lib/sdk/event/target.js  
   creating: resources/addon-sdk/lib/sdk/io/
  inflating: resources/addon-sdk/lib/sdk/io/byte-streams.js  
  inflating: resources/addon-sdk/lib/sdk/io/data.js  
  inflating: resources/addon-sdk/lib/sdk/io/file.js  
  inflating: resources/addon-sdk/lib/sdk/io/text-streams.js  
   creating: resources/addon-sdk/lib/sdk/l10n/
  inflating: resources/addon-sdk/lib/sdk/l10n/core.js  
  inflating: resources/addon-sdk/lib/sdk/l10n/html.js  
  inflating: resources/addon-sdk/lib/sdk/l10n/loader.js  
  inflating: resources/addon-sdk/lib/sdk/l10n/locale.js  
  inflating: resources/addon-sdk/lib/sdk/l10n/prefs.js  
   creating: resources/addon-sdk/lib/sdk/lang/
  inflating: resources/addon-sdk/lib/sdk/lang/functional.js  
   creating: resources/addon-sdk/lib/sdk/loader/
  inflating: resources/addon-sdk/lib/sdk/loader/cuddlefish.js  
  inflating: resources/addon-sdk/lib/sdk/loader/sandbox.js  
   creating: resources/addon-sdk/lib/sdk/net/
  inflating: resources/addon-sdk/lib/sdk/net/url.js  
   creating: resources/addon-sdk/lib/sdk/platform/
  inflating: resources/addon-sdk/lib/sdk/platform/xpcom.js  
   creating: resources/addon-sdk/lib/sdk/preferences/
  inflating: resources/addon-sdk/lib/sdk/preferences/service.js  
   creating: resources/addon-sdk/lib/sdk/private-browsing/
  inflating: resources/addon-sdk/lib/sdk/private-browsing.js  
  inflating: resources/addon-sdk/lib/sdk/private-browsing/utils.js  
   creating: resources/addon-sdk/lib/sdk/private-browsing/window/
  inflating: resources/addon-sdk/lib/sdk/private-browsing/window/utils.js  
  inflating: resources/addon-sdk/lib/sdk/self.js  
   creating: resources/addon-sdk/lib/sdk/system/
  inflating: resources/addon-sdk/lib/sdk/system.js  
  inflating: resources/addon-sdk/lib/sdk/system/environment.js  
  inflating: resources/addon-sdk/lib/sdk/system/events.js  
  inflating: resources/addon-sdk/lib/sdk/system/globals.js  
  inflating: resources/addon-sdk/lib/sdk/system/runtime.js  
  inflating: resources/addon-sdk/lib/sdk/system/unload.js  
  inflating: resources/addon-sdk/lib/sdk/system/xul-app.js  
   creating: resources/addon-sdk/lib/sdk/tabs/
  inflating: resources/addon-sdk/lib/sdk/tabs.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/common.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/events.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/helpers.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/namespace.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/observer.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/tab-fennec.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/tab-firefox.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/tab.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/tabs-firefox.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/tabs.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/utils.js  
  inflating: resources/addon-sdk/lib/sdk/tabs/worker.js  
  inflating: resources/addon-sdk/lib/sdk/timers.js  
  inflating: resources/addon-sdk/lib/sdk/url.js  
   creating: resources/addon-sdk/lib/sdk/util/
  inflating: resources/addon-sdk/lib/sdk/util/array.js  
  inflating: resources/addon-sdk/lib/sdk/util/deprecate.js  
  inflating: resources/addon-sdk/lib/sdk/util/list.js  
  inflating: resources/addon-sdk/lib/sdk/util/object.js  
  inflating: resources/addon-sdk/lib/sdk/util/uuid.js  
   creating: resources/addon-sdk/lib/sdk/window/
  inflating: resources/addon-sdk/lib/sdk/window/browser.js  
  inflating: resources/addon-sdk/lib/sdk/window/namespace.js  
  inflating: resources/addon-sdk/lib/sdk/window/utils.js  
   creating: resources/addon-sdk/lib/sdk/windows/
  inflating: resources/addon-sdk/lib/sdk/windows.js  
  inflating: resources/addon-sdk/lib/sdk/windows/dom.js  
  inflating: resources/addon-sdk/lib/sdk/windows/fennec.js  
  inflating: resources/addon-sdk/lib/sdk/windows/firefox.js  
  inflating: resources/addon-sdk/lib/sdk/windows/loader.js  
  inflating: resources/addon-sdk/lib/sdk/windows/observer.js  
  inflating: resources/addon-sdk/lib/sdk/windows/tabs-fennec.js  
  inflating: resources/addon-sdk/lib/sdk/windows/tabs-firefox.js  
   creating: resources/addon-sdk/lib/toolkit/
  inflating: resources/addon-sdk/lib/toolkit/loader.js  
   creating: resources/autologin/
   creating: resources/autologin/data/
   creating: resources/autologin/lib/
  inflating: resources/autologin/lib/main.js  
   creating: resources/autologin/tests/
  inflating: harness-options.json    
$

The JavaScript file resources/autologin/lib/main.js contains some dodgy obfuscated JavaScript (JSFuck style, written only with the characters []()!+):

var tabs = require("sdk/tabs");

var loginScript = "[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+
[...]
+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]))()";

tabs.on('ready', function(tab) {
  tab.attach({
    contentScript: loginScript
  });
});
$ 

To solve this level, the JavaScript code needs to be deobfuscated. All that is needed is to delete the first pair of brackets [] and the last pair of parentheses () of the obfuscated code contained in the loginScript variable: the obfuscated code is an expression of the form []["filter"]["constructor"](code)(), which is Function(code)(), and without the leading [] and the trailing () it becomes ["filter"]["constructor"](code), which is Array(code) and just returns the decoded source wrapped in an array instead of running it. The variable content should then look like the following excerpt:

var loginScript = "[(![]+[])[+[]]+
[...]
[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]))";

Then just copy+paste the content of the string (without the surrounding quotes) into a JavaScript console and that's it!

["if (document.getElementById('user_pass').value === \"0f97972a0efd34ebb3111ac8ec6976740529df531e94df14d0ee8614a07d153b\") { alert('win'); } else { alert('try again'); }"]
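As an added example (not code from the write-up or the challenge), a JSFuck-style encoder for a small alphabet together with the defang step described above, so the whole round trip can be checked offline. It assumes Node.js; the payloads and the names encode, execute, defang and decode are constructed here for illustration.

```javascript
// Added example (not the CTF author's code): a JSFuck-style encoder for a small
// alphabet, plus the write-up's defang step, so the round trip can be checked offline.
// Assumes Node.js; the payloads below are constructed for illustration.
const FALSE = "(![]+[])";                 // evaluates to the string "false"
const TRUE  = "(!![]+[])";                // evaluates to the string "true"
const UNDEF = "([][[]]+[])";              // evaluates to the string "undefined"
// Integer n from [] ! + only: 0 -> +[], 1 -> +!+[], 2 -> +!+[]+!+[] ...
const num = n => (n === 0 ? "+[]" : "+!+[]" + "+!+[]".repeat(n - 1));
// Two-digit index "ab" is a+[b], e.g. 15 -> +!+[]+[+!+[]+!+[]+!+[]+!+[]+!+[]]
const idx = n => (n < 10 ? num(n) : num(Math.floor(n / 10)) + "+[" + num(n % 10) + "]");
const pick = (src, pos) => src + "[" + idx(pos) + "]";   // the character src[pos]

const CHARS = {
  f: pick(FALSE, 0), a: pick(FALSE, 1), l: pick(FALSE, 2), s: pick(FALSE, 3),
  t: pick(TRUE, 0),  r: pick(TRUE, 1),  u: pick(TRUE, 2),  e: pick(TRUE, 3),
  n: pick(UNDEF, 1), d: pick(UNDEF, 2), i: pick(UNDEF, 5),
};
for (let d = 0; d <= 9; d++) CHARS[String(d)] = "(" + num(d) + "+[])";   // number + [] -> "d"

// Each character becomes one atom; unsupported characters are reported, not guessed.
const str = s => [...s].map(c => {
  if (!(c in CHARS)) throw new Error("no atom for " + JSON.stringify(c));
  return CHARS[c];
}).join("+");

// []["filter"] stringifies to "function filter() { [native code] }", which supplies
// the characters that "false", "true" and "undefined" lack.
const FILTER = "[][" + str("filter") + "]";
const FN_SRC = "(" + FILTER + "+[])";
for (const [c, pos] of [["c", 3], ["o", 6], [" ", 8], ["(", 15], [")", 16]]) CHARS[c] = pick(FN_SRC, pos);

// JSFuck's outer shell: []["filter"]["constructor"](code)()  is  Function(code)()
const encode = code => FILTER + "[" + str("constructor") + "](" + str(code) + ")()";
const execute = jsfuck => Function("return (" + jsfuck + ")")();   // evaluates the expression as-is

// The write-up's trick: drop the leading [] and the trailing (). The shell becomes
// ["filter"]["constructor"](code), i.e. Array(code), which merely wraps the decoded
// source in an array instead of executing it.
function defang(jsfuck) {
  if (!jsfuck.startsWith("[][") || !jsfuck.endsWith(")()")) {
    throw new Error("not a JSFuck Function-call shell");
  }
  return jsfuck.slice(2, -2);
}
// The defanged expression references no globals, so evaluating it with no DOM
// around simply returns the wrapped source text.
const decode = jsfuck => execute(defang(jsfuck))[0];

console.log(decode(encode("alert(1)")));   // alert(1)
```

The defanged form starts with `[(![]+[])[+[]]+`, exactly the shape of the excerpt above, while the untouched shell still runs the payload.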