Navigating to the mission we can see a password input form. There isn’t much more information than that other than the title and a thank you message to the creator. If we submit test data to the password input form then we will get an incorrect error message. In order to see what’s going on, we need to view the page source of the application.
As you can see from the image below, the script appears to be garbled data. It’s all X’s followed by two-digit numbers. We could attempt to decode it online but there is a far easier solution. All we need to do is to right-click the Check Password button and inspect the functionality behind that.
I’m sure the developers didn’t intend for this mission to be this easy. I fully believe that they wanted us to deobfuscate the code. So for that reason, the screenshot below shows me deobfuscating the code using the GCHQ tool CyberChef. As you can see from the screenshot, the output shows the button value with the password.
moo = "pwns";
rawr = "moo";
So that’s all we need to do to solve the mission. Submit ‘moo pwns‘ as the password and you should complete the mission. Congratulations.
In order to decode the string, we can use our favorite Government developed decoding tool, CyberChef. Surprisingly, CyberChef works really well considering it came from the public sector (please don’t arrest me). As can be seen from the image below, the interface is simple. You choose a recipe, then paste in your encoded text, and then it works its magic and decodes it for you. It even has a magic recipe that will automatically detect what you’re inputting. It really is a great application.
As shown above, the decoded text turns out to be ‘ilovemoo‘. If you submit that to the password form then you should complete the mission.
The mission is called Var which we can deduce means we’re going to be working with variables again. As can be seen from the image below, the message reads “Faith is trying to trick you… she knows that you’re tired after all the math works”. To sum up, Faith is going to going to attempt some shinanigans to prevent us from completing this mission. We can test the form with random data to see what happens but as expected, we just get an alert informing us that it is incorrect.
If we inspect the page we can see the script that is powering the functionality. This is where the first deception comes in. If you view the page source instead of inspecting the element, you may not notice that the first variable is being set. The image below shows that the first variable is being set on the far right. It’s probably a bit to small to see though.
The value of ‘RawrRawr‘ is still moo, let’s see what the script does next. The script has an if statement that compares ‘x‘ to an empty value between two speech marks plus the value of ‘RawrRawr‘. So in essence, the script is checking the value of ‘x‘ against nothing plus ‘moo‘ as ‘moo‘ was set earlier. Therefore, the password to complete the mission should be moo. Input that in to the box and click submit to score.
Looking at the code below we can see that we need to submit a password that is the same length as the value of the variable ‘moo‘. We know this because of the if statement that requires ‘x.length == moo‘ for us to get the alert that we have won the mission. In order to get the value of ‘moo‘, we need to perform some calculations to work out the value.
Ok, let’s break down the maths.
The value of ‘foo‘ is 47 Because of the BODMAS calculation 6 * 7 + 5.
The value of ‘bar‘ is 7 Because it’s the Modulus remainder of 47 divided by 8
Therefore, the value of ‘moo‘ is 14 because the value of ‘bar‘ is 7 and the value of ‘moo‘ is ‘bar‘ * 2.
We can discard the value of ‘rar‘ because ‘rar‘ is not used anywhere during the calculation. Therefore, we are left with the value 14. We know that the password submission form requires our input to be the same length as ‘moo‘. In essence, we should be able to submit any 14 characters to complete the mission.
After submitting 14 characters to the password submission form, you should complete the challenge. That’s all there is to it. However, if you don’t know about BODMAS, which I didn’t, and if you didn’t know that a percentage sign in programming means Modulo or remainder then it could be difficult.
Now that it’s disabled, we can head back to the mission and click the ‘here’ hyperlink to take the mission. This time you shouldn’t see an error. You should see another link that says “Click here to win”. Click that link and you should then see the image below congratulating you on completing the challenge.
There isn’t much to say about this one honestly. It’s a good mission to teach the user how to disable and enable client-side scripting in your browser. Client-side scripting is responsible for a number of attacks like Cross-Site Scripting (XSS) and when combined with other vulnerabilities can cause a lot of problems. Anyway, I’ve passed this post out as much as possible but there isn’t much more I can say so… thanks for reading.
Bribing With Cookies
In order to pass this mission, all we need to do is submit the value cookies into the password submission form. Yes, it really is that simple and could be completed without even understanding the code. So, input the word cookies in to the password submission form and click submit.
As promised, upon doing so you will receive a pop-up box claiming that you win.