Tags: coding

Rating: 1.0

# Drive to the target (coding)

Let's go ahead and go to the [website](https://drivetothetarget.web.ctfcompetition.com/) and see what we're dealing with.

Let's give some sample input and see how it behaves.

Looks like when we tamper with the coordinates, it tells us whether we're getting hotter or colder from the target. If we increment by too much, it tells us neither. Looks like the solution is to increment in small steps, and monitor whether we're getting closer to the target or further away. We can move along one axis until it switches on us, and then we can move along the other axis until we get to the target.

Looking at the URL, we notice a token, which seems to be how the program knows where we were before we sent a new request to change our location. Let's go ahead and set up a proxy with something like Burp Suite and monitor outgoing data.

Looking closer, we find that the token sent matches that of the one found in the source of the page.

We now have the solution. We just need to be able to put it into code. We're going to first request an initial state page, where we have not moved. Then, we're going to get the token from the page, and we're going to send a request for a new page in which we have moved by a very small amount of distance. With this request, we're going to send our token so that the new page knows where we originated from. Then, we're going to check the contents of the page to see if we're getting closer or further away from the target location. We're going to continue getting closer until it switches on us, at which we'll take a step back and continue to do the same thing along the alternate axis. We will continue to do this until we arrive at the location.

python
#!/usr/bin/env python3

import bs4
import requests
import sys

def get_coordinates(url):

page = requests.get(url).content
soup = bs4.BeautifulSoup(page, "html.parser")

cLat = float(soup.find("input", attrs={"name": "lat"})["value"])
cLon = float(soup.find("input", attrs={"name": "lon"})["value"])
tken = soup.find("input", attrs={"name": "token"})["value"]
stat = -1 if "away" in soup.text else 0

return [cLat, cLon], tken, stat

def main(args):

if len(args) == 0:
pair, token, stat = get_coordinates(url)
else:
pair, token, stat = get_coordinates(args[0])

done = False
switch = False
before = None

step = 0.0001

while True:

if not switch:
params = "?lat=%.4f&lon=%.4f&token=%s" % (pair[0], pair[1] + step, token)
else:
params = "?lat=%.4f&lon=%.4f&token=%s" % (pair[0] + step, pair[1], token)

try:
pair, token, stat = get_coordinates(url + params)
except:
print(url + params)
quit()

if ( stat == -1 and before == -1 ):
step *= -1

if not switch and ( stat == -1 and before == 0 ):
switch = True
pair[1] -= step
elif switch and ( stat == -1 and before == 0 ):
print(url + params)
quit()

before = stat

print("%.4f, %.4f" % (pair[0], pair[1]), ": Closer" if not stat else ": Further")

if __name__ == "__main__":
main(sys.argv[1::])


This might take a while to run, especially because I'm redoing this challenge for the writeup on coffeeshop Wi-Fi routed through an even slower VPN...

After a while, we finally come to the flag.

## Flag


CTF{Who_is_Tardis_Ormandy}


# Next Stop

We've reached the end. Feel free to go all the way back to [Satellite](https://github.com/shawnduong/ctf-writeups/blob/master/2019-GOOGLE/beginners-quest/day1-satellite.md) and check out the other branch. I'm not too sure why that third branch's challenges aren't accessible.

Anyways, I hope you enjoyed reading these writeups as much as I enjoyed writing them.