Check out my super safe website! Enter the password to get the flag

Author: Andrew

We're given a simple website with an input. Here's the interesting parts of main.js:

// Fetches the raw WebAssembly module as an ArrayBuffer so it can be instantiated.
const fetchWASMCode = () => {
    return new Promise((res, rej) => {
        const req = new XMLHttpRequest();

        req.onload = function () {
            res(req.response);
        };
        req.onerror = (err) => {
            console.warn('If you\'re seeing this logged, something broke');
            rej(err);
        };
        req.open("GET", "./code.wasm");
        req.responseType = "arraybuffer";
        req.send();
    });
};
const input = document.querySelector('input#password');
const response = document.querySelector('p#response-text');

// `wasm` is the instantiated module (WebAssembly.instantiate result), assigned elsewhere in main.js.
document.querySelector('button').addEventListener('click', () => {
    if (wasm) {
        // The module's linear memory is shared with JS: write the NUL-terminated password at offset 0.
        const memory = new Uint8Array(wasm.instance.exports.memory.buffer);
        memory.set(new TextEncoder().encode(input.value + "\x00"));

        // checkPassword takes a pointer to the input and returns a pointer to a NUL-terminated reply.
        const resultAddr = wasm.instance.exports.checkPassword(0);

        const end = memory.indexOf(0, resultAddr);

        response.innerText = "Response: " + new TextDecoder().decode(memory.subarray(resultAddr, end));
    } else {
        response.innerText = "Please try again in a few seconds";
    }
}, 1);

In the second chunk you can see that wasm.instance.exports.checkPassword is called with a pointer to the password in the module's linear memory, and that the reply is read back out of that same memory. In the first chunk you can see that the module comes from ("GET", "./code.wasm"), so the password check runs entirely client-side and the binary is downloadable by anyone. I hexdumped the wasm and found the flag in plaintext (the strings utility would find it just as easily).
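To show why the hexdump works, here is an added example that is not part of the original writeup: a small Python walker over the WebAssembly binary format that lists the printable strings held in the module's data segments, which is where string constants such as a password or flag compiled into the binary end up. The module it scans is constructed inline and the string bcactf{constructed_example} is a placeholder, not the challenge's real flag; the parser itself follows the public wasm section layout (8-byte header, then id + LEB128 size + payload per section, data section id 11).

```python
"""Added example (not the writeup's code): list printable strings in the data
segments of a WebAssembly module, the same information a hexdump exposes."""
import re
from typing import Iterator, List, Tuple

WASM_MAGIC = b"\x00asm"
DATA_SECTION_ID = 11


def read_uleb128(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode an unsigned LEB128 integer at pos; return (value, position after it)."""
    result, shift = 0, 0
    while True:
        byte = buf[pos]
        pos += 1
        result |= (byte & 0x7F) << shift
        if byte & 0x80 == 0:
            return result, pos
        shift += 7


def encode_uleb128(value: int) -> bytes:
    """Encode a non-negative integer as unsigned LEB128 (used to build the sample)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def iter_sections(module: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (section id, payload) for every section after the 8-byte header."""
    if module[:4] != WASM_MAGIC:
        raise ValueError("not a wasm module")
    pos = 8  # skip magic and version
    while pos < len(module):
        section_id = module[pos]
        size, pos = read_uleb128(module, pos + 1)
        yield section_id, module[pos:pos + size]
        pos += size


def skip_const_expr(payload: bytes, pos: int) -> int:
    """Skip a segment offset expression, which ends with the 'end' opcode 0x0b."""
    while payload[pos] != 0x0B:
        pos += 1
    return pos + 1


def data_segments(module: bytes) -> List[bytes]:
    """Return the raw bytes of every data segment in the module."""
    segments = []
    for section_id, payload in iter_sections(module):
        if section_id != DATA_SECTION_ID:
            continue
        count, pos = read_uleb128(payload, 0)
        for _ in range(count):
            flag, pos = read_uleb128(payload, pos)
            if flag == 2:              # active segment with an explicit memory index
                _, pos = read_uleb128(payload, pos)
            if flag in (0, 2):         # active segments carry an offset expression
                pos = skip_const_expr(payload, pos)
            length, pos = read_uleb128(payload, pos)
            segments.append(payload[pos:pos + length])
            pos += length
    return segments


def printable_strings(module: bytes, min_len: int = 4) -> List[str]:
    """Like the strings utility, but restricted to the module's data segments."""
    found = []
    for seg in data_segments(module):
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, seg):
            found.append(m.group().decode("ascii"))
    return found


def build_sample_module(secret: bytes) -> bytes:
    """Construct a tiny module: one memory page plus one active data segment at offset 0."""
    def section(sid: int, body: bytes) -> bytes:
        return bytes([sid]) + encode_uleb128(len(body)) + body
    memory = section(5, b"\x01\x00\x01")                       # one memory, limits {min: 1}
    segment = b"\x00" + b"\x41\x00\x0b" + encode_uleb128(len(secret)) + secret  # i32.const 0; end
    data = section(DATA_SECTION_ID, b"\x01" + segment)
    return WASM_MAGIC + b"\x01\x00\x00\x00" + memory + data


# Constructed sample: the strings a compiled password checker typically embeds (placeholder flag).
SAMPLE_MODULE = build_sample_module(b"Wrong password\x00bcactf{constructed_example}\x00")

if __name__ == "__main__":
    for s in printable_strings(SAMPLE_MODULE):
        print(s)
```

Run against a downloaded code.wasm by reading the file into bytes and passing it to printable_strings; anything that shows up there is visible to every visitor, which is the defender's takeaway: a secret compared client-side, whether in JS or in WebAssembly, is not a secret.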

For completeness: when the user enters WASMP4S5W0RD, the response paragraph below the input is updated to read Response: bcactf{w4sm-m4g1c-xRz5}

Flag: bcactf{w4sm-m4g1c-xRz5}

Original writeup (https://eb-h.github.io/bcactf-2021/#wasm-protected-site-1).