Web/Fu - BuckEyeCTF 2024
A writeup for the BuckEyeCTF 2024's Fu Challenge in the web section.
Overview:
This is a writeup for the BuckEyeCTF 2024 web challenge "fu," hosted by Ohio State University's Cyber Security Club.
The challenge is straightforward—we simply need to view the website's source code.
However, the site blocks common methods of accessing the source code (Ctrl+U, Ctrl+Shift+I, and right-clicking) by using a library called disable-devtool-auto.
<script
disable-devtool-auto
src="<https://cdn.jsdelivr.net/npm/disable-devtool>">
</script>It detects when developer tools are opened using the
ondevtoolopeneventIt disables the right-click context menu by default, preventing "Inspect Element"
It uses a timer to periodically check if dev tools have been opened and closes them
It can detect common third-party debugging libraries like eruda and vconsole
I used two methods to bypass this restriction.
Wget:
One method is using wget to download the page and view it offline:
wget <https://fu.challs.pwnoh.io/>
--2024-09-29 00:42:11-- <https://fu.challs.pwnoh.io/>
Resolving fu.challs.pwnoh.io (fu.challs.pwnoh.io)... 3.13.113.230
Connecting to fu.challs.pwnoh.io (fu.challs.pwnoh.io)|3.13.113.230|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2571 (2.5K) [text/html]
Saving to: 'index.html.1'
index.html.1 100%[================] 2.51K --.-KB/s in 0s
2024-09-29 00:42:12 (13.5 MB/s) - 'index.html.1' saved [2571/2571] Next, use any text editor of your choice. I used mousepad:
mousepad index.htmlFinally, scroll down to line 76 or search for "bctf{" to find the flag.
Firefox Method:
Alternatively, you can use Firefox's built-in tool to view the source code.
In Firefox, click the three-line menu icon, then select "More tools" > "Page Source".
Then Click on page source.
Then simply search for "bctf{" or navigate to line 76.
Alternatively, for a more fancy approach, you can use Burp Suite's proxy to intercept the request and examine the source code for the flag.
Last updated