Web/Fu - BuckEyeCTF 2024

A writeup for the BuckEyeCTF 2024's Fu Challenge in the web section.

Overview:

This is a writeup for the BuckEyeCTF 2024 web challenge "fu," hosted by Ohio State University's Cyber Security Club.

The challenge is straightforward—we simply need to view the website's source code.

However, the site blocks common methods of accessing the source code (Ctrl+U, Ctrl+Shift+I, and right-clicking) by using a library called disable-devtool-auto.

<script 
  disable-devtool-auto
  src="<https://cdn.jsdelivr.net/npm/disable-devtool>">
</script>

It detects when developer tools are opened using the ondevtoolopen event
It disables the right-click context menu by default, preventing "Inspect Element"
It uses a timer to periodically check if dev tools have been opened and closes them
It can detect common third-party debugging libraries like eruda and vconsole

I used two methods to bypass this restriction.

Wget:

One method is using wget to download the page and view it offline:

wget <https://fu.challs.pwnoh.io/>
--2024-09-29 00:42:11--  <https://fu.challs.pwnoh.io/>
Resolving fu.challs.pwnoh.io (fu.challs.pwnoh.io)... 3.13.113.230
Connecting to fu.challs.pwnoh.io (fu.challs.pwnoh.io)|3.13.113.230|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2571 (2.5K) [text/html]
Saving to: 'index.html.1'

index.html.1        100%[================]   2.51K  --.-KB/s    in 0s      

2024-09-29 00:42:12 (13.5 MB/s) - 'index.html.1' saved [2571/2571]