# Web/Fu - BuckEyeCTF 2024

### Overview:

This is a writeup for the BuckEyeCTF 2024 web challenge "fu," hosted by Ohio State University's Cyber Security Club.

The challenge is straightforward—we simply need to view the website's source code.

However, the site blocks common methods of accessing the source code (Ctrl+U, Ctrl+Shift+I, and right-clicking) by using a library called disable-devtool-auto.

```html
<script 
  disable-devtool-auto
  src="<https://cdn.jsdelivr.net/npm/disable-devtool>">
</script>
```

* It detects when developer tools are opened using the `ondevtoolopen` event
* It disables the right-click context menu by default, preventing "Inspect Element"
* It uses a timer to periodically check if dev tools have been opened and closes them
* It can detect common third-party debugging libraries like eruda and vconsole

I used two methods to bypass this restriction.

### Wget:

One method is using wget to download the page and view it offline:

```html
wget <https://fu.challs.pwnoh.io/>
--2024-09-29 00:42:11--  <https://fu.challs.pwnoh.io/>
Resolving fu.challs.pwnoh.io (fu.challs.pwnoh.io)... 3.13.113.230
Connecting to fu.challs.pwnoh.io (fu.challs.pwnoh.io)|3.13.113.230|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2571 (2.5K) [text/html]
Saving to: 'index.html.1'

index.html.1        100%[================]   2.51K  --.-KB/s    in 0s      

2024-09-29 00:42:12 (13.5 MB/s) - 'index.html.1' saved [2571/2571] 
```

Next, use any text editor of your choice. I used mousepad:

```html
mousepad index.html
```

Finally, scroll down to line 76 or search for "bctf{" to find the flag.

![image.png](/files/a75J8THsdfDUh0Ygv2E0)

### Firefox Method:

Alternatively, you can use Firefox's built-in tool to view the source code.

In Firefox, click the three-line menu icon, then select "More tools" > "Page Source".

![image.png](/files/25l4kDYV5QgVaAEYyYjG)

Then Click on page source.

![image.png](/files/2vw7YMd2vreAhHphyHsd)

Then simply search for "bctf{" or navigate to line 76.

![image.png](/files/M5jZoEJUZgpGxdKy5pPq)

Alternatively, for a more fancy approach, you can use Burp Suite's proxy to intercept the request and examine the source code for the flag.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://khizar.gitbook.io/blog/web-fu-buckeyectf-2024.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.