Web/Fu - BuckEyeCTF 2024

A writeup for the "fu" challenge in the web category of BuckEyeCTF 2024.

Overview:

This is a writeup for the BuckEyeCTF 2024 web challenge "fu," hosted by Ohio State University's Cyber Security Club.

The challenge is straightforward—we simply need to view the website's source code.

However, the site blocks common methods of accessing the source code (Ctrl+U, Ctrl+Shift+I, and right-clicking) by using a library called disable-devtool-auto.

<script
  disable-devtool-auto
  src="https://cdn.jsdelivr.net/npm/disable-devtool">
</script>
  • It detects when developer tools are opened using the ondevtoolopen event

  • It disables the right-click context menu by default, preventing "Inspect Element"

  • It uses a timer to periodically check if dev tools have been opened and closes them

  • It can detect common third-party debugging libraries like eruda and vconsole

I used two methods to bypass this restriction.

Wget:

One method is using wget to download the page and view it offline:

wget https://fu.challs.pwnoh.io/
--2024-09-29 00:42:11--  https://fu.challs.pwnoh.io/
Resolving fu.challs.pwnoh.io (fu.challs.pwnoh.io)... 3.13.113.230
Connecting to fu.challs.pwnoh.io (fu.challs.pwnoh.io)|3.13.113.230|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2571 (2.5K) [text/html]
Saving to: 'index.html.1'

index.html.1        100%[================]   2.51K  --.-KB/s    in 0s      

2024-09-29 00:42:12 (13.5 MB/s) - 'index.html.1' saved [2571/2571] 

Next, use any text editor of your choice. I used mousepad:

mousepad index.html

Finally, scroll down to line 76 or search for "bctf{" to find the flag.
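
The search can also be scripted against the saved file. The following is an added example, not part of the original writeup: it reports whether a saved page loads disable-devtool and whether flag-shaped strings are still present in the markup the server sends. The sample page, its placeholder flag and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original writeup). Function names are hypothetical.

# Write a constructed sample page; the flag value is a placeholder.
make_sample() {
  cat > "$1" <<'EOF'
<html>
<head>
<script
  disable-devtool-auto
  src="https://cdn.jsdelivr.net/npm/disable-devtool">
</script>
</head>
<body>
<p>Nothing to see here.</p>
<!-- bctf{constructed_placeholder} -->
</body>
</html>
EOF
}

# Print "line:src" for every script source that loads disable-devtool.
find_devtool_blockers() {
  grep -n -o -E 'src="[^"]*disable-devtool[^"]*"' "$1"
}

# Print "line:match" for every flag-shaped string in the file.
find_flags() {
  grep -n -o -E 'bctf[{][^}]*[}]' "$1"
}

# Return 0 when the page loads the blocker and still ships a secret in its
# markup, i.e. the blocker hides nothing from a client that is not a browser.
audit_page() {
  blockers=$(find_devtool_blockers "$1") || blockers=""
  flags=$(find_flags "$1") || flags=""
  if [ -n "$blockers" ]; then echo "blocker: $blockers"; fi
  if [ -n "$flags" ]; then echo "secret in markup: $flags"; fi
  [ -n "$blockers" ] && [ -n "$flags" ]
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
audit_page "$sample"
rm -f "$sample"
```
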


Firefox Method:

Alternatively, you can use Firefox's built-in tool to view the source code.

In Firefox, click the three-line menu icon, then select "More tools" > "Page Source".


Then click on "Page Source".


Then simply search for "bctf{" or navigate to line 76.


Alternatively, for a fancier approach, you can use Burp Suite's proxy to intercept the request and examine the source code in the response for the flag.
