Juniors CTF 2016 :: Six Strange Tales
If you would like to support me, please like, comment & subscribe, and check me out on Patreon: https://patreon.com/johnhammond010
E-mail: johnhammond010@gmail.com
PayPal: http://paypal.me/johnhammond010
GitHub: https://github.com/JohnHammond
Site: http://www.johnhammond.org
Twitter: https://twitter.com/_johnhammond
What You'll Learn
Solves Junior's CTF 2016 challenges
Full Transcript
Hey, what's going on everybody, my name is John Hammond, welcome back to another YouTube video, still showing off the Juniors CTF which was going on this past weekend. In this video I want to show off that Six Strange Tales web challenge. It was worth 500 points initially, and all of them keep fluctuating because of how they're keeping track of the scores. A lot of the CTF is based off of the Gravity Falls show, as I think just a pun or a joke for that, I don't know, that's just what they tried to theme the CTF off of.

So regardless, I'm showing it off. The challenge prompt here is no real prompt, just some weird cryptic messages, but it says "Grunkle Stan, what's the secret of the six-fingered hand", which I guess is the Grunkle Stan character, he has six fingers. "Can you see these codes when the six-fingered hand touches them, when the Gravity Falls gets opens? How should we read the secret, left to right, right to left, maybe upside down", blah blah blah. So this is what we are presented, and it's not an image, or at least we can't click on it or like view anything. Can I view image? Okay cool, I can view image, sweet. Oh God, I closed the page, my bad, little Control-W, doing a little preemptive stuff with the Control-W. Let's get back to it. Access token. All right, now we're back in action, sorry about that hiccup, didn't mean to hit Control-W there, I thought it created a new tab for me.

So this is it, and how do we read this, from left to right or right to left? This all looks like a bunch of text, it doesn't look like a cipher, it doesn't look like any base64 things or anything, and obviously it's kind of hard for us to copy and paste it anyway because it's an image. However, this is again a web challenge, so I wanted to view the source of this web page, and: challenge prompts, "flag here", which is apparently some red herring, which pissed me off because I like submitted this, I submitted it with quotes, I submitted it as "flag equals" and all this and that. Again, was not the flag. You could keep submitting this like until the cows come home but it didn't do anything, and we all yelled at it on the Telegram, like the IRC channel that they set up for it, and it just was bad.

Okay, I see this JavaScript here though, and this JavaScript is what piques your interest, because this image that they take the source of is the image that is displayed, right? That's that. Oh, I can actually control you. So it draws this and loads it, and I noticed this test here: if my user agent is "Gravity Falls". And I tried to set this up, I tried to just copy that user agent, and then I open up Tamper Data to try and view this page again. So I would start the tamper, get my thing here, and I'd go and change my user agent to "Gravity Falls", hit okay. I do it for all the other following ones, just because I wanted to make sure that it would actually go through even with like Google's weird things, so I tamper through all of those Google fonts and stuff that they needed to grab. But there's no change in the image when I thought there should have been, considering it's supposed to replace what I'm assuming is the color to like one five, like it's replacing all these zeros with a 1.5 Jazz.

So regardless, that didn't really work for me. So what I ended up doing was I actually just copied this script and recreated it. Actually, yeah, I'll take the whole canvas because that's really what we need here, and I'll fire up Sublime Text, bring this down, and what I did is I had created a Juniors, yeah, recreation.html, and Firefox recreation. Once we viewed this I pretty much got the image again, so I recreated it. Okay, now I can actually remove that JavaScript line to test if my user agent is "Gravity Falls", refresh the page now, okay, so now it does it. So I just kind of forced JavaScript hey completely to regard that conditional. For some reason it wasn't working when I tried to change the user agent, so whatever, let's just skip it.

I'll bring this down, back, sorry. Now I have these strings here, and I have six strings, one two three four five six, and I'm assuming this is our flag, really really hoping so. What I did is I concatenated them, I tried them with spaces, I tried them without spaces. I thought it was a joke in that "how should we read these, from left to right or right to left". I tried all six of them from right to left, I tried all the characters reversed, reversed from right to left, and then I tried it upside down, you know, like maybe reading vertically, this thing starting first and then this and then this and then this, and flipping that, like reverse again with reversed characters and all of that stuff.

The fault that I had was, because this was an image, when I'm hand typing them all out I literally just tried to translate it. I'll showcase what I have here, what's it called, it was called six fingered hands, right? Yeah, I had these pieces, but my O was a zero because I had to type it by hand. I had the wrong like hand translation, which was stupid and dumb, and I was really really pissed off that it took literally forever to get that, but that was the problem. All you had to do was remove the spaces and it's in the correct order already, but because you had to like hand copy it, you couldn't type this out unless, I mean, you could try and do this with Tesseract to automate it. Again, it would have issues, and there's already so much other that's visible here because of all these other like grayed-out things. It was just really hard and dumb, and obviously I'm still salty about it, but that ended up being the flag. You would submit that, and 500, 400 points, point whatever the case may be.

However, it was very cryptic and, you know, a little bit of a strange challenge from the Six Strange Tales. So that's it though, I wanted to show it off to you guys, that was the solution. What I did was just taking out that conditional in the JavaScript, getting it to actually highlight these things for me, and then making sure I had the correct zeros and O's and all the numbers, the actual translation correct, and removing the spaces, and they're concatenated, that is our flag. Again, no flag format, so you know. All right, thanks for watching guys, hope you enjoyed this one, and I'll be showing off some of the other challenges as we move along here, the Lost Code, so, cool. See you in the next video.
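Added example, not code from the video or from the challenge: a constructed stand-in for a canvas script that only reveals text when `navigator.userAgent` matches, run under a stub canvas in Node. It shows why such a client-side gate conceals nothing: the strings can be read straight from the source or by dropping the conditional, and a tool that rewrites the outgoing `User-Agent` request header does not change the value the page script reads. The script shape, the `PART-ONE`/`PART-TWO` strings and all function names are assumptions.

```javascript
// Constructed page script (the real challenge script is not reproduced on this page).
// Hidden lines are drawn with alpha 0 unless the in-page user-agent check passes.
const pageScript = `
var ctx = document.getElementById("tales").getContext("2d");
var ink = "rgba(20,20,20,0)";
if (navigator.userAgent == "Gravity Falls") { ink = "rgba(20,20,20,0.5)"; }
ctx.fillStyle = "rgba(120,120,120,1)"; ctx.fillText("decoy text", 10, 20);
ctx.fillStyle = ink; ctx.fillText("PART-ONE", 10, 40);
ctx.fillStyle = ink; ctx.fillText("PART-TWO", 10, 60);
`;

// Run a script against a stub canvas and return the text drawn with non-zero alpha.
function render(script, userAgent) {
  const drawn = [];
  const ctx = {
    fillStyle: "",
    fillText(text) { drawn.push({ text, style: this.fillStyle }); },
  };
  const document = { getElementById: () => ({ getContext: () => ctx }) };
  // navigator.userAgent is the browser's own value; rewriting the HTTP request
  // header in a proxy or extension changes what the server sees, not this.
  const navigator = { userAgent };
  new Function("document", "navigator", script)(document, navigator);
  return drawn.filter((d) => !/,\s*0\)$/.test(d.style)).map((d) => d.text);
}

// Drop the user-agent conditional so its body always runs (the edit made to the
// local copy in the walkthrough).
function stripGate(script) {
  return script.replace(/if\s*\(\s*navigator\.userAgent[^)]*\)\s*/, "");
}

// Static view: every string literal passed to fillText, without executing anything.
function drawnLiterals(script) {
  return [...script.matchAll(/fillText\("([^"]*)"/g)].map((m) => m[1]);
}

console.log("default UA :", render(pageScript, "Mozilla/5.0"));
console.log("matching UA:", render(pageScript, "Gravity Falls"));
console.log("gate removed:", render(stripGate(pageScript), "Mozilla/5.0"));
console.log("from source:", drawnLiterals(pageScript));
```

Anything a page must keep from a visitor has to be withheld server-side; whatever reaches the browser is readable regardless of the conditionals wrapped around it.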