WiCYS CyberStart (Tokyo) Challenge 2
NOTE: There is a Gitbooks version of the same challenge walkthrough written by me. You can go ahead and check it out!
Briefing L02 C02
Spinlock
A large bank has refitted all of their vaults with the new SpinLock Extreme. As fancy as it sounds we believe it has a rather critical vulnerability, one we think the Yakoottees have been exploiting in a series of recent bank robberies.
The physical vault itself requires a special keycard to be inserted which, after checking the authenticity of the card, re-aligns the circular locking mechanism to unlock it and updates the interface to show it’s unlocked. However, we believe that the organisation has been remote accessing the interface on the vault, and unlocking the vault by doing it in reverse: getting the interface to unlock, which unlocks the physical vault itself. If we can confirm the method, we’ll be one step closer to understanding how this cyber gang operates!
Tip: Unlock the vault to get the flag.
Proceeding to challenge 2, we are met with this awesome-looking spinlock
What we can see is the circulating halo around the horizontal bar. Our objective is to make the red circle reach the middle of the halo.
I was pretty confused and stumped on how to proceed.
Having a look at the source code, we can see some Javascript code here
Admittedly, I was not able to progress from this challenge on my own, so took help from this online forum
The solution to crack the lock
What you need to do is to Right Click ->‘Inspect Element’ and then go to the Console
Type in these commands
turnCircle(“one”, -4)
turnCircle(“two”, -4)
turnCircle(“three”, -4)
What are we doing here?
This challenge contains a few bad practices which make the “Spinlock Extreme” bank vault not a secure solution and so vulnerable.
It contains unobfuscated and even well commented JavaScript, easily found in the source of the webpage. A hacker can easily find, read and use this function, which is likely what the Yakoottees found and so made use of. Even worse, being a client side only security solution for authorisation tends to be a bad practice, as code can be tampered with (as is happening here), to bypass security logic; server side authotisation should be made of and it isn’t here.
So to sum up the vulnerabilites — unobfuscated, easily found and understandable JavaScript, used for security logic with no server side component.
Trying to invoke the turnCircle function, we are trying to unlock the spinlock, aided with the degree measurement.
Flag Capture
Doing so will unlock the spinlock and we will get our flag
Flag — GQAfbpYwacpgqPrI9KXa
We have 800 points racked up on the leaderboard. Onward ahoy to the next challenge!