Bookmarklet (picoCTF 14)

Challenge Author: Jeffery John

Difficulty: Easy

Description

Why search for the flag when I can make a bookmarklet to print it for me?

Process / Notes

  1. Follow the link to the HTTP site
  2. There’s a JavaScript function with an encrypted flag
  3. Viewing the page source
  4. There’s a line that looks like it responds to copying the code to one’s clipboard
  5. Tried moving the JavaScript line into the <script></script> section and that didn’t seem to work
  6. At 15 minutes, checking how to do this
  7. It looks like you paste the JavaScript into the “console” part of the Inspector! It seems I was close but interacting with the wrong area
  8. Warning about running JavaScript you don’t understand: running malicious code here could be a massive security risk, but we trust this source
  9. The flag popped up once the code was run in the console

18 minutes 11 seconds to complete

Hints

  1. A bookmarklet is a bookmark that runs JavaScript instead of loading a webpage
  2. What happens when you click the bookmarklet?
  3. Web browsers have other ways to run JavaScript too

Core Lessons

  1. Understanding what a “bookmarklet” is
  2. Knowing how to run JavaScript in the Page Inspector’s Console
  3. Understanding exactly what a script is doing so you don’t run malicious code
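
Core lesson 3 in practice, as an added example that is not part of the original write-up or the challenge: a Node.js helper that decodes a `javascript:` bookmarklet into readable statements and flags calls worth a closer look, without executing anything. The function names, the `RISKY` pattern list and both sample bookmarklets are constructed for illustration.

```javascript
// Added example: read a bookmarklet without running it. RISKY is illustrative, not complete.
const RISKY = [
  [/\beval\s*\(/, "eval: runs a string as code"],
  [/\bFunction\s*\(/, "Function: builds code from a string"],
  [/\bdocument\.cookie\b/, "document.cookie: touches session cookies"],
  [/\bfetch\s*\(|\bXMLHttpRequest\b|\bsendBeacon\s*\(/, "network request"],
  [/\b(atob|unescape)\s*\(/, "encoded payload: decode it before trusting it"],
  [/\.(innerHTML|outerHTML)\s*=|document\.write\s*\(/, "DOM write"],
];

// Strip the javascript: scheme and undo percent-encoding.
function decodeBookmarklet(uri) {
  const m = /^\s*javascript:/i.exec(uri);
  if (!m) throw new Error("not a javascript: URI");
  const body = uri.slice(m[0].length);
  try { return decodeURIComponent(body).trim(); }
  catch (_) { return body.trim(); } // malformed %-sequence: keep raw text
}

// Split into statements for reading. Quotes are respected and ';' inside parentheses
// (for-loop headers) does not split. Regex literals are not parsed: a reading aid only.
function splitStatements(src) {
  const out = [], saved = [];
  let cur = "", quote = null, paren = 0;
  const flush = () => { if (cur.trim()) out.push(cur.trim()); cur = ""; };
  for (let i = 0; i < src.length; i++) {
    const ch = src[i];
    cur += ch;
    if (quote) {
      if (ch === "\\") cur += src[++i] ?? "";   // keep escaped character
      else if (ch === quote) quote = null;
    } else if (ch === '"' || ch === "'" || ch === "`") quote = ch;
    else if (ch === "(" || ch === ")") paren += ch === "(" ? 1 : -1;
    else if (ch === "{") { saved.push(paren); paren = 0; flush(); }
    else if (ch === "}") { paren = saved.pop() ?? 0; flush(); }
    else if (ch === ";" && paren === 0) flush();
  }
  flush();
  return out;
}

function reviewBookmarklet(uri) {
  const source = decodeBookmarklet(uri);
  const findings = RISKY.filter(([re]) => re.test(source)).map(([, why]) => why);
  return { source, statements: splitStatements(source), findings };
}

// Constructed samples (not the challenge's code).
const PLAIN = 'javascript:(function(){var%20s%3D"a;b";for(var%20i=0;i<2;i++){s+=i;}alert(s);})();';
const ENCODED = "javascript:eval(atob('YWxlcnQoMSk='))";
```

An empty `findings` list only means none of the listed patterns matched; the statements still need to be read before the code goes into the console.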