1. Challenge Information
I made a simple webpage that checks whether the flag is correct... Wait, where are the flag-checking functions?
2. Exploitation
- Inspect the Page:
  - Upon inspecting the webpage, there is an empty (or seemingly empty) JavaScript block.
  - There is also a link to an X post: Link. This post introduces the concept of hiding JavaScript code using the Hangul Filler character (\u3164).
- Invisible Code Concept:
  - The JavaScript code relies on the \u3164 character, an invisible Hangul Filler, to hide the flag-checking logic. Because the filler is a valid identifier character, a run of fillers is a legal JavaScript name that renders as blank space.
  - A with block is used to access properties whose names are sequences of \u3164. The length of each sequence represents the binary value of the ASCII character.
- Proxy and Property Access:
  - A Proxy object intercepts the property accesses within the with block.
  - Every time a property is accessed, the Proxy counts the number of \u3164 characters in the property name. The number of characters corresponds to an ASCII value:
    - For example, if there are 65 \u3164 characters in a sequence, it represents 65 (in decimal) or 01000001 in binary, which corresponds to the letter "A" in ASCII.
- Building JavaScript Code:
  - The Proxy continues to collect these binary values with each property access, gathering bits until a complete JavaScript command is formed.
  - Once enough data is collected, the Proxy evaluates the constructed command using eval().
- Decoding the Data:
  - To view the constructed JavaScript code in the console, type the following:
    f += String.fromCharCode(p[0] << 4 | p[1]);
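The following is an added example, not code from the challenge or the write-up. It shows the whole trick end to end: an encoder that turns a line of JavaScript into filler-only identifiers, a static decoder that recovers the hidden code by counting filler runs without executing anything, and a with/Proxy collector that mirrors the challenge's mechanism but records the run lengths instead of passing the result to eval(). The encoding scheme is an assumption made for this example: each character is split into two 4-bit nibbles (matching the p[0] << 4 | p[1] decode line above), and a nibble n is written as a run of n + 1 fillers because a zero-length identifier is not valid. The sample hidden string is constructed.

```javascript
// Added example (not part of the original write-up): encode, statically decode,
// and runtime-collect JavaScript hidden behind the Hangul Filler (U+3164).
// Assumed scheme: each character of the hidden code is split into two 4-bit
// nibbles (high nibble first, as in p[0] << 4 | p[1]); a nibble n becomes a run
// of (n + 1) fillers, and runs are separated by ';'.
const FILLER = '\u3164'; // HANGUL FILLER: renders as blank, but is a valid identifier start

// Hidden code -> list of nibbles, high nibble before low nibble.
function toNibbles(code) {
  const out = [];
  for (const ch of code) {
    const c = ch.codePointAt(0);
    if (c > 0xff) throw new Error('assumed scheme carries one byte per character');
    out.push(c >> 4, c & 0xf);
  }
  return out;
}

// Nibble list -> hidden code; this is the write-up's
// f += String.fromCharCode(p[0] << 4 | p[1]) applied to every pair.
function fromNibbles(nibbles) {
  let f = '';
  for (let i = 0; i + 1 < nibbles.length; i += 2) {
    f += String.fromCharCode((nibbles[i] << 4) | nibbles[i + 1]);
  }
  return f;
}

// Build the "blank-looking" script body: one filler-only identifier per nibble.
function encodeInvisible(code) {
  return toNibbles(code).map(n => FILLER.repeat(n + 1)).join(';');
}

// Static decode: count the filler runs in the source text. Nothing is executed,
// which is how a sample like this should be triaged first.
function decodeStatic(scriptText) {
  const runs = scriptText.match(/\u3164+/g) || [];
  return fromNibbles(runs.map(r => r.length - 1));
}

// Runtime view of the trick: inside a `with` block every bare identifier is
// looked up on the Proxy, so the get trap sees each filler-run name. Here the
// handler records the run length instead of feeding an eval() as the challenge does.
function collectAtRuntime(scriptText) {
  const values = [];
  const sink = new Proxy({}, {
    has: () => true, // make every identifier resolve to the proxy
    get: (_target, name) => {
      if (typeof name === 'symbol') return undefined; // `with` probes Symbol.unscopables first
      values.push(name.length - 1);
      return undefined;
    },
  });
  // `with` is sloppy-mode only; a Function-constructor body is sloppy by default.
  new Function('sink', 'with (sink) {' + scriptText + '}')(sink);
  return fromNibbles(values);
}

// Constructed sample; not the challenge's actual hidden code.
const SAMPLE_HIDDEN = 'if (input === "flag{constructed}") alert("ok")';

// Round-trip the sample both ways and report what each path recovers.
function demo() {
  const blob = encodeInvisible(SAMPLE_HIDDEN);
  return {
    visibleChars: blob.replace(/\u3164/g, '').length, // only the ';' separators are visible
    staticDecode: decodeStatic(blob),
    runtimeDecode: collectAtRuntime(blob),
  };
}

console.log(demo());
```

When triaging a page that looks blank, prefer decodeStatic: it needs only the script text and never runs the sample, whereas the with/Proxy path (and the challenge's own eval()) executes whatever the filler runs spell out.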
