Project Sekai - ✅-web-pokptcha

POKéPTCHA - 500 points

Category: Web Description: Team Rocket keeps taking down my website! I'm testing out this new type of captcha, but it doesn't seem to be working as expected. None of the choices are valid! Can you solve it for me? Author: umasi, sd NOTE: Flag format is UMDCTF{}, with the correct answer in the brackets. NOTE: Special first blood prize for this challenge! https://pokeptcha.chall.lol/ Files: No files. Tags: No tags.

Sutx pinned a message to this channel. 04/29/2023 10:17 AM

@rubiya wants to collaborate

@Violin wants to collaborate

NOTE: Special first blood prize for this challenge! damn

message.txt

20.16 KB

@sahuang this

11:29

https://pokeptcha.chall.lol/captcha.js

yeah i saw it

11:29

looks like reverse??

maybe

@TheBadGod wants to collaborate

11:30

@zwx风信 wants to collaborate

uses md5

passes the whole file contents to the md5 function, prob checking for modifications

just splits by |, parses ints and then xors by 21?

11:37

Did you solve this? We want to know how. Open a ticket!

lol

POKéPTCHA?

yes, i think so

out.js

6.55 KB

11:41

looks like a vm tbh

so the web part is irrelevant?

i mean this is still web, it's js Kappa

yeah is vm, function pointers are set up, max opcode number is 2 (?)

actually fun vm

how'd you solve js vm, convert to python?

@Legoclones wants to collaborate

sahuang

how'd you solve js vm, convert to python?

still on it

13:08

function(){
    var qIdHpk=stack.pop();
    var j9M=stack.pop();
    j9M.push(qIdHpk)
}

// 4
function(){
    stack.pop()
}

// 5
function(){
    var tJe6k1=stack.pop();
    var ddOS=stack.pop();
    Wqfiqb(ddOS,tJe6k1)
}

// 6
function(){ 
    var PSOb6N=stack.pop();
    stack.push(zDD7Pb(PSOb6N))
}

// 7
function(){
    var jF9F=stack.pop();
    var sA9E=stack.pop();
    stack.push(jF9F-sA9E)
}

// 8
function(){
    stack.push(stack.pop()||stack.pop())
}

// 9
function(){
    stack.push(global)
}

// 10
function(){
    stack.push(null)
}

// 11
function(){
    pc=stack.pop()
}

// 12
function(){
    var OkEsZR=stack.pop();
    var ElaO=stack.pop();
    var bnw2qp=stack.pop();
    stack.push(OkEsZR.apply(ElaO,bnw2qp))
}

// 13
function(){
    stack.push([])
}

// 14
function(){
    var lKj6yX=stack.pop();
    var gkI3Jh=stack.pop();
    var DdxPd2=stack.pop();
    pc=lKj6yX==gkI3Jh?pc:DdxPd2
}

// 15
function(){
    var na6On=stack.pop();
    var bb6=stack.pop();
    stack.push(na6On^bb6)
}

// 16
function(){
    var QtiLR=stack.pop();
    var NZ5hG=stack.pop();
    stack.push(QtiLR%NZ5hG)
}

// 17
function(){
    var CeQp=stack.pop();
    var Bc2P=stack.pop();
    stack.push(CeQp[Bc2P])
}

// 18
function(){
    var agy=stack.pop();
    var X1S=stack.pop();
    stack.push(agy+X1S)
}

// 19
function(){
    var qj27=stack.pop();
    var uzSl=stack.pop();
    stack.push(uzSl>>qj27)
}

// 20
function(){
    var nPqZy=stack.pop();
    var pAtzQ=stack.pop();
    var kWyvR=stack.pop();
    pc=nPqZy!=pAtzQ?kWyvR:pc
}

these are the operations, dunno if the opcodes are correct

13:09

opcodes 0-2 are push, eval, assign

13:09

so im translating to

ops = ["push", "eval", "assign", "append", "pop", "call_Wqfiqb", "weird_thing", "sub", "or", "push_global", "push_null", "goto", "call2", "push_empty_arr", "jne", "xor", "mod", "index", "add", "shr", "je"]

the "call_Wqfiqb", "weird_thing" are probably mem_write and mem_read

i think i just got rc4d

13:48

key = mem[20] = (globalThis || globalThis.window).location.hostname

mem[20] = mem[99].location.hostname + FQgZw.toString(FQgZw, []) + (mem[63].now(mem[63], []) - start_time) / 8
mem[87] = []
mem[87].append(mem[20])
mem[20] = md5(null, mem[87])

(edited)

14:10

TheBadGod

used /ctf solve

✅ Challenge solved.

NICE

Th3_4n5W3R_1s_A_p1gGlyJuFf_S3en_fR0m_480Ve