Spot the Difference: File Obfuscation
The BroncoCTF 'Spot the Difference' challenge presented participants with two text files, file1.txt and file2.txt. At first glance, these files appear identical, each containing a long, seemingly random sequence of characters, digits, and symbols, with one character per line. The core of the challenge was a hint: one file had been "updated" to smuggle a message within its content.
Initial reconnaissance involved comparing the files directly. A common technique for this is using the paste command to align the files line by line, followed by nl (number lines) to easily identify discrepancies. This method quickly revealed that while most lines were identical, a small number differed. The challenge then became identifying these differing lines and determining how they encoded the hidden message.
The method for finding the differences is straightforward. By piping the output of paste file1.txt file2.txt to nl, one can visually scan the output or pipe it further into tools like grep or awk to isolate the lines where the characters in the two columns do not match. The challenge implies that these differing characters, or the lines they appear on, form the basis of the smuggled message. The exact nature of the message and its encoding would depend on the specific characters or line numbers that were altered.
Unblur Me: Web Quiz Automation
The 'Unblur Me' challenge at BroncoCTF involved a web page hosted at https://broncoctf-unblur-me.chals.io/. This page presented a "Calculus Review" quiz with the stated goal of solving 500 derivative problems consecutively. The interface showed a progress counter, starting at 0 out of 500. A blurred image was visible, and the promise was that successfully completing the quiz would unblur this image, revealing a secret.
The critical aspect of this challenge is the mechanism by which the image is unblurred. The description indicated that solving 500 derivatives correctly in a row would trigger JavaScript to remove a CSS blur() filter applied to the image. The immediate suspicion for any CTF participant is whether this gate is truly enforced server-side or if it's a client-side check. Legitimate completion would be a tedious and error-prone task, making it highly probable that an automated or bypass method is intended.
Reconnaissance typically begins with fetching the page source using tools like curl. Analyzing the HTML, CSS, and JavaScript would reveal how the quiz is presented and how the progress is tracked. In this case, the challenge description explicitly mentions that getting a single answer wrong resets the counter to 0. This reinforces the idea that the difficulty lies in the tediousness of the task rather than the complexity of the calculus problems themselves.
The core of bypassing such a challenge often involves identifying if the derivative generation and validation logic resides entirely within the browser's JavaScript. If it does, an attacker could potentially manipulate the JavaScript execution, directly set the progress counter to 500, or automate the submission process. This could involve using browser automation tools like Selenium or Puppeteer, or by directly interacting with the JavaScript functions responsible for generating problems and checking answers. The goal is to bypass the client-side gatekeeper and trigger the unblurring mechanism without performing the 500 required actions manually.
The actual solution likely involves inspecting the page's JavaScript code to find the functions responsible for generating derivative problems and validating answers. Once these functions are identified, one could either automate calls to the validation function with correct answers or directly manipulate the state variable tracking the user's progress. The challenge highlights the common CTF trope of client-side validation being a weak point, encouraging participants to look beyond the obvious user interface and into the underlying code.
