WHY2025 CTF - WHY2025 CTF TIMES, Bonito Blog

Introduction

Writeup for two challenges from WHYCTF 2025. More info about CTF here

WHY2025 CTF TIMES

The app greets us with some popup messages.
We can totally ignore them and start with some basic recon.
In DevTools, I checked the Debugger tab, where I found a file named paywall.min.js.
It turned out to be a heavily obfuscated JavaScript script.

I searched for the keyword flag and found this interesting fragment:

line3 = 'flag{2d582' + _0x24ce68( - 481, - 440, 64, - 187) + '5d2658a14a' + _0x96e7e8( - 12, 110, 17, - 271),

I wanted to copy that line and paste it into the Console tab, executing each resolver _0x24ce68(-481, -440, 64, -187) one by one to reveal the strings. However, it turned out that I could simply paste the whole line3 expression into the console to get the full flag instantly.

My original plan was to check it piece by piece, but the previous method turned out to be faster ;)

_0x24ce68( - 481, - 440, 64, - 187)
"cd42552e76"

Bonus

Link to paywall.min.js
paywall.min.js.zip

Bonito Blog

This time, the app welcomed us with posts added by the challenge authors and other users.
The most interesting post was the admin's post, which contained some hints about restricted pages.

There was also a register option. After registering, we were able to create our own post.
To do this, we needed to open one of the existing posts and click the Create a blog post button.

We can add a post with a basic Title and Content. The next option is Grant editing to user, where we can add any registered user, which was a very useful option.

Our created post was available at /blog/621. I tried granting access to another user; after some actions, I went back to Burp Suite to check the requests sent to the application.

I tried adding another user, pedro, by modifying the request in Repeater.

POST /blog/update/621 HTTP/1.1
Host: bonitoblog.ctf.zone
Cookie: session=eyJ1c2VybmFtZSI6InF3ZXJ0eTEifQ.aJiYoA.5i4_3GVySSYdXXEkbMO0UMU01T8
[...]
postId=621&users=pedro

The request was sent successfully, and now we could see that user in our granted users list. At this point, I knew exactly what to do next: find the postId of the target post containing the flag. I decided to check it using Burp Intruder. I found an interesting post at /blog/1337.

I then sent a modified request like before, but this time changing postId to 1337 and users to my own username.

POST /blog/update/621 HTTP/1.1
Host: bonitoblog.ctf.zone
Cookie: session=eyJ1c2VybmFtZSI6InF3ZXJ0eTEifQ.aJiYoA.5i4_3GVySSYdXXEkbMO0UMU01T8
[...]
postId=1337&users=qwerty1

After this request, I was able to send a simple GET request to /blog/1337 and copy the flag directly.
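
The requests above succeed because the grant update is missing an object-level authorization check. As an added example (not the challenge's source, which this writeup does not show), the Python model below contrasts a handler that trusts the body `postId` with one that binds the target to the URL id and verifies ownership. The function names, the `POSTS` data and the rule that granted editors can read a post are assumptions made for illustration.

```python
# Added example: a model of the grant-update handler, not the challenge's code.
# POSTS and the usernames in it are constructed sample data.
POSTS = {
    621: {"owner": "qwerty1", "editors": set()},
    1337: {"owner": "admin", "editors": set()},
}


class BadRequest(Exception):
    """Would map to HTTP 400."""


class Forbidden(Exception):
    """Would map to HTTP 403."""


def update_vulnerable(posts, session_user, path_id, form):
    # Assumed flaw: the target is taken from the body, path_id is ignored,
    # and session_user is never compared with the post's owner.
    post = posts[int(form["postId"])]
    post["editors"].add(form["users"])
    return post


def update_hardened(posts, session_user, path_id, form):
    # One source of truth for the target: the routed id. A body postId
    # that disagrees with it is rejected instead of silently preferred.
    if form.get("postId", str(path_id)) != str(path_id):
        raise BadRequest("postId does not match the URL")
    post = posts.get(path_id)
    # Object-level authorization: only the owner may change grants.
    # Unknown ids get the same answer as foreign ones.
    if post is None or post["owner"] != session_user:
        raise Forbidden("not the owner of this post")
    post["editors"].add(form["users"])
    return post


def can_read(posts, user, post_id):
    # Assumption: owners and granted editors may read a restricted post.
    post = posts[post_id]
    return user == post["owner"] or user in post["editors"]


if __name__ == "__main__":
    import copy
    body = {"postId": "1337", "users": "qwerty1"}  # the request body from above
    db = copy.deepcopy(POSTS)
    update_vulnerable(db, "qwerty1", 621, body)
    print("vulnerable handler, qwerty1 reads 1337:", can_read(db, "qwerty1", 1337))
```

With the hardened handler, the same body sent to `/blog/update/621` is rejected for the id mismatch, and sending it to `/blog/update/1337` is rejected because the session user does not own that post.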