Hack.lu 2011 CTF Write-up: Hidden Challenge

There is no description available… but: find the key

No information was given about this challenge, but we immediatly found it inside the scoreboard javascript, scoreboard-1.1.js.

Here is the pertinent js code:

The key is provided by typing the keyboard. The array challenge is XORed with the key, and the resulting string is assigned to the variable decrypted. After that, an eval(decrypted) is executed.

Now it’s a matter of finding the right key: there are two ways of doing so.

Decypt the ciphertext

Being some js code, the value of decrypted may start with alert(. If our assumption turns out to be true, finding more than half of the key is just a matter of performing a XOR between alert( and the first 6 chars of the ciphertext. To do so, we use the following code:

This script yields the following results:

That makes a lot of sense. We just need to complete the missing part of the guessed plaintext “alert(****grats!” in order to get the whole key: there are only 4 reasonable substitutions:

  • alert(“Con
  • alert(“con
  • alert(‘Con
  • alert(‘con

We try these 4 strings until we get a perfect decryption for the entire ciphertext and finally:


Use the konami hint

During the CTF we didn’t really care about the comment // konami inside scoreboard-1.1.js, but it would have saved us some time.

Googling “konami” we get:

“Konami code” looks interesting because the first result is the wikipedia entry for Konami Code. Now, guess what the combination

is? Yes, the key 😛

Typing shows:


Author: Marco Squarcina

Computer Science student and an Open Source enthusiast. My main interests are computer security (especially mandatory access control systems), Linux systems administrations and audio applications.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.