Challenge - Week 7

https://minside.bouvet.no/bouvet-alle/nyheter/ukas-sikkerhetspost-4-copy

Can you find the hidden message here? The codeword follows the same format as last time: BVT{}

Click Me!

Submit the correct answer via this form, and comment with a suitable GIF or an emoji in the comment field on #bouvet-informerer to take part in the drawing of a 🎁

Solution

Upon clicking the link to the challenge, you are presented with a login page.
The page asks you for credentials, and it also features a nice Bouvet logo.

Whatever you type in, you’ll be greeted with an alert box that tells you “Invalid credentials, try harder!”.

The page source tells us nothing interesting, so let’s inspect the HTTP response…

$ curl -I https://uke-7.bouvet.dev

HTTP/2 200
...
x-not-the-flag: KwWb0hmLzITZjJ2M3YjNzEzYjdzN0M2NmRTZ1IzMyImN3EDNlFzL
x-you-should-think-backwards: dluohs yllaer uoY

… where we actually find two arbitrary headers! What on earth are those?!

The x-not-the-flag header has the value KwWb0hmLzITZjJ2M3YjNzEzYjdzN0M2NmRTZ1IzMyImN3EDNlFzL, which looks like some kind of encoded string. It’s likely a Base64 encoded string, according to the TunnelsUp hash analyzer.
However, trying to decode it as-is gives us garbage (+ٌ݈̄L؍͍Ԍȉ@͔\).

The second arbitrary response header, x-you-should-think-backwards with the value of dluohs yllaer uoY is a major clue.
The header value, reversed, is You really should.
Following the web server’s plea and thinking backwards, that is, reversing the value of the first header, gives LzFlNDE3NmIyMzI1ZTRmN2M0NzdjYzEzNjY3M2JjZTIzLmh0bWwK, which Base64-decodes to /1e4176b2325e4f7c477cc136673bce23.html.
What’s that? A URI?!

Visiting /1e4176b2325e4f7c477cc136673bce23.html only shows us a 404 page.

There’s nothing interesting in the response headers either; in fact, it even gives us an HTTP 404 response. Damn it…

$ curl -I https://uke-7.bouvet.dev/1e4176b2325e4f7c477cc136673bce23.html

HTTP/2 404
date: Tue, 23 Feb 2021 20:27:11 GMT
content-type: text/html
...

Did we reach a dead end?
Turns out, no! While reading the HTML source for the 404 page, we find the flag, reversed.
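The whole chain, from the header dump to the reversed flag, as an added Python example that is not part of the original writeup: it parses a `curl -I` style header block, picks out the non-standard `x-` headers, reverses and Base64-decodes the hint, and finally looks for a backwards `BVT{...}` flag in HTML. The header values are the ones quoted above; the 404 page's markup is not reproduced in the writeup, so `SAMPLE_404_HTML` is a constructed stand-in that simply carries the flag backwards inside a comment.

```python
import base64
import re
from typing import Dict, Optional

# Constructed sample: the relevant part of the `curl -I` output quoted in the
# writeup, with the two custom headers it found.
RAW_HEADERS = """HTTP/2 200
content-type: text/html
x-not-the-flag: KwWb0hmLzITZjJ2M3YjNzEzYjdzN0M2NmRTZ1IzMyImN3EDNlFzL
x-you-should-think-backwards: dluohs yllaer uoY
"""

# Constructed sample: a stand-in for the 404 page's HTML source, carrying the
# flag backwards inside a comment (the real page's markup is not in the writeup).
SAMPLE_404_HTML = """<html><body>
<h1>404 Not Found</h1>
<!-- }!snoitalutargnoC{TVB -->
</body></html>
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw `curl -I` style dump into a lowercase-keyed dict,
    skipping the status line and anything without a colon."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def custom_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Non-standard (x-...) headers are where a challenge author hides hints,
    so they are the first thing worth reading after a header dump."""
    return {k: v for k, v in headers.items() if k.startswith("x-")}


def decode_backwards_base64(value: str) -> str:
    """Reverse the string, then Base64-decode it. validate=True makes a wrong
    guess fail loudly instead of silently producing garbage bytes."""
    reversed_value = value[::-1]
    raw = base64.b64decode(reversed_value, validate=True)
    # The decoded path ends in a newline; strip() drops it.
    return raw.decode("utf-8").strip()


def find_reversed_flag(html: str, prefix: str = "BVT") -> Optional[str]:
    """Look for a flag written backwards, e.g. '}...{TVB', anywhere in the
    markup and return it the right way round, or None if absent."""
    pattern = re.compile(r"\}[^{}]*\{" + re.escape(prefix[::-1]))
    match = pattern.search(html)
    return match.group(0)[::-1] if match else None


if __name__ == "__main__":
    hdrs = custom_headers(parse_headers(RAW_HEADERS))
    print("hint:", hdrs["x-you-should-think-backwards"][::-1])
    print("path:", decode_backwards_base64(hdrs["x-not-the-flag"]))
    print("flag:", find_reversed_flag(SAMPLE_404_HTML))
```

Running it prints the reversed hint (You really should), the decoded path /1e4176b2325e4f7c477cc136673bce23.html and the flag. The un-reversed header happens to be valid Base64 too, which is why decoding it "as-is" yields garbage rather than an error; checking whether the output is printable text is the quicker tell that a transform is still missing.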

The flag

BVT{Congratulations!}