diff options
| author | Aria <me@aria.rip> | 2023-10-01 17:23:09 +0100 |
|---|---|---|
| committer | Aria <me@aria.rip> | 2023-10-01 17:23:09 +0100 |
| commit | b5b9cf7a1f61d004d7d53584d029c19302c63ba0 (patch) | |
| tree | 49c3022dccf669f9f2b905ddfbd2d16db2d10d84 /punkctf/jenkins_02.md | |
initial commit
Diffstat (limited to 'punkctf/jenkins_02.md')
| -rw-r--r-- | punkctf/jenkins_02.md | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/punkctf/jenkins_02.md b/punkctf/jenkins_02.md new file mode 100644 index 0000000..f4270ad --- /dev/null +++ b/punkctf/jenkins_02.md @@ -0,0 +1,27 @@ + +We can no longer edit the pipeline directly, but we can add stuff to `webpack.config.js` which is executed as a normal JS file, so we can access `$FLAG` with `process.env.flag` + +The flag is filtered out again, I went probably overkill and copied a ROT13 function to obscure it: + +```js +function cipherRot13(str) { + str = str.toUpperCase(); + return str.replace(/[A-Z]/g, rot13); + + function rot13(correspondance) { + const charCode = correspondance.charCodeAt(); + //A = 65, Z = 90 + return String.fromCharCode( + ((charCode + 13) <= 90) ? charCode + 13 + : (charCode + 13) % 90 + 64 + ); + + } +} + +console.log(cipherRot13(process.env.FLAG)) + +// rest of webpack.config.js +``` + +Reversing the ROT13, we get `punk_{7KN3O181O6W1A6XS}`. |