captcha - Square CTF2018

https://gyazo.com/5f41cc745bf806b348822d4e4de7f9bd

恐らく、与えられた数式を解いて答えを送信するだけ

でも、テキストをコピーしてみると

mmmmW N mK Q mRE Q XOOO Q xO z mb z mmL N mb N bOO N mmX z bO Q REOOOO N mmmmX z KO N mW N mW N ZOOO N mx N ZOO Q mmmW z mmZ N mx z ZOO Q mmX N bO Q mW z ZOOOO N mmx N mmRE z LO N ROO N WOO z mmmmmmX Q LO z lO N RO z mmmL z ZO Q mRE z bOO z lOO Q mX z mW N KOOO Q mmR N mmW N lO N xOO N mx N LOOOOOO

どうなっているかを調べてみる

フォントがBase64形式で配られていた

3秒くらいで別のフォントに変わってしまう

文字の形は毎回変わらないっぽい

Base64からsvgを抜き出して調べてみる

対応する文字は毎回変わるけど、svgのデータ自体は変わっていないっぽい

Base64のフォントを解析して、svgのデータから対応付けた

foliojs/fontkit: An advanced font engine for Node and the browser

code:js

const fs = require('fs')

const puppeteer = require('puppeteer')

const fontkit = require('fontkit')

const dict = {

'': ' ',

'M15656Q94': '0',

'M31135Q311': '1',

'M48762Q497': '2',

'M520293Q548': '3',

'M567272Q576': '4',

'M10960Q52': '5',

'M438379Q491': '6',

'M510339Q510': '7',

'M524348Q569': '8',

'M438651Q498': '9',

'M488335Q495': '+',

'M76312Q76': '-',

'M444172Q444': '*',

'M239-127Q234': '(',

'M61-119Q50': ')'

}

const solve = async () => {

const browser = await puppeteer.launch()

const page = await browser.newPage()

await page.goto('https://hidden-island-93990.squarectf.com/ea6c95c6d0ff24545cad')

let formula = await page.evaluate(() => document.querySelector('p').textContent)

const encoded = await page.evaluate(() => document.querySelector('style').textContent.slice(103, -78))

await fs.writeFileSync(./font.ttf, Buffer.from(encoded, 'base64'), 'binary')

const font = await fontkit.openSync('font.ttf')

const text = Array.from(new Set(formula)).join('')

const layout = font.layout(text)

for (let i = 0; i < text.length; i++) {

const svg = layout.glyphsi.path.toSVG().split(' ', 2).join('')

formula = formula.replace(new RegExp(texti, 'g'), dictsvg)

}

const answer = eval(formula) + ''

await page.type('inputname="answer"', answer)

await page.click('inputtype="submit"')

await page.waitForNavigation()

console.log(await page.evaluate(() => document.body.innerText))

await page.screenshot({ path: 'flag.png' })

await browser.close()

}

solve()

https://gyazo.com/73a4c3b1c441a369c8f3328f746678d6

If you can see this then you have solved the CAPTCHA.

If you have solved the CAPTCHA then you are a Charvise.

If you are a Charvise then you are welcome on Charvis.

If you are welcome on Charvis then:

You can disable this system using flag-a76013167fd4c04e3134

You should be given useful information.

If you should be given useful information then this informs you that there are two layers of defense left, and the last one is trivial.

#Square_CTF2018