From 7a30a69eb687fd4582ba75386f26b42a4876921c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20Thibout=C3=B4t?= <simonthiboutot@hotmail.com>
Date: Thu, 10 Sep 2020 13:54:53 -0400
Subject: [PATCH 1/3] Add javascript challenge.

---
 challenges/web/JavaScript/Dockerfile          |   1 +
 challenges/web/JavaScript/README.md           |  18 +++
 challenges/web/JavaScript/docker-compose.yml  |   8 ++
 challenges/web/JavaScript/login-2-source.html | 111 ++++++++++++++++++
 challenges/web/JavaScript/src/index.html      |  41 +++++++
 challenges/web/JavaScript/src/login-1.html    |  81 +++++++++++++
 challenges/web/JavaScript/src/login-2.html    |  66 +++++++++++
 challenges/web/JavaScript/writeup.md          |  55 +++++++++
 8 files changed, 381 insertions(+)
 create mode 100644 challenges/web/JavaScript/Dockerfile
 create mode 100644 challenges/web/JavaScript/README.md
 create mode 100644 challenges/web/JavaScript/docker-compose.yml
 create mode 100644 challenges/web/JavaScript/login-2-source.html
 create mode 100644 challenges/web/JavaScript/src/index.html
 create mode 100644 challenges/web/JavaScript/src/login-1.html
 create mode 100644 challenges/web/JavaScript/src/login-2.html
 create mode 100644 challenges/web/JavaScript/writeup.md

diff --git a/challenges/web/JavaScript/Dockerfile b/challenges/web/JavaScript/Dockerfile
new file mode 100644
index 0000000..2a41af2
--- /dev/null
+++ b/challenges/web/JavaScript/Dockerfile
@@ -0,0 +1 @@
+FROM php:7.4.7-apache
diff --git a/challenges/web/JavaScript/README.md b/challenges/web/JavaScript/README.md
new file mode 100644
index 0000000..d41a405
--- /dev/null
+++ b/challenges/web/JavaScript/README.md
@@ -0,0 +1,18 @@
+# JavaScript
+
+> web
+
+Author: [Simon Thiboutôt (lilc4t)](https://github.com/masterT)
+
+http://127.0.0.1:12001/
+
+## Setup
+
+Requirements:
+- docker
+
+Start:
+
+```shell
+docker-compose up
+```
diff --git a/challenges/web/JavaScript/docker-compose.yml b/challenges/web/JavaScript/docker-compose.yml
new file mode 100644
index 0000000..aa4151c
--- /dev/null
+++ b/challenges/web/JavaScript/docker-compose.yml
@@ -0,0 +1,8 @@
+version: "2"
+services:
+  web:
+    build: .
+    ports:
+     - "12001:80"
+    volumes:
+     - "./src/:/var/www/html"
diff --git a/challenges/web/JavaScript/login-2-source.html b/challenges/web/JavaScript/login-2-source.html
new file mode 100644
index 0000000..71bbc1d
--- /dev/null
+++ b/challenges/web/JavaScript/login-2-source.html
@@ -0,0 +1,111 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css" integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous">
+    <title>Login 2</title>
+    <style>
+      html,
+      body {
+        height: 100%;
+      }
+
+      body {
+        display: -ms-flexbox;
+        display: flex;
+        -ms-flex-align: center;
+        align-items: center;
+        padding-top: 40px;
+        padding-bottom: 40px;
+        background-color: #f5f5f5;
+      }
+
+      .form-signin {
+        width: 100%;
+        max-width: 330px;
+        padding: 15px;
+        margin: auto;
+      }
+      .form-signin .checkbox {
+        font-weight: 400;
+      }
+      .form-signin .form-control {
+        position: relative;
+        box-sizing: border-box;
+        height: auto;
+        padding: 10px;
+        font-size: 16px;
+      }
+      .form-signin .form-control:focus {
+        z-index: 2;
+      }
+      .form-signin input[type="email"] {
+        margin-bottom: -1px;
+        border-bottom-right-radius: 0;
+        border-bottom-left-radius: 0;
+      }
+      .form-signin input[type="password"] {
+        margin-bottom: 10px;
+        border-top-left-radius: 0;
+        border-top-right-radius: 0;
+      }
+    </style>
+    <script>
+      function fuzz (value) {
+        if (value % 2 == 0) {
+          return value + 3;
+        } else {
+          return value - 1;
+        }
+      }
+
+      function keyValueAt(key, index) {
+        var value;
+        var keyIndex = index % key.length;
+        var integer = parseInt(key[keyIndex]);
+        if (integer && !isNaN(integer)) {
+          value = integer;
+        } else {
+          value = key.charCodeAt(keyIndex);
+        }
+        return value;
+      }
+
+      function encrypt (key, plaintext) {
+        var cipher = [];
+        for (let index = 0; index < plaintext.length; index++) {
+          cipher.push(fuzz(plaintext.charCodeAt(index) ^ keyValueAt(key, index)));
+        }
+        return btoa(cipher.join(':'));
+      }
+
+      function login (event) {
+        var key = "2718587a3f";
+        var encryptedFlag = "NzE6NzQ6Njc6Nzg6NDM6NTY6OTY6MjoxMDU6Nzo1MzoxMDU6NTA6NTY6OTg6NTE6OTg6ODM6NDg6OTc6NTU6NTQ6NTY6NjU6MTA1OjEwNDo1MDo4Mzo2MTo4OTo1Mjo2NToxMDE6NjU6NTQ6MTEzOjYyOjM=";
+        var inputEmail = document.getElementById('inputEmail');
+        var inputPassword = document.getElementById('inputPassword');
+        var email = inputEmail.value;
+        var password = inputPassword.value;
+
+        if (email === "admin@local" && password.length === 38 && encryptedFlag === encrypt(key, password)) {
+          alert("Welcome back admin! Here is your flag:\n" + password)
+        } else {
+          alert('Bad credentials!')
+        }
+
+        return false;
+      }
+    </script>
+  </head>
+  <body class="text-center">
+    <form class="form-signin" onsubmit="login()">
+      <h1 class="h3 mb-3 font-weight-normal">Login 2</h1>
+      <label for="inputEmail" class="sr-only">Email address</label>
+      <input type="email" id="inputEmail" class="form-control" placeholder="Email address" required autofocus>
+      <label for="inputPassword" class="sr-only">Password</label>
+      <input type="password" id="inputPassword" class="form-control" placeholder="Password" required>
+      <button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
+    </form>
+  </body>
+</html>
diff --git a/challenges/web/JavaScript/src/index.html b/challenges/web/JavaScript/src/index.html
new file mode 100644
index 0000000..c14cb0e
--- /dev/null
+++ b/challenges/web/JavaScript/src/index.html
@@ -0,0 +1,41 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css" integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous">
+    <title>JavaScript</title>
+    <style>
+      html,
+      body {
+        height: 100%;
+      }
+
+      body {
+        display: -ms-flexbox;
+        display: flex;
+        padding-top: 40px;
+        padding-bottom: 40px;
+        background-color: #f5f5f5;
+      }
+    </style>
+  </head>
+  <body>
+    <div class="container">
+      <div class="row">
+        <div class="col-md-6 offset-md-3">
+          <h1>JavaScript</h1>
+          <h3>Challenges</h3>
+          <ul>
+            <li>
+              <a href="/login-1.html">Login 1</a>
+            </li>
+            <li>
+              <a href="/login-2.html">Login 2</a>
+            </li>
+          </ul>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>
diff --git a/challenges/web/JavaScript/src/login-1.html b/challenges/web/JavaScript/src/login-1.html
new file mode 100644
index 0000000..9e84c4d
--- /dev/null
+++ b/challenges/web/JavaScript/src/login-1.html
@@ -0,0 +1,81 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css" integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous">
+    <title>Login 1</title>
+    <style>
+      html,
+      body {
+        height: 100%;
+      }
+
+      body {
+        display: -ms-flexbox;
+        display: flex;
+        padding-top: 40px;
+        padding-bottom: 40px;
+        background-color: #f5f5f5;
+      }
+
+      .form-signin {
+        width: 100%;
+        max-width: 330px;
+        padding: 15px;
+        margin: auto;
+      }
+      .form-signin .checkbox {
+        font-weight: 400;
+      }
+      .form-signin .form-control {
+        position: relative;
+        box-sizing: border-box;
+        height: auto;
+        padding: 10px;
+        font-size: 16px;
+      }
+      .form-signin .form-control:focus {
+        z-index: 2;
+      }
+      .form-signin input[type="email"] {
+        margin-bottom: -1px;
+        border-bottom-right-radius: 0;
+        border-bottom-left-radius: 0;
+      }
+      .form-signin input[type="password"] {
+        margin-bottom: 10px;
+        border-top-left-radius: 0;
+        border-top-right-radius: 0;
+      }
+    </style>
+    <script>
+      function login (event) {
+        // I changed my password and update the login to make it more secure...
+        var flag = "\x46\x4c\x41\x47\x2d\x65\x37\x65\x62\x66\x62\x62\x39\x64\x63\x66\x35\x63\x66\x62\x36\x30\x61\x65\x31\x62\x62\x35\x39\x64\x34\x30\x66\x37\x36\x39\x35";
+        var email = "\x61\x64\x6d\x69\x6e\x40\x6c\x6f\x63\x61\x6c";
+        var password = "\x50\x40\x61\x73\x73\x77\x30\x72\x64\x21";
+        var inputEmail = document.getElementById('inputEmail');
+        var inputPassword = document.getElementById('inputPassword');
+
+        if (inputEmail.value === email && inputPassword.value === password) {
+          alert("Welcome back admin! Here is your flag:\n" + flag);
+        } else {
+          alert('Bad credentials!');
+        }
+
+        return false;
+      }
+    </script>
+  </head>
+  <body class="text-center">
+    <form class="form-signin" onsubmit="login()">
+      <h1 class="h3 mb-3 font-weight-normal">Login 1</h1>
+      <label for="inputEmail" class="sr-only">Email address</label>
+      <input type="email" id="inputEmail" class="form-control" placeholder="Email address" required autofocus>
+      <label for="inputPassword" class="sr-only">Password</label>
+      <input type="password" id="inputPassword" class="form-control" placeholder="Password" required>
+      <button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
+    </form>
+  </body>
+</html>
diff --git a/challenges/web/JavaScript/src/login-2.html b/challenges/web/JavaScript/src/login-2.html
new file mode 100644
index 0000000..7745a01
--- /dev/null
+++ b/challenges/web/JavaScript/src/login-2.html
@@ -0,0 +1,66 @@
+<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
+    <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css" integrity="sha384-9aIt2nRpC12Uk9gS9baDl411NQApFmC26EwAOH8WgZl5MYYxFfc+NcPb1dKGj7Sk" crossorigin="anonymous">
+    <title>Login 2</title>
+    <style>
+      html,
+      body {
+        height: 100%;
+      }
+
+      body {
+        display: -ms-flexbox;
+        display: flex;
+        padding-top: 40px;
+        padding-bottom: 40px;
+        background-color: #f5f5f5;
+      }
+
+      .form-signin {
+        width: 100%;
+        max-width: 330px;
+        padding: 15px;
+        margin: auto;
+      }
+      .form-signin .checkbox {
+        font-weight: 400;
+      }
+      .form-signin .form-control {
+        position: relative;
+        box-sizing: border-box;
+        height: auto;
+        padding: 10px;
+        font-size: 16px;
+      }
+      .form-signin .form-control:focus {
+        z-index: 2;
+      }
+      .form-signin input[type="email"] {
+        margin-bottom: -1px;
+        border-bottom-right-radius: 0;
+        border-bottom-left-radius: 0;
+      }
+      .form-signin input[type="password"] {
+        margin-bottom: 10px;
+        border-top-left-radius: 0;
+        border-top-right-radius: 0;
+      }
+    </style>
+    <script>
+      var _0x1e26=['Welcome\x20back\x20admin!\x20Here\x20is\x20your\x20flag:\x0a','join','getElementById','charCodeAt','NzE6NzQ6Njc6Nzg6NDM6NTY6OTY6MjoxMDU6Nzo1MzoxMDU6NTA6NTY6OTg6NTE6OTg6ODM6NDg6OTc6NTU6NTQ6NTY6NjU6MTA1OjEwNDo1MDo4Mzo2MTo4OTo1Mjo2NToxMDE6NjU6NTQ6MTEzOjYyOjM=','inputEmail','length','inputPassword','2718587a3f','value'];(function(_0xbea737,_0x1e2661){var _0x319c5c=function(_0x313828){while(--_0x313828){_0xbea737['push'](_0xbea737['shift']());}};_0x319c5c(++_0x1e2661);}(_0x1e26,0x96));var _0x319c=function(_0xbea737,_0x1e2661){_0xbea737=_0xbea737-0x0;var _0x319c5c=_0x1e26[_0xbea737];return _0x319c5c;};function fuzz(_0x313828){return _0x313828%0x2==0x0?_0x313828+0x3:_0x313828-0x1;}function keyValueAt(_0x4fd952,_0x4f0e37){var _0x5e589a,_0x2af50b=_0x4f0e37%_0x4fd952[_0x319c('0x6')],_0x34eaf6=parseInt(_0x4fd952[_0x2af50b]);return _0x34eaf6&&!isNaN(_0x34eaf6)?_0x5e589a=_0x34eaf6:_0x5e589a=_0x4fd952[_0x319c('0x3')](_0x2af50b),_0x5e589a;}function encrypt(_0x15fa35,_0x4af2a1){var _0x3b5991=[];for(let _0x58cdde=0x0;_0x58cdde<_0x4af2a1[_0x319c('0x6')];_0x58cdde++){_0x3b5991['push'](fuzz(_0x4af2a1[_0x319c('0x3')](_0x58cdde)^keyValueAt(_0x15fa35,_0x58cdde)));}return btoa(_0x3b5991[_0x319c('0x1')](':'));}function login(_0x147be8){var _0x5b864b=_0x319c('0x8'),_0x5ab0fa=_0x319c('0x4'),_0x24af74=document[_0x319c('0x2')](_0x319c('0x5')),_0x3fce56=document[_0x319c('0x2')](_0x319c('0x7')),_0xedd078=_0x24af74[_0x319c('0x9')],_0x333440=_0x3fce56[_0x319c('0x9')];return _0xedd078==='admin@local'&&_0x333440[_0x319c('0x6')]===0x26&&_0x5ab0fa===encrypt(_0x5b864b,_0x333440)?alert(_0x319c('0x0')+_0x333440):alert('Bad\x20credentials!'),![];}
+    </script>
+  </head>
+  <body class="text-center">
+    <form class="form-signin" onsubmit="login()">
+      <h1 class="h3 mb-3 font-weight-normal">Login 2</h1>
+      <label for="inputEmail" class="sr-only">Email address</label>
+      <input type="email" id="inputEmail" class="form-control" placeholder="Email address" required autofocus>
+      <label for="inputPassword" class="sr-only">Password</label>
+      <input type="password" id="inputPassword" class="form-control" placeholder="Password" required>
+      <button class="btn btn-lg btn-primary btn-block" type="submit">Login</button>
+    </form>
+  </body>
+</html>
diff --git a/challenges/web/JavaScript/writeup.md b/challenges/web/JavaScript/writeup.md
new file mode 100644
index 0000000..71fef98
--- /dev/null
+++ b/challenges/web/JavaScript/writeup.md
@@ -0,0 +1,55 @@
+# Writeup
+
+## Login 1
+
+- `FLAG-e7ebfbb9dcf5cfb60ae1bb59d40f7695`
+
+Pour voir le drapeau il suffit d'évaluer la chaîne de caractères `"\x46\x4c\x41\x47\x2d\x65\x37\x65\x62\x66\x62\x62\x39\x64\x63\x66\x35\x63\x66\x62\x36\x30\x61\x65\x31\x62\x62\x35\x39\x64\x34\x30\x66\x37\x36\x39\x35"` dans la console du navigateur. 
+
+## Login 2
+
+- `FLAG-1fbeb0a21f8d1286086ca419079c62f8a`
+
+Avant tout il faut comprendre ce que le code JavaScript fait, pour ce faire on indente correctement le script, puis on renomme les fonctions et variables.
+
+Par la suite il faut programmer une solution qui fait l'inverse de la fonction d'encryption.
+
+Voici une solution qui affiche le drapeau dans la console du navigateur, lorsqu'exécutée dans celle-ci.
+
+```js
+var cipher = "NzE6NzQ6Njc6Nzg6NDM6NTY6OTY6MjoxMDU6Nzo1MzoxMDU6NTA6NTY6OTg6NTE6OTg6ODM6NDg6OTc6NTU6NTQ6NTY6NjU6MTA1OjEwNDo1MDo4Mzo2MTo4OTo1Mjo2NToxMDE6NjU6NTQ6MTEzOjYyOjM";
+var key = "2718587a3f";
+
+function keyValueAt(key, index) {
+  var value;
+  var keyIndex = index % key.length;
+  var integer = parseInt(key[keyIndex]);
+  if (integer && !isNaN(integer)) {
+    value = integer;
+  } else {
+    value = key.charCodeAt(keyIndex);
+  }
+  return value;
+}
+
+function decrypt(key, cipherBase64) {
+  var plaintext = '';
+  var cipher = atob(cipherBase64).split(':');
+
+  for (let i = 0; i < cipher.length; i++) {
+    var code = parseInt(cipher[i]);
+    if (code % 2 == 0) {
+      code = code + 1;
+    } else {
+      code = code - 3;
+    }
+    var char = String.fromCharCode(code ^ keyValueAt(key, i));
+    plaintext += char;    
+  }
+
+  return plaintext;
+}
+
+console.log(decrypt(key, cipher));
+```
+

From 8a6df8a18e2e26fbebfc261173e6e270882dfcfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20Thibout=C3=B4t?= <simonthiboutot@hotmail.com>
Date: Thu, 17 Sep 2020 20:40:56 -0400
Subject: [PATCH 2/3] Add a context (kind of) for the javascript challenges.

---
 challenges/web/JavaScript/src/index.html | 1 +
 1 file changed, 1 insertion(+)

diff --git a/challenges/web/JavaScript/src/index.html b/challenges/web/JavaScript/src/index.html
index c14cb0e..9834e86 100644
--- a/challenges/web/JavaScript/src/index.html
+++ b/challenges/web/JavaScript/src/index.html
@@ -25,6 +25,7 @@
       <div class="row">
         <div class="col-md-6 offset-md-3">
           <h1>JavaScript</h1>
+          <p>The browser's programming language, it's good for many things, but it's code while always be accessible.</p>
           <h3>Challenges</h3>
           <ul>
             <li>

From 5fff5f265c5cfbdda3a971a96718c9c401487196 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20Thibout=C3=B4t?= <simonthiboutot@hotmail.com>
Date: Thu, 17 Sep 2020 20:59:05 -0400
Subject: [PATCH 3/3] Change build for image.

---
 challenges/web/JavaScript/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/challenges/web/JavaScript/docker-compose.yml b/challenges/web/JavaScript/docker-compose.yml
index aa4151c..4a7569d 100644
--- a/challenges/web/JavaScript/docker-compose.yml
+++ b/challenges/web/JavaScript/docker-compose.yml
@@ -1,7 +1,7 @@
 version: "2"
 services:
   web:
-    build: .
+    image: php:7.4.7-apache
     ports:
      - "12001:80"
     volumes: