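<!DOCTYPE html>
<html lang="de">
<head>
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <meta name="description" content="">
  <meta name="author" content="">
  <title>CTF Challenges</title>
  <link rel="icon" href="https://challenge.saarland/static/img/favicon.png">
  <link rel="stylesheet" href="https://challenge.saarland/static/css/style.css">
  <link rel="stylesheet" href="https://challenge.saarland/static/css/bootstrap.min.css">
  <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.0/css/all.css" integrity="sha384-lZN37f5QGtY3VHgisS14W3ExzMWZxybE1SJSEsQp9S+oqd12jhcu+A56Ebc1zFSJ" crossorigin="anonymous">
  <style>
    .settings-nav {
      background-color: white;
    }
  </style>
</head>
<body>
  <!-- Site header: legal links and the logo that links back to the start page. -->
  <div class="w-100 mt-4 border-bottom-gradient">
    <div class="container pb-4">
      <div class="row">
        <div class="col-12">
          <nav class="navbar navbar-expand navbar-light">
            <div class="navbar-collapse collapse">
              <ul class="navbar-nav ml-auto">
                <li class="nav-item">
                  <a class="nav-link" href="https://challenge.saarland/static/Datenschutzerkl%C3%A4rung.pdf" target="_blank" rel="noopener">Datenschutzerklärung</a>
                </li>
                <li class="nav-item">
                  <a class="nav-link" href="/impressum">Impressum</a>
                </li>
              </ul>
            </div>
          </nav>
        </div>
        <div class="col-12">
          <a href="/"><img class="w-100 logo" src="https://challenge.saarland/static/img/CISPA_CySec-Lab_online-challenge_header.jpg" alt="logo"></a>
        </div>
      </div>
    </div>
  </div>

  <!-- Status banners. success(), info() and error() below fill them with text and show them for five seconds. -->
  <div class="container" style="margin-top: 5%;">
    <div class="alert alert-success" role="alert" hidden></div>
    <div class="alert alert-info" role="alert" hidden></div>
    <div class="alert alert-danger" role="alert" hidden></div>
  </div>

  <div class="container mt-lg-5 mb-3 mb-lg-2">
    <!-- Explicit https instead of a protocol-relative URL, matching every other link to this host on the page. -->
    <a href="https://challenge.saarland/"><i class="fa fa-arrow-left" aria-hidden="true"></i> Zurück zur Hauptseite</a>
  </div>

  <div class="mobile-img mb-3">
    <img src="https://challenge.saarland/static/img/1247_mA.jpg" class="w-100" alt="">
  </div>

  <div class="main-body bg-grey-white mb-5">
    <div class="container">
      <div class="row">
        <div class="col-12 col-lg-6 bg-grey content-site">
          <div class="pt-4 pb-5">
            <h4 class="challenge-headline">Challenge - Dynamisches Passwort</h4>
            <p class="challenge-description">
              Aus Sicherheitsgründen ist es auf dieser Website nicht möglich, ein eigenes Passwort zu wählen. Nach der Auswahl eines Benutzernamens wird Ihr zufällig generiertes Passwort angezeigt. Leider hat dein Benutzerkonto nicht die erforderlichen Zugriffsrechte, um die geheime Flagge zu sehen. Stan Bock, der Administrator der Website (Benutzername 'stan_bock'), hat jedoch wahrscheinlich diese Zugriffsrechte. Kannst du einen Weg finden, auf sein Konto zuzugreifen?
            </p>

            <ul class="nav nav-pills">
              <li class="nav-item col mr-4" style="padding:0px">
                <a class="settings-nav nav-link active text-center text-uppercase" data-toggle="pill" href="#register">Registrierung</a>
              </li>
              <li class="nav-item col ml-4" style="padding:0px">
                <a class="settings-nav nav-link text-center text-uppercase" data-toggle="pill" href="#login">Login</a>
              </li>
            </ul>

            <div class="tab-content" style="padding-top:15px; padding-bottom:15px;">
              <div class="tab-pane active" id="register">
                <div class="card">
                  <div class="card-header">Registrierung:</div>
                  <div class="card-body">
                    <!-- Submission is handled entirely by register(); the submit event covers both the button and the Enter key, so the button needs no click handler of its own. -->
                    <form onsubmit="return register(event);">
                      <div class="form-group">
                        <label for="reg_username">Username</label>
                        <input type="text" class="form-control" name="username" id="reg_username" placeholder="Username" autocomplete="username">
                        <input type="hidden" name="password" id="reg_password">
                      </div>
                      <input class="card-link btn btn-primary" type="submit" value="Registrieren">
                    </form>
                  </div>
                </div>
              </div>

              <div class="tab-pane" id="login">
                <div class="card">
                  <div class="card-header">Login:</div>
                  <div class="card-body">
                    <!-- Submission is handled entirely by login(). -->
                    <form onsubmit="return login(event);">
                      <div class="form-group">
                        <label for="log_username">Username</label>
                        <input type="text" class="form-control" name="username" id="log_username" placeholder="Username" autocomplete="username">
                      </div>
                      <div class="form-group">
                        <label for="log_password">Passwort</label>
                        <input type="password" class="form-control" name="password" id="log_password" placeholder="Passwort" autocomplete="current-password">
                      </div>
                      <input class="card-link btn btn-primary" type="submit" value="Login">
                    </form>
                  </div>
                </div>
              </div>
            </div>

            <a id="help_btn" href="/challenges/2/source" class="card-link btn btn-info" role="button" target="_blank" rel="noopener" style="float:right">Hilfe</a>
          </div>
        </div>

        <div class="col-12 col-lg-6 bg-white">
          <div class="big-site-image d-md-block d-none">
            <img src="https://challenge.saarland/static/img/1247_corr.png" alt="">
          </div>
          <div class="small-site-image d-md-block d-none">
            <img src="https://challenge.saarland/static/img/building_round_with_border.png" alt="">
          </div>
        </div>
      </div>
    </div>
  </div>

  <!-- Tracking consent banner; the two buttons are presumably wired up by consent.js (not shown on this page). -->
  <div id="tracking_consent_banner" class="tracking_consent_banner card w-100 d-none">
    <div class="container-fluid">
      <div class="row py-2 justify-content-center align-items-center">
        <div class="col-12 my-0 my-lg-3 col-lg-3 text-center">
          Hilf uns unsere Challenges zu verbessern, indem du anonymisiertes Nutzungsverhalten mit uns teilst. ❤️
        </div>
        <div class="col-12 col-lg-3 text-center">
          <div class="btn_grp">
            <button type="button" class="btn btn-secondary mx-1" id="removeBanner">Nein</button>
            <button type="button" class="btn btn-secondary mx-1" id="allowTracking">Ja</button>
          </div>
        </div>
      </div>
    </div>
  </div>

  <div class="bg-image placeholder"></div>

  <div class="d-none d-lg-block alert alert-info" role="alert" style="padding-left: 5%; padding-right: 5%;position: fixed; bottom:-15px; text-align: center; width:100%">
    Informiert euch doch auch über die <a href="https://cysec.uni-saarland.de" target="_blank" rel="noopener noreferrer">Cybersicherheitsstudiengänge</a> an der Universität des Saarlandes.
  </div>
  <div class="d-block d-lg-none alert alert-info alert-dismissible" role="alert" style="padding-left: 5%; padding-right: 5%;position: fixed; bottom:-15px; text-align: center; width:100%">
    Informiert euch doch auch über die <a href="https://cysec.uni-saarland.de" target="_blank" rel="noopener noreferrer">Cybersicherheitsstudiengänge</a> an der Universität des Saarlandes.
    <button type="button" class="close" data-dismiss="alert" aria-label="Close">
      <span aria-hidden="true">×</span>
    </button>
  </div>

  <!-- NOTE(review): the file name pins jQuery 3.2.1; later 3.x releases carry security fixes, so this copy should be updated together with its Bootstrap and Popper companions. -->
  <script src="https://challenge.saarland/static/js/jquery-3.2.1.min.js"></script>
  <script src="https://challenge.saarland/static/js/popper.min.js"></script>
  <script src="https://challenge.saarland/static/js/bootstrap.min.js"></script>
  <script src="https://challenge.saarland/static/js/consent.js"></script>

  <script>
    /**
     * Derives the 16-character password that register() sends for a username.
     *
     * NOTE(review): despite the name and the comments below, nothing in this
     * function is random or secret. The token is a constant delivered to every
     * visitor and the only other input is the username, so the same username
     * always produces the same password. Credentials must not be derived in the
     * browser from public data: generate them on the server with a CSPRNG (or
     * let the user choose one) and store only a salted, slow hash.
     *
     * @param {string} username  name typed into the registration form
     * @returns {string} the derived password
     */
    function generate_secure_password(username) {
      /* a random value generated from a secure random number generator, base64 encoded */
      var token = "yP3LigDUTk/2UnSIDiO8JgYpbQtyy3kb7IbaMOwG6vFm5DK2ulafQ8+06HWzqHYQaLA4fAcR40CB/3wQ";

      /* The loop counter and the checksum are declared locally so that they no
         longer leak into the global scope as implicit globals. */
      var i;
      var sum = 0;

      /* Passwords with a length of 16 characters are very secure, I learned */
      var password_chars = [];
      for (i = 0; i < 16; i++) {
        if (i < username.length) {
          password_chars.push(username.charAt(i));
        } else {
          password_chars.push("0");
        }
      }

      /* We want our password to only contain letters available on most typically available keyboards! */
      var validcharacters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+-*/%.:,;#$&()";

      /* Small passwords look too similar, so we add the cross total as an offset. */
      for (i = 0; i < username.length; i++) {
        sum += username.charCodeAt(i);
      }

      /* Create new password from username and token.
         NOTE(review): indexOf returns -1 for a character that is not part of
         validcharacters and that result is used unchecked; usernames should be
         validated against an allow-list before they reach this point. */
      for (i = 0; i < token.length; i++) {
        password_chars[i % 16] = validcharacters.charAt(
          (validcharacters.indexOf(token.charAt((i + sum) % token.length)) + validcharacters.indexOf(password_chars[i % 16])) % validcharacters.length
        );
      }

      return password_chars.join("");
    }
  </script>

  <script>
    /* Stores the selected challenge id in the element with id "challenge".
       NOTE(review): no such element exists in this document; set_challenge()
       and save() are presumably shared with the flag submission page. */
    function set_challenge(val) {
      window.challenge.value = val;
    }

    /* Shows a status banner for five seconds and closes the submission modal. */
    function message(el) {
      $('#submission_modal').modal('hide');
      el.hidden = false;
      setTimeout(function() {
        el.hidden = true;
      }, 5000);
    }

    /* The three helpers below assign through innerText, so text that comes back
       from the server is displayed as text and never parsed as markup. */
    function success(msg) {
      var el = document.getElementsByClassName('alert-success')[0];
      el.innerText = msg;
      message(el);
    }

    function info(msg) {
      var el = document.getElementsByClassName('alert-info')[0];
      el.innerText = msg;
      message(el);
    }

    function error(msg) {
      var el = document.getElementsByClassName('alert-danger')[0];
      el.innerText = msg;
      message(el);
    }

    /* Posts a flag submission to /save and reports the server's answer in the
       matching status banner (200 success, 400 error, 418 info). */
    function save(e) {
      e.preventDefault();

      if (window.challenge.value == '') {
        error("Please select a challenge!");
        return;
      }
      if (window.email.value == '') {
        error("Please add your email address!");
        return;
      }
      if (window.flag.value == '') {
        error("Please add the flag!");
        return;
      }

      var url = "/save";
      var method = "POST";

      /* The CSRF token is presumably rendered into the page per session by the server-side template. */
      var params = 'csrfmiddlewaretoken=E6AJcRWe4G7c2Qb5nQTPKVxuYOBEImL3vXFMf0CZMxqFtf0AgCNx2wtDC1oNgpmf&';
      /* Every user-supplied value is percent-encoded so that '&', '=', '+' or
         '%' in the input cannot add or change form fields in the request body. */
      params += 'challenge=' + encodeURIComponent(window.challenge.value) + '&';
      params += 'email=' + encodeURIComponent(window.email.value) + '&';
      params += 'flag=' + encodeURIComponent(window.flag.value) + '&';
      if ($('#receivenotification').is(':checked')) {
        params += 'notification=1';
      } else {
        params += 'notification=0';
      }

      var xhr = new XMLHttpRequest();
      xhr.open(method, url, true);
      xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
      xhr.onreadystatechange = function() {
        if (xhr.readyState != 4) {
          return;
        }
        if (xhr.status == 200) {
          success(xhr.responseText);
        } else if (xhr.status == 400) {
          error(xhr.responseText);
        } else if (xhr.status == 418) {
          info(xhr.responseText);
        }
      };
      xhr.send(params);
      return false;
    }

    /* Registers the username from the registration tab at /ch2_register,
       together with the password derived by generate_secure_password(). */
    function register(e) {
      e.preventDefault();

      if (window.reg_username.value == '') {
        error("Bitte gibt einen Usernamen an!");
        return;
      }

      var user = window.reg_username.value;
      var pwd = generate_secure_password(user);

      var url = "/ch2_register";
      var method = "POST";
      var params = 'csrfmiddlewaretoken=E6AJcRWe4G7c2Qb5nQTPKVxuYOBEImL3vXFMf0CZMxqFtf0AgCNx2wtDC1oNgpmf&';
      /* The username is percent-encoded like the password, so reserved
         characters in it cannot inject extra form fields. */
      params += 'username=' + encodeURIComponent(user) + '&';
      params += 'password=' + encodeURIComponent(pwd);

      var xhr = new XMLHttpRequest();
      xhr.open(method, url, true);
      xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
      xhr.onreadystatechange = function() {
        if (xhr.readyState != 4) {
          return;
        }
        if (xhr.status == 302) {
          /* A 302 with a Location header would be followed by the XHR itself
             and never be visible here, so the server presumably answers
             without that header and puts the target URL into the body. */
          window.location.href = xhr.responseText;
        } else if (xhr.status == 400) {
          error(xhr.responseText);
        }
      };
      xhr.send(params);
      return false;
    }

    /* Sends the credentials from the login tab to /ch2_login. */
    function login(e) {
      e.preventDefault();

      if (window.log_username.value == '') {
        error("Bitte gibt einen Usernamen an!");
        return;
      }
      /* Fixed: this check used to test log_username a second time, so an empty
         password was never reported. */
      if (window.log_password.value == '') {
        error("Bitte gibt ein Passwort an!");
        return;
      }

      var user = window.log_username.value;
      var pwd = window.log_password.value;

      var url = "/ch2_login";
      var method = "POST";
      var params = 'csrfmiddlewaretoken=E6AJcRWe4G7c2Qb5nQTPKVxuYOBEImL3vXFMf0CZMxqFtf0AgCNx2wtDC1oNgpmf&';
      /* Percent-encode both fields so reserved characters cannot alter the request body. */
      params += 'username=' + encodeURIComponent(user) + '&';
      params += 'password=' + encodeURIComponent(pwd);

      var xhr = new XMLHttpRequest();
      xhr.open(method, url, true);
      xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
      xhr.onreadystatechange = function() {
        if (xhr.readyState != 4) {
          return;
        }
        if (xhr.status == 302) {
          /* See register(): the redirect target is read from the response body. */
          window.location.href = xhr.responseText;
        } else if (xhr.status == 400) {
          error(xhr.responseText);
        }
      };
      xhr.send(params);
      return false;
    }
  </script>
</body>
</html>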