I decided to create a tool that searches for
hidden elements inside a web pages.
Few days ago someone told me that my website is not so /secure/…
Can you check it yourself ?

The website says that it will find the hidden elements inside a web page. Let’s give it a target from its file system to force it to analyze its own source code. Here is the target:

Let’s check the output:

It seems it filtered our target somehow. Let’s fuzz with it a little bit. Here is our new target:

Now, we have bypassed the filter:

Still, there isn’t any useful information. It just brought us the lines that contain the word ‘hidden’.

Let’s check the source code of the webpage:

We have an interesting hidden link on the page:

I have tried to use the following as target:

However, it returns nothing. It means the flag does not contain the word ‘hidden’. We need to read the whole file instead of reading the lines that contain ‘hidden’. There is also an obfuscated javascript code on the page:

Let’s deobfuscate it and try to understand it.

It first assigns the ‘main_form’ element to the variable _frss, then it creates an input element and assigns it to the variable _xEger. Here is the input element that is created:

However, it does not insert this element to the ‘main_form’. If it was inserted, then our url would include &expression= part at the end of it. Still, this might be a hint. Let’s try to add &expression=/.*/ to our url.

It resulted in reading the whole file:

Here is our flag noxCTF{/[h1DD3N]*[55Rf]*[r393X]*/}.