[Weekly Challenge] SOS

Points: 12
Author: dwisiswant0

Description

Peringatan Darurat

Hints

-

Steps to Resolve

We were given a URL, http://sos.skill-issue.org. Upon visiting the main page, there’s a button labeled “Alerta”. When clicked, it triggers a pop-up alert displaying the message:

S Danger SOS it is dire for you to evacuate be caution he is not human 4a6f6b6f7769 SOS Danger SOS.

The hexadecimal string 4a6f6b6f7769 is the encoding for “Jokowi”. We’ll keep this information for later use.

Investigating the WebSocket Connection

The page also includes a client-side script, embedded at /js/main.js, that initiates a WebSocket connection:

const socket = new WebSocket("ws://sos.skill-issue.org:6666");
socket.addEventListener("open", (e) => setInterval(socket.send('ping'), 5000));
socket.addEventListener("message", (e) => console.log("msg recv:", e.data));

The WebSocket sends a ‘ping’ message every 5 seconds, and any response from the server is logged to the console. We can leverage a tool like wscat to interact directly with this WebSocket server.

Using wscat to Send Data

When we send any string, the server echoes the exact message back:

$ wscat -c ws://sos.skill-issue.org:6666 -x 'ping' | xxd
00000000: 7069 6e67 0a                             ping.
$ wscat -c ws://sos.skill-issue.org:6666 -x 'foo' | xxd
00000000: 666f 6f0a                                foo.

However, something interesting happens when we send the string “Jokowi”. The server echoes back the string, but it’s padded with invisible characters.

$ wscat -c ws://sos.skill-issue.org:6666 -x 'Jokowi' | xxd
00000000: 4a6f 6b6f 7769 f3a0 858a f3a0 84b1 f3a0  Jokowi..........
00000010: 85b5 f3a0 85a9 f3a0 85a5 f3a0 84b3 f3a0  ................
00000020: 8587 f3a0 85b4 f3a0 8596 f3a0 8589 f3a0  ................
00000030: 8597 f3a0 84b1 f3a0 85a5 f3a0 8599 f3a0  ................
00000040: 858f f3a0 85a9 f3a0 85a3 f3a0 85ac f3a0  ................
00000050: 84b2 f3a0 858d f3a0 858d f3a0 8595 f3a0  ................
00000060: 858a f3a0 85b8 f3a0 858e f3a0 85ab f3a0  ................
00000070: 8592 f3a0 84be 0a                        .......

Revealing Hidden Characters

To better understand what’s going on, we can use the cat command with the -A flag to display the non-printable characters:

$ wscat -c ws://sos.skill-issue.org:6666 -x 'Jokowi' | bat -A
Jokowi\u{e014a}\u{e0131}\u{e0175}\u{e0169}\u{e0165}\u{e0133}\u{e0147}\u{e0174}\u{e0156}\u{e0149}\u{e0157}\u{e0131}\u{e0165}\u{e0159}\u{e014f}\u{e0169}\u{e0163}\u{e016c}\u{e0132}\u{e014d}\u{e014d}\u{e0155}\u{e014a}\u{e0178}\u{e014e}\u{e016b}\u{e0152}\u{e013e}␊

We can see that the server is appending invisible Unicode characters, such as Variation Selector-91 (U+E014A).

Encoding and Decoding Hidden Data

We can hide one string within another by using Unicode Variation Selectors, specifically from U+E0100 to U+E01EF. For example, if we want to hide the character “a” (U+0061), we can shift its code using the formula ord(E0100) + ord(X) where X is the Unicode value of the character. To decode it, we simply subtract the Unicode value of Variation Selector-17 (U+E0100).

With a tool like unch, we can easily encode and decode this shifted Unicode data.

Extracting the Hidden Message

Let’s use unch to decode the padded response when we send the string “Jokowi”:

$ wscat -c ws://sos.skill-issue.org:6666 -x 'Jokowi' | unch -d
#KawalPutusanMK-2024

And there it is — the hidden message: #KawalPutusanMK-2024. This confirms that the flag was hidden in the padded invisible characters.

References

• wscat
• bat
• unch