Depths

Challenge:

DEADFACE talks about having a potential buyer for the database leak on Ghost Town. Figure out where they're keeping the wallet info for cryptocurrency transactions. Submit the flag as: flag{flag-goes-here}.

Solution:

While searching through the various threads on Ghost Town, we found one titled Potential Buyer in the Works:

Further down in the thread, the user d34th provides a clue to the meaning of the random-looking string he posted:



With the "secret ingredient" being "onion", we launched Tor Browser and accessed fkdgcbd7ctdqde5dhysmdgefrjs6ip2zjgiycx5vsdvtpdspmkhi5hid.onion.

The website was a simple demo page for a theme and we spent some time reviewing the various HTML, CSS and JavaScript files as well as looking for viewable directories. We found interesting code in the JavaScript file, /js/haetg75d54a.js.



function grab() {
  fetch(btoa('aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3FGZGVnWHRp'))
    .then(response => response.text())
    .then(data => {
      alert(data);
    });
}

JavaScript's btoa() method creates a Base64-encoded ASCII string from a binary string, which means the code has a bug: it encodes the string a second time instead of decoding it. The atob() method should be called instead, which Base64-decodes the string to https://pastebin.com/raw/qFdegXti.
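The manual review step above can be automated. The following is an added example, not code from the challenge site or the original write-up: it scans a JavaScript file's string literals for values that Base64-decode to a URL and reports the function wrapped around each one. The function names and the decoy literal are constructed for illustration.

```javascript
// Added example (Node.js). SAMPLE_JS repeats the snippet quoted in this write-up;
// the decoy literal and all function/constant names here are hypothetical.
const SAMPLE_JS = `
function grab() {
  fetch(btoa('aHR0cHM6Ly9wYXN0ZWJpbi5jb20vcmF3L3FGZGVnWHRp'))
    .then(response => response.text())
    .then(data => { alert(data); });
}
const theme = 'ThemeDefaultSettings'; // constructed decoy: Base64 alphabet, not a URL
`;

// Quoted string literals made up only of Base64 alphabet characters, 16+ long.
const LITERAL_RE = /(['"`])([A-Za-z0-9+\/]{16,}={0,2})\1/g;

function decodeBase64Strict(text) {
  if (text.length % 4 !== 0) return null; // accept padded/aligned Base64 only
  const bytes = Buffer.from(text, 'base64');
  // Buffer silently skips invalid input, so re-encode and compare.
  if (bytes.toString('base64') !== text) return null;
  const decoded = bytes.toString('latin1');
  // Ordinary identifiers rarely decode to clean printable ASCII.
  return /^[\x20-\x7e]+$/.test(decoded) ? decoded : null;
}

function findEncodedUrls(source) {
  const hits = [];
  for (const match of source.matchAll(LITERAL_RE)) {
    const decoded = decodeBase64Strict(match[2]);
    if (decoded === null || !/^https?:\/\//i.test(decoded)) continue;
    // Name of the function called directly on the literal (btoa vs. atob).
    const before = source.slice(Math.max(0, match.index - 12), match.index);
    const wrapper = (before.match(/(\w+)\(\s*$/) || [])[1] || null;
    hits.push({ literal: match[2], url: decoded, wrapper });
  }
  return hits;
}

for (const hit of findEncodedUrls(SAMPLE_JS)) {
  const note = hit.wrapper === 'btoa'
    ? ' (wrapped in btoa(): encoded again at runtime, never decoded)'
    : '';
  console.log(`${hit.url}${note}`);
}
```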

Accessing the PasteBin URL reveals the flag:

flag = 'flag{Ogr3s_r_lik3_On1onS}'
