Neos Writeup

Anandhu Krishnan
Published on
20 Sep 2020


A new case of Wadiya’s national security arrived at Michael’s table. According to the intelligence report, they used this website to share some national secret. What is the secret?


Some lines of HTML are commented out in “contact.html”. The user needs to analyse the code and find something in the JavaScript code.


Among the JavaScript files, there is a “contact.js” file which is different from the others.


However, the JavaScript file is minified and some of its code is commented out.

You can uncomment and unminify using

In the JavaScript code:

            $.get( "requestcheckout.php", function( data ) {
                $( ".result" ).html( data );
                    output = '<div class="error">'+response.text+'</div>';

requestcheckout.php is a GET API call to the backend, so we can call that API using any API client.

The response of that API is a .zip file. When the user tries to open it, it shows an error.


So something is missing. Open that file in any hex editor.


The ZIP archive signature (“PK”) in the file is 50 4B 04 03, but it should be 50 4B 03 04. Edit this value in the file and save (change the magic bytes ‘50 4B 04 03’ to ‘50 4B 03 04’).

        sudo nano

But the file still does not open, so we check again with the hex editor and find a decimal string ‘115912147332683750505979205674703801681249232118816’

So when we decode the decimal string we get a hex value. When we decode the hex value we get a string - “OOps! Flag not found”

Therefore, we need to remove the decimal string.

“PK^C^D115912147332683750505979205674703801681249232118816^T^@ “ to
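The two header repairs described above (restoring the signature and removing the digit string injected after it), written as a script. This is an added example, not code from the original writeup; the archive, the member name `note.txt`, the digit run and the function names are constructed or hypothetical.

```python
import io
import re
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # correct local file header signature: 50 4B 03 04
SWAPPED_SIG = b"PK\x04\x03"  # damaged form seen in the hex editor: 50 4B 04 03


def repair_zip(data: bytes) -> bytes:
    """Restore the signature, then drop ASCII digits injected right after it."""
    if data.startswith(SWAPPED_SIG):
        data = LOCAL_SIG + data[len(SWAPPED_SIG):]
    if not data.startswith(LOCAL_SIG):
        raise ValueError("no local file header signature at offset 0")
    # The 2-byte "version needed" field follows the signature (0x14 0x00, shown
    # as ^T^@, in a typical archive). Its second byte is 0 for every defined ZIP
    # version, so a run of two or more digits here is foreign data.
    # Assumption: the real version byte is not itself a digit character.
    junk = re.match(rb"[0-9]{2,}", data[4:])
    if junk:
        data = data[:4] + data[4 + junk.end():]
    return data


def read_member(data: bytes, name: str) -> bytes:
    """Extract one member from an in-memory archive."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(name)


def make_damaged_sample() -> bytes:
    """Constructed sample: a valid archive damaged the way the writeup describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample content")
    good = buf.getvalue()
    return SWAPPED_SIG + b"1234567890" + good[4:]  # constructed digit run


if __name__ == "__main__":
    damaged = make_damaged_sample()
    try:
        read_member(damaged, "note.txt")
    except zipfile.BadZipFile as exc:
        print("before repair:", exc)
    print("after repair:", read_member(repair_zip(damaged), "note.txt"))
```

The sample archive is unencrypted, so unlike the challenge file it needs no password once the header is repaired.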


After this step, the file opens, but it is password-protected and we have not been given the password. We need to find the password.

        fcrackzip -u -v -D -p rockyou.txt

After some time, PASSWORD FOUND!!!!: pw == Astra123

We can enter the password but the file:


This value needs to be converted to binary: replace ‘N’ with binary ‘0’ and ‘!’ with binary ‘1’.

Python program to do the conversion:

        # Decode: 'N' stands for 0 and '!' for 1; the leading "Nb" turns into the "0b" binary prefix

        d = "Nb!!NN!NNN!!N!!!!N!!N!!N!N!!NN!N!N!!NNN!!N!!!N!NNN!!NN!!NN!!!!N!!N!!N!!N!N!!N!NNNN!!!N!NNN!!!NNNNN!!NN!N!N!!!N!!NNN!!NNN!NN!!!NNNN!!!NNNNNN!!NNNNN!!N!!N!NN!!N!!NNN!!!NNNN!!NNN!NN!!!NNN!N!!!!NNNNN!!N!!NN!NNN!!NNN!!!NNNNN!!N!!!N!NN!!!NN!N!N!!!N!!N!NNNNN!!NN!NN!NN!!!!N!!!N!!!N!!N!!N!N!NNN!!NNN!!NNN!N!NNNNN!N!!N!NNNN!!N!NN!N!!!!!N!NNNN!N!N"
        # Map every 'N' to '0' and every '!' to '1'
        d = d.replace('N', '0').replace('!', '1')
        binary_int = int(d, 2)
        # Round up to whole bytes; the parentheses matter, since 7 // 8 alone is 0
        byte_number = (binary_int.bit_length() + 7) // 8
        binary_array = binary_int.to_bytes(byte_number, "big")
        text = binary_array.decode()
        print(text)

Output will be:


ASCII value of the binary will be the flag: domectf{mhtpev18p0m68bqx6F87NWh2OwmF1Ahi}
