Score
Original Writeup on seall.dev
Visiting the site, we are shown a typing test!
There is also a leaderboard and a login page.
We try the credentials for Br0kenC1ph3r23 on the login page and it works! (We later find out as long as the username is not taken the password doesnβt matterβ¦)
Ok, we have a login, letβs try this test and see if we can mess with the score!
POST /api/score HTTP/1.1
Host: chals.secedu.site:5007
Content-Length: 120
...
{"score":"ββββββββββββββββββββββββββββββββββββ"}
Huh..?
Some kind of weird character encoding, letβs check out the JS source code of the site.
Doing some digging I find a JS file with a segment of interest:
const dt = (s, e) => {
Te.set(s), Qe.set(e), qe.set(s * e), pt()
},
mt = () => JSON.stringify({
wpm: f(qe),
raw: f(Te)
}).split("").map(e => e.charCodeAt(0)).map(e => e ^ 4401 ^ 5556 ^ 10019).map(e => String.fromCharCode(e)).join(""),
pt = async () => {
const s = await et("score", "POST", {
score: mt()
});
s.success ? Ce.set(s.rank) : Ce.set(-1)
}, Se = b(!1), ht = () => {
Se.set(!1), $e(), ot()
}, vt = () => {
const s = D.length,
a = f(F).reduce((n, t) => n + f(t).reduce((r, c) => r + +(c === !1), 0), 0) / s,
l = s / 5;
dt(l * (60 / xe), a), Se.set(!0)
};
It seems to be doing some whacky XOR operation, letβs make a quick decryption and encryption script for modification of the values.
function decodeInput(output) {
const decodedChars = output.split("").map(decodeChar);
return decodedChars.join("");
}
function decodeChar(char) {
return String.fromCharCode(char.charCodeAt(0) ^ 4401 ^ 5556 ^ 10019);
}
function encodeInput(input) {
const encodedChars = input.split("").map(encodeChar);
return encodedChars.join("");
}
function encodeChar(char) {
return String.fromCharCode(char.charCodeAt(0) ^ 4401 ^ 5556 ^ 10019);
}
Loading those functions into the console, I try to decodeInput() my POST request data:
> decodeInput("ββββββββββββββββββββββββββββββββββββ")
'{"wpm":42.20000000000001,"raw":77.4}'
Great! Letβs try making that WPM and RAW values 100!
> encodeInput('{"wpm":1000.0,"raw":1000.0}')
"βββββββββββββββββββββββββββ"
Sending that in the POST request we just get first on the leaderboard but no flagβ¦ What if we overload it with alot of 9βs?
> encodeInput('{"wpm":99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999.99,"raw":99999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999.99}')
"βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ"
Sending that we get a better response:
{"status":"SECEDU{definitely_not_a_robot}","success":true}
Flag: SECEDU{definitely_not_a_robot}
Related Writeups
caas
Now presenting cowsay as a service https://caas.mars.picoctf.net/
Cookies
Who doesn't love cookies? Try to figure out the best one. http://mercury.picoctf.net:17781/
findme
Help us test the form by submiting the username as `test` and password as `test!` Hint: any redirections?