Home HackyEaster 2023 Jason
Writeup
Cancel

Jason

Challenge

Jason has implemented an information service.

He has hidden a flag in it, can you find it?

Connect to the server:

nc ch.hackyeaster.com 2304

Solution

Ahh the name should’ve been a give away huh? It took me a minute nonetheless

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
> 1/2
Result: 0.05
> enter "name", "surname", "street", "city", "country", or "q" to quit
> 20/1
Result: 0.2
> enter "name", "surname", "street", "city", "country", or "q" to quit
> 200/1
Result: 0.2
> enter "name", "surname", "street", "city", "country", or "q" to quit
> 1 + 1
Result: 1.1
> enter "name", "surname", "street", "city", "country", or "q" to quit
> 1 + 1 + 1
Result: 2.1
> enter "name", "surname", "street", "city", "country", or "q" to quit

From the above I finally understood it must be prepending . to the queries, and since it’ll process math, we can use it as an annoying calculator. But the key realisation is the . is prepended.

So we can try some other JSON access things like you’d do with jq:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
> []
Result: "Jason"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> [][0]
Something went wrong.
> enter "name", "surname", "street", "city", "country", or "q" to quit
> [0]
Something went wrong.
> enter "name", "surname", "street", "city", "country", or "q" to quit
> [1]
Something went wrong.
> enter "name", "surname", "street", "city", "country", or "q" to quit
> {}
Invalid input!
> enter "name", "surname", "street", "city", "country", or "q" to quit

Ahh keys works

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
>  | to_entries
Result: [
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | to_keys
Something went wrong.
> enter "name", "surname", "street", "city", "country", or "q" to quit
> keys
Result: null
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | .keys
Result: null
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | keys
Result: [
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | keys | .[0]
Result: "city"
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | keys | .[1]
Result: "country"
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | keys | .[2]
Result: "covert"
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | keys | .[3]
Result: "name"
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | keys | .[4]
Result: "street"
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | keys | .[5]
Result: "surname"
> enter "name", "surname", "street", "city", "country", or "q" to quit
>  | keys | .[6]
Result: null
> enter "name", "surname", "street", "city", "country", or "q" to quit
> covert
Result: {
> enter "name", "surname", "street", "city", "country", or "q" to quit

and covert looks interesting!

1
2
3
4
5
> covert | keys | .[0]
Result: "flag"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> covert.flag
Result: "he2023{gr3pp1n_d4_js0n_l1k3_4_pr0!}"

it can’t be this easy?

Flag

he2023{gr3pp1n_d4_js0n_l1k3_4_pr0!}