Recently Updated
Jason
Challenge
Jason has implemented an information service.
He has hidden a flag in it, can you find it?
Connect to the server:
nc ch.hackyeaster.com 2304
Solution
Ahh the name should’ve been a give away huh? It took me a minute nonetheless
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
> 1/2
Result: 0.05
> enter "name", "surname", "street", "city", "country", or "q" to quit
> 20/1
Result: 0.2
> enter "name", "surname", "street", "city", "country", or "q" to quit
> 200/1
Result: 0.2
> enter "name", "surname", "street", "city", "country", or "q" to quit
> 1 + 1
Result: 1.1
> enter "name", "surname", "street", "city", "country", or "q" to quit
> 1 + 1 + 1
Result: 2.1
> enter "name", "surname", "street", "city", "country", or "q" to quit
From the above I finally understood it must be prepending .
to the queries, and since it’ll process math, we can use it as an annoying calculator. But the key realisation is the .
is prepended.
So we can try some other JSON access things like you’d do with jq
:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
> []
Result: "Jason"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> [][0]
Something went wrong.
> enter "name", "surname", "street", "city", "country", or "q" to quit
> [0]
Something went wrong.
> enter "name", "surname", "street", "city", "country", or "q" to quit
> [1]
Something went wrong.
> enter "name", "surname", "street", "city", "country", or "q" to quit
> {}
Invalid input!
> enter "name", "surname", "street", "city", "country", or "q" to quit
Ahh keys
works
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
> | to_entries
Result: [
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | to_keys
Something went wrong.
> enter "name", "surname", "street", "city", "country", or "q" to quit
> keys
Result: null
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | .keys
Result: null
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | keys
Result: [
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | keys | .[0]
Result: "city"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | keys | .[1]
Result: "country"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | keys | .[2]
Result: "covert"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | keys | .[3]
Result: "name"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | keys | .[4]
Result: "street"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | keys | .[5]
Result: "surname"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> | keys | .[6]
Result: null
> enter "name", "surname", "street", "city", "country", or "q" to quit
> covert
Result: {
> enter "name", "surname", "street", "city", "country", or "q" to quit
and covert looks interesting!
1
2
3
4
5
> covert | keys | .[0]
Result: "flag"
> enter "name", "surname", "street", "city", "country", or "q" to quit
> covert.flag
Result: "he2023{gr3pp1n_d4_js0n_l1k3_4_pr0!}"
it can’t be this easy?
Flag
he2023{gr3pp1n_d4_js0n_l1k3_4_pr0!}