Challenge Overview

This challenge is client-side, which means that we will have to play with the JavaScript code to retrieve the flag! The goal is to beat the score of the pro player Eteck in order to obtain the flag. His score is set to 1337420, which doesn’t seem easy to beat.

Game

There are 2 ways to retrieve the flag. The first one is to practice and be better than him in order to beat him fairly.

The second, which is more feasible, is to find a vulnerability that would allow us to replace the final score with an arbitrary value. We will opt for this one!

When we lose the game, a POST request is sent to the API with the score, the username, and a signature. The signature is there so that the score cannot simply be altered in the request: it protects the score's integrity.

Send Score

We could analyze the JavaScript file to determine how the signature is calculated, but that would be tedious and boring. The best way is to use a debugger!

A search for the word "score" leads us to the variables defined starting from line 39541.

  • The variable _0x5a84cd is the player’s final score.
  • The function _0x3f306f(_0x5a84cd) returns the signature calculated based on the score.

Debugger

We can set a breakpoint at line 39541, then start a game and lose it. The program will stop at our breakpoint. We can display the value of the score and the signature.

  • _0x5a84cd -> 0
  • _0x3f306f(_0x5a84cd) -> -640686249

Stop

Now we just need to set the score variable to the desired value, for example 300000000, and display the corresponding signature value:

  • _0x5a84cd=300000000
  • _0x3f306f(_0x5a84cd) -> 2085264154

Edit

One last POST request with the right information and we can retrieve the flag!

Flag

  • PWNME{ChE4t_oN_cLI3N7_G4m3_Is_Not_3aS1}
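
Added example, not part of the original write-up or the challenge's code: the signature is computed by a function that ships to the browser, so a server that only recomputes it cannot tell an earned score from an edited one. The sketch below contrasts that check with a server that tracks the game session itself; `clientSign`, `startGame`, `submitScore` and the 50 points-per-second limit are assumptions made for illustration.

```javascript
const { randomUUID } = require('crypto');

// Weak design (constructed stand-in for the page's obfuscated signing function):
// a keyless hash shipped to the browser. Whoever can call it can sign any score.
function clientSign(score) {
  let h = 0;
  for (const ch of `score=${score}`) h = (Math.imul(h, 31) + ch.charCodeAt(0)) | 0;
  return h;
}

// A server check that only recomputes the same public function proves nothing
// about how the score was earned.
function weakVerify({ score, signature }) {
  return clientSign(score) === signature;
}

// Hardened sketch: the server owns the session state and bounds the score by
// elapsed play time. MAX_POINTS_PER_SECOND is an assumed, game-specific limit.
const MAX_POINTS_PER_SECOND = 50;
const sessions = new Map(); // sessionId -> { username, startedAt }

function startGame(username, now = Date.now()) {
  const id = randomUUID();
  sessions.set(id, { username, startedAt: now });
  return id;
}

function submitScore(sessionId, username, score, now = Date.now()) {
  const s = sessions.get(sessionId);
  if (!s || s.username !== username) return { ok: false, reason: 'unknown session' };
  sessions.delete(sessionId); // one submission per game, so a session cannot be replayed
  if (!Number.isSafeInteger(score) || score < 0) return { ok: false, reason: 'bad score' };
  const elapsedSec = (now - s.startedAt) / 1000;
  if (score > elapsedSec * MAX_POINTS_PER_SECOND) {
    return { ok: false, reason: 'implausible score' };
  }
  return { ok: true };
}
```

A time-based bound only limits how far a score can be inflated; a server that replays the player's inputs and computes the score itself removes the client's value from the decision entirely.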