1. Challenge information
You are Chris Wong, and you have a mission to win the game and redeem the free meal. Try to score over 300. Your flag will appear in scoreboard.php.
2. Exploitation
- Intercept the score update HTTP POST Request:
  - Observe that it includes a payload with parameters `score` and `hash`.
- Modify the Score and Resend:
  - Change the `score` value in the intercepted request and resend it. The server responds with "Invalid hash", which indicates that the `score` is part of the hash calculation.
- Identify the Hashing Algorithm:
  - Inspecting the page reveals a JavaScript file called sha256.min.js, indicating that the hash algorithm used is SHA-256.
- Find Hash Generation Logic:
  - There is also JavaScript code embedded in the game.php page.
  - Reviewing the JavaScript code reveals how the hash is generated:

    ```javascript
    // ...
    const secretKey = '3636f69fcc3760cb130c1558ffef5e24';
    const username = "admin123";
    const token = "f980528fc2f243646fd0ea563b9b6cce";
    // ...
    async function endGame() {
      // ...
      const hash = generateHash(secretKey + username + score);
      // ...
    }
    ```

  - From the code, the hash is generated by concatenating `secretKey`, `username`, and `score`.
- Generate the New Hash:
  - To modify the score, concatenate `secretKey`, `username`, and the desired score value, then hash this string with SHA-256.
  - Example input: `3636f69fcc3760cb130c1558ffef5e24admin123301`
  - Using https://www.pelock.com/products/hash-calculator, the new hash generated is: `C8B64AF8AA5E06F9BA55F7B19BCEDBDA23B11C0BBC711E5786A2B5D43CCB310F`
  - Since a lowercase hash is expected, convert it to lowercase.
- Send the Modified Request with New Hash:
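
Added example, not part of the original write-up and not the challenge's own code: why the check seen in game.php provides no integrity, next to a server-authoritative alternative in which the submitted score is ignored. The server-side form of the weak check, the scoring rules (one point per event, a minimum gap between events, a one-time game token) and the names `weakAccepts`, `startGame`, `recordPoint` and `finishGame` are assumptions for illustration.

```javascript
const crypto = require("node:crypto");

// Value every player can read in game.php (quoted on the page).
const secretKey = "3636f69fcc3760cb130c1558ffef5e24";
const sha256Hex = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Assumed server check, mirroring the client: SHA-256(secretKey + username + score).
// Every input is known to the browser, so the hash authenticates nothing.
function weakAccepts(username, score, hash) {
  const expected = Buffer.from(sha256Hex(secretKey + username + score));
  const given = Buffer.from(String(hash));
  return given.length === expected.length && crypto.timingSafeEqual(expected, given);
}

// Hardened sketch: the server owns the score. Hypothetical rules (assumptions):
// one point per scoring event, events at least MIN_GAP_MS apart, one-time game token.
const MIN_GAP_MS = 200;
const games = new Map(); // token -> { username, score, lastEvent, open }

function startGame(username, now) {
  const token = crypto.randomBytes(16).toString("hex");
  games.set(token, { username, score: 0, lastEvent: now - MIN_GAP_MS, open: true });
  return token;
}

function recordPoint(token, now) {
  const g = games.get(token);
  if (!g || !g.open || now - g.lastEvent < MIN_GAP_MS) return false; // unknown, finished, or too fast
  g.score += 1;
  g.lastEvent = now;
  return true;
}

// The client-reported score is ignored; only server-side state reaches the scoreboard.
function finishGame(token, _clientScore) {
  const g = games.get(token);
  if (!g || !g.open) return null;
  g.open = false; // the token cannot be replayed
  return { username: g.username, score: g.score };
}
```

With the second design, a tampered `score` parameter has no effect because the scoreboard value is derived from events the server validated itself.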
