web - New Free Lunch

1. Challenge Information

Category: Web
Difficulty: Easy

Challenge Description / Prompt:

You are Chris Wong, you have a mission to win the game and redeem the free meal. Try to get over 300 score. Your flag will appears in scoreboard.php.

2. TL;DR Solution Summary

The hash value sent is a combination of a secret key, username, and score. The secret key can be found on a JS code embedded on game.php page

3. Exploitation

3.1 Walkthrough

Intercept the score update HTTP POST Request:
- Observe that it includes a payload with parameters score and hash.
Modify the Score and Resend:
- Change the score value in the intercepted request and resend it. The server responds with "Invalid hash," it indicates that the score is part of the hash calculation.
Identify the Hashing Algorithm:
- When inspecting the page, there’s a JavaScript called sha256.min.js, indicating the hash algorithm used is sha256

Find Hash Generation Logic:

Screenshot 2024-11-10 at 09.02.56.png

There’s also a JavaScript code embedded on game.php page

Reviewing the JavaScript code, the information about the hashing can be retrieved:

...

const secretKey = '3636f69fcc3760cb130c1558ffef5e24';
const username = "admin123";
const token = "f980528fc2f243646fd0ea563b9b6cce";
...
 async function endGame() {
						....
            
            const hash = generateHash(secretKey + username + score);
            
            ...
        }

From the code, the hash is generated by concatenating secretKey, username, and score

Generate the New Hash:
- To modify the score, concatenate secretKey, username, and the desired score value, then hash this string with SHA-256.
- Example input: 3636f69fcc3760cb130c1558ffef5e24admin123301
- Using https://www.pelock.com/products/hash-calculator, the new hash generated is: C8B64AF8AA5E06F9BA55F7B19BCEDBDA23B11C0BBC711E5786A2B5D43CCB310F
- Since the expect a lowercase hash, convert it to lowercase
Send the Modified Request with New Hash:

4. Final Output

Flag: hkcert24{r3d33m_f0r_4_fr33_lunch}