SECCON CTF – 00.00 Dec 6th – 08.00 Dec 7th
Writeup by Pegasus, AFNOM.

jspuzzle – 100 Points

After downloading the ZIP file, we have a JavaScript file and a HTML page. The JavaScript file has nothing obvious with a flag stored in plain text. Therefore, we had to run through the Cloze puzzle given. When we load the page we are given a SECCON{….} flag, which is updated every time we enter a block.

To start off, we are given:

"use strict";

({" " :function(){
this[ " " ] = (new Function( " " + " " + " " ))();
var pattern = " ";
var r = new RegExp( pattern );
this[ r[ " " ]( pattern ) ][ " " ]( 1 );
}})[ " "[ " " ]() ]();

The words we want to put in are inside ” “. A solution to this is:

"use strict";

({"function" :function(){
    this[ "null" ] = (new Function( "return" + "/*^_^*/" + "this" ))();
    var pattern = "^[w]$";
    var r = new RegExp( pattern );
    this[ r[ "exec" ]( pattern ) ][ "alert" ]( 1 );
}})[ "Function"[ "toLowerCase" ]() ]();

Which gives us the flag SECCON{3678cbe0171c8517abeab9d20786a7390ffb602d}.

REA-JUU – 200Points

This was a lot easier than I thought to crack. When we get onto the website, we need to login. By registering, we are assigned a random username and password. The source and viewing in BURP yield nothing interesting. When running through the ‘game’ we see nothing happening in terms of calls – parameters are given as a GET call, and the cookies remain the same across calls. When we are given the score, however, there is a bit of JavaScript which does something interesting…

function finishpoint(){
	$.getJSON("/users/chk/14845", null, function(data){
		point = data.point;
		$("#finishpoint").text("Your score is " + point + "point!");

So, what’s happening here? At the page /users/chk/14845, there’s a nice payload:


So – let’s see what happens if we use an ID of 00001?


Ah! We now have the username and a hint that this is a way to get the flag. Playing through the game (in any order), so let’s set 0-0-0-0-0-0 as the way we’ll run through the game, we always score 99999 points, but below the logout button we get the flag: SECCON{REA_JUU_Ji8A_NYAN}