PoW
Writeup for PoW (Web) - Wani CTF (2024) 💜
Description
compute hash to get your flag
Recon
Basic web page with an incrementing proof-of-work counter.
Our session is tracked via a cookie: pow_session
. The local storage contains pow_progress
, which continuously updates the client status
value from the picture above.
Source
The script reads the PoW progress (int) from local storage (
i
)It loops 1000 times, incrementing
i
and sending the value to ahash
functionThe
hash
function loops 10 times, iteratively hashing the input (sha256)Note,
CryptoJS.SHA256
returns 8 [32-bit] words, like shown in the pictureThe final line (AND) is a masking operation -
4294967040
in hex is0xFFFFFF00
Basically, if the last 8 bits of the first word equals
0
, then we get 1 progress point
Solution
I began by enabling interception of server responses in burp.
Now, if we reload the page, we can modify the JavaScript.
I found a valid value, e.g., 2862152
, and modified the script to repeatedly send it, skipping the hashing algorithm altogether.
The progress increments at 1 per second; however, we quickly hit a rate limit.
We need to get a million points anyway, so this wasn't realistic (1,000,000 seconds is nearly 12 days 😆)
I quickly realised that the valid PoW's are sent as an array.
I decided to send two valid values at once, e.g.
This increments the counter by 2! So we just need to make an array of 1 million ðŸ§
Actually, don't do that unless you want to crash your browser 😂
Instead, let's do it 100,000 times, and then we can send 10 requests.
It's works! We repeat 10 times and get the flag 😌
Was this the intended solution? I'm not so sure..
Flag: FLAG{N0nCE_reusE_i$_FUn}
Last updated