GreyCTF Survey
Description
Your honest feedback is appreciated :) (but if you give us a good rating we'll give you a flag)
Author: jro
http://challs.nusgreyhats.org:33334
https://storage.googleapis.com/greyctf-challs/dist-greyctf-survey.zip
Code Analysis
The app is relatively straightforward: a single voting endpoint that checks whether the vote value lies strictly between -1 and 1 before adding it to the score.
```javascript
// Global score, reset whenever a "win" is reached
let score = -0.42069;

app.post('/vote', async (req, res) => {
    const { vote } = req.body;
    // Type check only: any JSON number (including tiny floats) is accepted
    if (typeof vote != 'number') {
        return res.status(400).json({
            "error": true,
            "msg": "Vote must be a number"
        });
    }
    // Range check is done on the raw number...
    if (vote < 1 && vote > -1) {
        // ...but the value added is parseInt(vote), which stringifies the number first
        score += parseInt(vote);
        if (score > 1) {
            score = -0.42069;
            return res.status(200).json({
                "error": false,
                "msg": "you win",
            });
        }
        return res.status(200).json({
            "error": false,
            "data": score,
            "msg": "Vote submitted successfully"
        });
    } else {
        return res.status(400).json({
            "error": true,
            "msg": "Invalid vote"
        });
    }
})
```
Exploit
When we set the vote to an absurdly small value, JavaScript converts it to scientific notation when it is turned into a string. I came across a Reddit post which explains how it works, but the tl;dr is:
0.0000005 will turn into 5e-7
When we run parseInt(5e-7), it results in 5, because parseInt converts its argument to the string "5e-7" and then parses the leading digits, stopping at the e.
I verified it on console, and it works as intended.
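To make the root cause concrete, here is an added example (not part of the original writeup or the challenge source) that isolates the handler's arithmetic, shows where the string round-trip happens, and contrasts it with a hardened version that truncates numerically with Math.trunc instead of parseInt. The function names and the constructed inputs are mine.

```javascript
// Added example, not from the challenge source: why parseInt(5e-7) is 5, and a
// hardened version of the vote handler's arithmetic. Run with: node example.js

// parseInt coerces its argument to a string first. Numbers whose magnitude is
// below 1e-6 stringify in exponent notation, so only the digits before "e" are
// parsed. Returns what the handler would add to score for a given vote.
function parsedDelta(vote) {
  return parseInt(vote);
}

// The vulnerable path, isolated from the Express handler: the range check
// passes for tiny values, but the string round-trip turns 5e-7 into 5.
function vulnerableApply(score, vote) {
  if (typeof vote !== 'number') throw new TypeError('Vote must be a number');
  if (!(vote < 1 && vote > -1)) throw new RangeError('Invalid vote');
  return score + parseInt(vote);
}

// Hardened path: same range check, but require a finite number and truncate
// numerically with Math.trunc, so no string conversion ever happens.
// Math.trunc(5e-7) is 0, so sub-integer votes cannot move the score.
function safeApply(score, vote) {
  if (typeof vote !== 'number' || !Number.isFinite(vote)) {
    throw new TypeError('Vote must be a number');
  }
  if (!(vote < 1 && vote > -1)) throw new RangeError('Invalid vote');
  return score + Math.trunc(vote);
}

// Walk constructed inputs through both paths. 0.000001 is the last value that
// still stringifies in fixed notation; 0.0000005 becomes "5e-7".
function demo() {
  const start = -0.42069; // initial score from the handler
  for (const v of [0.5, 0.000001, 0.0000005]) {
    console.log(String(v), 'parseInt ->', parsedDelta(v), 'Math.trunc ->', Math.trunc(v));
  }
  return {
    vulnerable: vulnerableApply(start, 0.0000005), // jumps above 1: "you win"
    safe: safeApply(start, 0.0000005),             // unchanged: -0.42069
  };
}

console.log(demo());
```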

Using Burp Suite repeater, I was able to retrieve the flag.

Flag: grey{50m371m35_4_l177l3_6035_4_l0n6_w4y}