GreyCTF 2024

GreyCTF Survey

Description

Your honest feedback is appreciated :) (but if you give us a good rating we'll give you a flag)

Author: jro

http://challs.nusgreyhats.org:33334

https://storage.googleapis.com/greyctf-challs/dist-greyctf-survey.zip


Code Analysis

The app is relatively straightforward: a voting endpoint checks that the vote value lies strictly between -1 and 1 before adding it to the score.

let score = -0.42069;

app.post('/vote', async (req, res) => {
    const {vote} = req.body;
    if(typeof vote != 'number') {
        return res.status(400).json({
            "error": true,
            "msg":"Vote must be a number"
        });
    }
    if(vote < 1 && vote > -1) {          // exclusive range check, so only fractions get through
        score += parseInt(vote);         // parseInt() stringifies its argument before parsing
        if(score > 1) {
            score = -0.42069;
            return res.status(200).json({
                "error": false,
                "msg": "you win",
            });
        }
        return res.status(200).json({
            "error": false,
            "data": score,
            "msg": "Vote submitted successfully"
        });
    } else {
        return res.status(400).json({
            "error": true,
            "msg":"Invalid vote"
        });
    }
})

Exploit

When we set the vote to an absurdly small value, JavaScript renders it in scientific notation. I came across a Reddit post that explains how it works, but the tl;dr is:

0.0000005 will turn into 5e-7 (JavaScript stringifies numbers with a magnitude below 1e-6 in exponent form)
When we run parseInt(5e-7), the number is first converted to the string "5e-7", parsing stops at the "e", and the result is 5

I verified it in the browser console, and it works as intended.
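The same coercion in runnable form, as an added example that is not code from the writeup or the challenge: the /vote scoring logic pulled out of Express into a pure function (hypothetical names applyVoteVulnerable and applyVoteHardened), beside a hardened version that truncates the numeric value instead of round-tripping it through a string. The module-level score becomes a parameter and return value.

```javascript
// Added example, not from the writeup or the challenge source. The /vote scoring
// logic is extracted into pure functions (hypothetical names); Express and the
// module-level `score` are replaced by an explicit parameter and return value.

// Why the bypass works: parseInt() parses strings. A number argument is first
// converted with String(), and JavaScript prints magnitudes below 1e-6 in
// exponent form, so String(0.0000005) === "5e-7". parseInt then reads digits
// until the first non-digit ("e") and returns 5.
function stringAndParseInt(n) {
  return { asString: String(n), parsed: parseInt(n) };
}

// Vulnerable: same range check and same parseInt() as the challenge handler.
function applyVoteVulnerable(score, vote) {
  if (typeof vote !== "number") return { score, error: "Vote must be a number" };
  if (!(vote < 1 && vote > -1)) return { score, error: "Invalid vote" };
  score += parseInt(vote); // string round-trip: 5e-7 -> "5e-7" -> 5
  if (score > 1) return { score: -0.42069, win: true };
  return { score, win: false };
}

// Hardened: reject NaN/Infinity explicitly and truncate the numeric value with
// Math.trunc(), which never goes through a string. Every vote in (-1, 1)
// truncates to 0, so the score can no longer be pushed above 1.
function applyVoteHardened(score, vote) {
  if (typeof vote !== "number" || !Number.isFinite(vote)) {
    return { score, error: "Vote must be a finite number" };
  }
  if (!(vote < 1 && vote > -1)) return { score, error: "Invalid vote" };
  score += Math.trunc(vote);
  if (score > 1) return { score: -0.42069, win: true };
  return { score, win: false };
}

// Stand-alone demonstration with the challenge's starting score.
console.log(stringAndParseInt(0.0000005));               // { asString: '5e-7', parsed: 5 }
console.log(applyVoteVulnerable(-0.42069, 0.0000005));   // { score: -0.42069, win: true }
console.log(applyVoteHardened(-0.42069, 0.0000005));     // { score: -0.42069, win: false }
```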

Using Burp Suite repeater, I was able to retrieve the flag.

Flag: grey{50m371m35_4_l177l3_6035_4_l0n6_w4y}
