Woooosh [web]

Woooosh

Clam's tired of people hacking his sites so he spammed obfuscation on his new game. I have a feeling that behind that wall of obfuscated javascript there's still a vulnerable site though. Can you get enough points to get the flag? I also found the backend source.

The frontend is obfuscated but maybe something else isn't?

Recon

The front-end is a web application with a game.

The client-side code is heavily obfuscated, but thankfully the challenge provides us with the source of the back-end, a Node.js Express server.

The idea of the game is to click the red circle till our score is high enough for a flag.

Cheating

The score is incremented when we pass this check:

if (dist(game.shapes[0].x, game.shapes[1].y, x, y) < 10) {
    game.score++;
}

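Well, that's rather easy. The server sends the shape coordinates to the client in the shapes event, so we write a socket.io client in Python that replies to each one with data[0]['x'] and data[1]['y'], the same pair of values the server compares against.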

import socketio

sio = socketio.Client()


@sio.event
def connect():
    # Start a game as soon as the socket is connected.
    sio.emit('start')


@sio.on('shapes')
def on_shapes(data):
    # Reply with x of shape 0 and y of shape 1, matching the server-side check.
    sio.emit("click", data=(data[0]['x'], data[1]['y']))


@sio.on('disp')
def on_flag(data):
    # The server sends the flag in a 'disp' event.
    print("flag", data)


@sio.on('score')
def on_score(data):
    print("score", data)


sio.connect('https://woooosh.2020.chall.actf.co/socket.io/')
sio.wait()

After it runs for a few iterations, we receive the flag.
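
The scoring check from the Cheating section, written out next to a corrected version, as an added example that is not the challenge's backend code. It assumes dist is Euclidean distance and that shapes[0] is the target; handleClick, MIN_CLICK_INTERVAL_MS and the sample coordinates are hypothetical.

```javascript
// Added example: dist, game.shapes and game.score come from the write-up;
// every other name and all sample values are constructed.
const dist = (x1, y1, x2, y2) => Math.hypot(x1 - x2, y1 - y2); // assumed Euclidean

// The check as quoted: x is read from shape 0, y from shape 1.
function hitAsWritten(game, x, y) {
  return dist(game.shapes[0].x, game.shapes[1].y, x, y) < 10;
}

// Corrected check: both coordinates come from the target (assumed shapes[0]).
function hitFixed(game, x, y) {
  const target = game.shapes[0];
  return dist(target.x, target.y, x, y) < 10;
}

// Assumed threshold: clicks arriving faster than this are treated as scripted.
const MIN_CLICK_INTERVAL_MS = 150;

// Hypothetical server-side click handler using the corrected check.
function handleClick(game, x, y, nowMs) {
  if (!Number.isFinite(x) || !Number.isFinite(y)) return "rejected:input";
  if (nowMs - game.lastClickMs < MIN_CLICK_INTERVAL_MS) return "rejected:rate";
  game.lastClickMs = nowMs;
  if (!hitFixed(game, x, y)) return "miss";
  game.score++;
  return "hit";
}

// Constructed game state: the target at (100, 200), a second shape at (400, 50).
function newGame() {
  return { shapes: [{ x: 100, y: 200 }, { x: 400, y: 50 }], score: 0, lastClickMs: -Infinity };
}

function demo() {
  const g = newGame();
  return {
    mixedPointOld: hitAsWritten(g, 100, 50),  // the point the Python client sends
    targetOld: hitAsWritten(g, 100, 200),     // an honest click on the target
    mixedPointNew: hitFixed(g, 100, 50),
    targetNew: hitFixed(g, 100, 200),
    clicks: [
      handleClick(g, 100, 200, 1000),   // on target
      handleClick(g, 100, 200, 1050),   // 50 ms later: too fast
      handleClick(g, "100", 200, 2000), // non-numeric coordinate
      handleClick(g, 100, 50, 3000),    // mixed point no longer scores
    ],
    score: g.score,
  };
}
console.log(demo());
```

Correcting the check alone does not stop a scripted client, because the shapes event still hands it the target coordinates; the interval check is one server-side control that does not depend on the obfuscated front-end.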

Flag

actf{w0000sh_1s_th3_s0und_0f_th3_r3qu3st_fly1ng_p4st_th3_fr0nt3nd}