Snek

web secchallenge22
Published on 16 Mar 2022

Description

Let’s see who is the best snake player in the CTF!

https://snek.secchallenge.crysys.hu/

  • Author: Pepe

Solution

0x1 reversing

The source code wasn’t given, although inspecting the site, everything is done using client-side javascript (YAY). So I started to reverse the source code, and quickly realized, that the game accesses scoreboard data via firebase. Deobfuscating the code, we can see, that the database is stored in a collection named scoreboard.

0x2 getting the flag

Reading through the firebase documentations, we acquire the necessary skills in order to get the flag. The only thing left to figure out, where the flag is being stored. The first educated guess works, and we can acquire the flag by running:

flag = await db.collection("scoreboard").doc("flag").get()

flag.data()

The acquired flag is:

cd22{HIDDEN}

← Back to SecChallenge22

all tags

CTF crypto crysys dnSpy hardware misc pwn reverse secchallenge secchallenge22 web