# TSG CTF 2021 Beginner's Web 2021 Writeup ## Challenge Summary You are given some converter website. It is doing some weird job. First, it constructs routes object based on action parameter and store it to the session. ```javascript= const setRoutes = async (session, salt) => { const index = await fs.readFile('index.html'); session.routes = { flag: () => '*** CENSORED ***', index: () => index.toString(), scrypt: (input) => crypto.scryptSync(input, salt, 64).toString('hex'), base64: (input) => Buffer.from(input).toString('base64'), set_salt: async (salt) => { session.routes = await setRoutes(session, salt); session.salt = salt; return 'ok'; }, [salt]: () => salt, }; return session.routes; }; ``` Then, it will render the page based on the routes object. ```javascript= app.get('/', async (request, reply) => { // omitted const {action, data} = request.query || {}; let route; switch (action) { case 'Scrypt': route = 'scrypt'; break; case 'Base64': route = 'base64'; break; case 'SetSalt': route = 'set_salt'; break; case 'GetSalt': route = session.salt; break; default: route = 'index'; break; } reply.type('text/html') return session.routes[route](data); }); ``` ## Solution ![](https://i.imgur.com/8q7R2If.gif) The flag is in the `flag` route, so you will want to set `session.salt = 'flag'`, but by doing so, `flag` route will be overwritten by `[salt]` end point and you will lose access to it. So, what we want to achieve is the following session state. ```javascript session = { routes: { flag: ..., index: ..., ... [salt]: ..., // salt is anything different from 'flag' }, salt: 'flag', } ``` ### 1st request First, you have to send `GET /?action=SetSalt&data=flag` to set `salt = 'flag'`. The session will be the following structure. ```javascript session = { routes: { flag: ..., // this route is overwritten and not accessible index: ..., ... flag: ..., }, salt: 'flag', } ``` ### 2nd request Second is the most important part. Now we want to recover `session.routes` so that we can access the `flag` route, but we don't want to update `salt`. The key is `set_salt` function. Normally, it updates routes and salt together. ```javascript= set_salt: async (salt) => { session.routes = await setRoutes(session, salt); session.salt = salt; return 'ok'; }, ``` What if line 2 is executed but line 3 is NEVER executed? It is possible. In line 2, we are `await`-ing the execution of `setRoutes` function. Do you know `async`/`await` in ECMAScript is just a syncax sugar of `Promise`? So, we can transform this function to the following equivalent code. ```javascript= set_salt: (salt) => { return setRoutes(session, salt).then((result) => { session.routes = result; session.salt = salt; return 'ok'; }); }, ``` The key is that the code is calling the chained method `then()` from the returned value of `setRoutes` function. What is the return value of this function? ```javascript= const setRoutes = async (session, salt) => { const index = await fs.readFile('index.html'); session.routes = { // omitted [salt]: () => salt, }; return session.routes; }; ``` It is returning the result of `session.routes`. This is unnecessary since the assignment to `session.route` is already done. Okay, we can control this value by `salt` parameter. What if we set `salt = 'then'`? It will return the following object. ```javascript { // omitted then: () => salt, } ``` As you can infer from the above code, this `then` method will be called with callback function as an argument. If the function is called, the returned value is considered to be `resolve`-ed and the process continues. But, this `then()` method is just ignoring the argument and the function is never called. So, by setting `salt = 'then'`, the assignment to `session.routes` happens inside `setRoutes` function, but `setRoute` function is not resolved and the assignment to `session.salt` never happens. So, send `GET /?action=SetSalt&data=then` to server and this will result in the following session state. ```javascript session = { routes: { flag: ..., index: ..., ... then: ..., }, salt: 'flag', } ``` This is what we want to achieve! ### 3rd request Now, just request the salt and it will print the flag! `GET /?action=GetSalt` ```javascript= return session.routes[route](data); // route = session.salt here ``` ### Appendix In technical term, this is called [Thenable Object](https://masteringjs.io/tutorials/fundamentals/thenable). ## Only 1 solve during contest? Why the fuck is this beginner???? Several reasons. * This challenge does not require experience in CTF. It consists of the combination of some logical errors in the code and knowledge of JavaScript itself. * A member of TSG, who is actually a beginner of CTF, could solve this challenge in just 3 hours. * ~~I thought more people solve this challenge honestly~~ Original writeup (https://hackmd.io/@hakatashi/ryRg7oLEt).