# UIUCTF 2020  
## nookstop  
_The Nook Stop has been acting up today....._

Writeup by **ranguli**

Challenege by **ian5v**

Visiting the challenge link
[https://nookstop.chal.uiuc.tf/](https://nookstop.chal.uiuc.tf/) brings us to
a page where the "Flag"  
button moves around dodging the mouse before you can click it. You can try
using the "Tab" key to  
iterate through the elements on the page and hit enter on the flag button but  
you'll end up with:

```  
Not that easy c: but here's a crumb: uiuctf{w  
```

The word crumb here is a hint as we'll see soon. I'm interesting in starting
out by looking at the JavaScript on the page to see if there is anything of
interest. Viewing the source of the page we see a `cookie.js` file, which
contains a helper function for dealing with cookies and a comment complaining
about how cookie manipulation isn't a feature in vanilla JS. If it wasn't
already clear, "crumb" in the last section was a reference to "cookies".

Next we see some inline JavaScript. Something of interest is the following few  
lines of jQuery:

```javascript  
$("#flag").click(function(){  
console.log("TODO: シークレット_バックエンド_サービスを可能にする");  
document.cookie = "clicked_flag_button=true";  
location.reload();  
});  
```

This Japanese reads (according to Google Translate), "TODO: Enable
Secret_Backend_Service". We see a cookie `clicked_flag_button` being set to
`true`, which we can verify exists if we check our cookies in our broser.

At this point I took a guess that we need to manipulate cookies, and it was  
probably going to involve adding a new cookie like
`secret_backend_service=true`. Sure enough after adding this cookie and
refreshing the page, we get the flag.

```  
uiuctf{wait_its_all_cookies?}  
```

(Always has been)

**Original writeup:**
[https://github.com/ranguli/writeups/blob/master/uiuctf/2020/nookstop.md](https://github.com/ranguli/writeups/blob/master/uiuctf/2020/nookstop.md)

Original writeup
(https://github.com/ranguli/writeups/blob/master/uiuctf/2020/nookstop.md).