You are Chris Wong, and you have a mission to win the game and redeem the free meal. Try to get a score over 300. Your flag will appear in scoreboard.php.

  1. Intercept the score update HTTP POST Request:

    • Observe that it includes a payload with parameters score and hash.
  2. Modify the Score and Resend:

    • Change the score value in the intercepted request and resend it. The server responds with “Invalid hash,” which indicates that the score is part of the hash calculation.
  3. Identify the Hashing Algorithm:

    • Inspecting the page shows a script named sha256.min.js, indicating that the hash algorithm used is SHA-256.
  4. Find Hash Generation Logic:

    • There is also JavaScript code embedded in the game.php page.

    • Reviewing the JavaScript code, the information about the hashing can be retrieved:

      ...

      const secretKey = '3636f69fcc3760cb130c1558ffef5e24';
      const username = "admin123";
      const token = "f980528fc2f243646fd0ea563b9b6cce";
      ...
      async function endGame() {
          ...

          const hash = generateHash(secretKey + username + score);

          ...
      }

    • From the code, it can be derived that the hash is generated by concatenating secretKey, username, and score.
  5. Generate the New Hash:

    • To modify the score, concatenate secretKey, username, and the desired score value, then hash this string with SHA-256.
    • Example input: 3636f69fcc3760cb130c1558ffef5e24admin123301
    • Using https://www.pelock.com/products/hash-calculator, the new hash generated is: C8B64AF8AA5E06F9BA55F7B19BCEDBDA23B11C0BBC711E5786A2B5D43CCB310F
    • Since the server expects a lowercase hash, convert it to lowercase.
  6. Send the Modified Request with New Hash:

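Why the hash check in this walkthrough gives no integrity, next to a server-authoritative alternative. This is an added example, not code from the challenge or the original write-up. secretKey and username are the values shown in the game.php excerpt; the server-side comparison in weakVerify and the ScoreLedger design are assumptions, since the server code is not on the page.

```javascript
const crypto = require("node:crypto");

// Values from the game.php excerpt on this page; they ship to every browser.
const secretKey = "3636f69fcc3760cb130c1558ffef5e24";
const username = "admin123";

// The page's scheme: SHA-256 over secretKey + username + score, lowercase hex.
function pageHash(key, user, score) {
  return crypto.createHash("sha256").update(key + user + score).digest("hex");
}

// Assumed server check (server code is not on the page): recompute and compare.
// Every input is known to the client, so this cannot tell a played score from
// a typed one. It only rejects requests where score and hash disagree.
function weakVerify(user, score, hash) {
  return hash === pageHash(secretKey, user, score);
}

// Hypothetical hardened design: the server keeps the tally per game session and
// treats the submitted number as a claim to cross-check, never as the score.
class ScoreLedger {
  constructor() {
    this.games = new Map();
  }
  start(user) {
    const gameId = crypto.randomBytes(16).toString("hex"); // unguessable, single use
    this.games.set(gameId, { user, score: 0 });
    return gameId;
  }
  addPoint(gameId) {
    const game = this.games.get(gameId);
    if (!game) throw new Error("unknown game");
    game.score += 1; // driven by server-validated game events
  }
  finish(gameId, claimedScore) {
    const game = this.games.get(gameId);
    if (!game) return { ok: false, reason: "unknown or already submitted game" };
    this.games.delete(gameId); // one submission per game, so no replays
    if (claimedScore !== game.score) return { ok: false, reason: "score mismatch" };
    return { ok: true, user: game.user, score: game.score };
  }
}
```

weakVerify reproduces both behaviours seen above: a changed score with the old hash fails ("Invalid hash"), and an uppercase digest fails because the comparison is against lowercase hex.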