Method in the Madness

Writeup for Method in the Madness (Web) - NahamCon CTF (2025) 💜

PreviousTMCB NextNo Sequel

Last updated 2 days ago

Method in the Madness

Writeup for Method in the Madness (Web) - NahamCon CTF (2025) 💜

Description

HackingHub has provided this CTF challenge!

Solution

The homepage has 6 checkboxes, that we can't click. There's a hint that we should checkout this page.

Let's check the JS.

function updateCheckboxes() {
    fetch("/poll")
        .then((response) => response.json())
        .then((data) => {
            // Check if all boxes are true and flag exists
            let allTrue = true;
            for (let i = 1; i <= 6; i++) {
                if (!data[`box_${i}`]) {
                    allTrue = false;
                    break;
                }
            }

            if (allTrue && data.flag) {
                // Hide main content and show flag
                document.querySelector(".main-content").style.display = "none";
                document.querySelector(".flag-container").style.display = "block";
                document.querySelector(".flag-container h1").textContent = data.flag;
            } else {
                // Update checkboxes (only the first 6)
                for (let i = 1; i <= 6; i++) {
                    const checkbox = document.getElementById(`box_${i}`);
                    if (checkbox) {
                        checkbox.checked = data[`box_${i}`];
                    }
                }
            }
        })
        .catch((error) => console.error("Error:", error));
}

// Initial update
updateCheckboxes();

// Poll every 3 seconds
setInterval(updateCheckboxes, 3000);

There's a GET request to /poll and sure enough, if we check the HTTP history in burp we see lots of requests, all returning false.

{
    "box_1": false,
    "box_2": false,
    "box_3": false,
    "box_4": false,
    "box_5": false,
    "box_6": false
}

Tried changing it to a JSON POST request and updating all the values to true, but it failed to update the values. Also tried removing disabled="" from each of the checkbox properties and manually ticking all of them.

Realised there is another endpoint /interesting which just says hello on the page. After visiting this page, I discovered that box_1 and box_2 are now ticked 🤔

My instance timed out and the second time around I went straight to /interesting and back to the homepage. The first box is ticked, so what is the pattern? How did the second box get checked last time?

Ah OK, I change the request method to POST on the /interesting endpoint and the second box is now checked! I try the OPTIONS method and box_5 is ticked. We have 3 more to go 🙏

Tried various HTTP methods, eventually ticked the remaining boxes with:

PATCH
PUT
DELETE

We hit the /poll endpoint again and get the flag!

{
    "box_1": true,
    "box_2": true,
    "box_3": true,
    "box_4": true,
    "box_5": true,
    "box_6": true,
    "flag": "flag{bd399cb9c3a8b857588d8e13f490b6fd}"
}

Flag: flag{bd399cb9c3a8b857588d8e13f490b6fd}

PreviousTMCB NextNo Sequel

Last updated 2 days ago

Description

HackingHub has provided this CTF challenge!

Solution

The homepage has 6 checkboxes, that we can't click. There's a hint that we should checkout this page.

Let's check the JS.

function updateCheckboxes() {
    fetch("/poll")
        .then((response) => response.json())
        .then((data) => {
            // Check if all boxes are true and flag exists
            let allTrue = true;
            for (let i = 1; i <= 6; i++) {
                if (!data[`box_${i}`]) {
                    allTrue = false;
                    break;
                }
            }

            if (allTrue && data.flag) {
                // Hide main content and show flag
                document.querySelector(".main-content").style.display = "none";
                document.querySelector(".flag-container").style.display = "block";
                document.querySelector(".flag-container h1").textContent = data.flag;
            } else {
                // Update checkboxes (only the first 6)
                for (let i = 1; i <= 6; i++) {
                    const checkbox = document.getElementById(`box_${i}`);
                    if (checkbox) {
                        checkbox.checked = data[`box_${i}`];
                    }
                }
            }
        })
        .catch((error) => console.error("Error:", error));
}

// Initial update
updateCheckboxes();

// Poll every 3 seconds
setInterval(updateCheckboxes, 3000);

There's a GET request to /poll and sure enough, if we check the HTTP history in burp we see lots of requests, all returning false.

{
    "box_1": false,
    "box_2": false,
    "box_3": false,
    "box_4": false,
    "box_5": false,
    "box_6": false
}

Realised there is another endpoint /interesting which just says hello on the page. After visiting this page, I discovered that box_1 and box_2 are now ticked 🤔

Ah OK, I change the request method to POST on the /interesting endpoint and the second box is now checked! I try the OPTIONS method and box_5 is ticked. We have 3 more to go 🙏

Tried various HTTP methods, eventually ticked the remaining boxes with:

PATCH
PUT
DELETE

We hit the /poll endpoint again and get the flag!

{
    "box_1": true,
    "box_2": true,
    "box_3": true,
    "box_4": true,
    "box_5": true,
    "box_6": true,
    "flag": "flag{bd399cb9c3a8b857588d8e13f490b6fd}"
}

Flag: flag{bd399cb9c3a8b857588d8e13f490b6fd}