warmup/whamazon
- Author: nalo_
- Category: warmup
This challenge is a huge classic. When starting up the container, we can access a site that looks like a terminal. In fact, after inspection, we can find that the site is using gotty, an app that mirrors your terminal on the web.
The challenge is quite simple: we are in a shop, with a fixed amount of money. We can buy random items, and some are too expensive for our wallet. One of the items is quite literally The Flag.

Of course, when we try to buy it, it is too expensive ($1’000’000’000). The goal is to manipulate our wallet balance so that we can buy the flag.
Unfortunately, as the website is only a reflection of the server’s terminal, we can’t edit the amount through a client-side JavaScript variable.
When trying to buy an affordable item, we can see the operation that calculates the amount of money to remove from our wallet, based on the price and the quantity:

However, there’s no check for a negative quantity. That results in subtracting a negative amount from our wallet. In simpler terms, adding money.

We now have enough money to buy the flag! The shop doesn’t want to give it up so easily, so we have to beat it at a rock-paper-scissors game.

We can then go back to the menu and see the content of the inventory to see the flag.
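
The missing quantity check described above, shown next to a hardened version. This is an added example, not the challenge's actual code; the item names, prices, starting balance and the `MAX_QUANTITY` limit are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed catalogue: item names and prices are assumptions, not challenge data.
PRICES = {"apple": 3, "flag": 1_000_000_000}
MAX_QUANTITY = 1_000  # assumed per-order limit


@dataclass
class Wallet:
    balance: int


def buy_vulnerable(wallet: Wallet, item: str, quantity: int) -> int:
    """Mirrors the flaw: the balance is checked, the sign of quantity is not."""
    total = PRICES[item] * quantity
    if total > wallet.balance:
        raise ValueError("insufficient funds")
    wallet.balance -= total  # a negative total increases the balance
    return wallet.balance


def buy_hardened(wallet: Wallet, item: str, quantity: object) -> int:
    """Validates type, range and item before the wallet is touched."""
    # bool is a subclass of int, so it has to be rejected explicitly.
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        raise ValueError("quantity must be an integer")
    if not 1 <= quantity <= MAX_QUANTITY:
        raise ValueError("quantity out of range")
    if item not in PRICES:
        raise ValueError("unknown item")
    total = PRICES[item] * quantity
    if total > wallet.balance:
        raise ValueError("insufficient funds")
    wallet.balance -= total
    return wallet.balance


def demo() -> tuple[int, str]:
    """Balance after the flawed purchase, and the hardened function's verdict."""
    after = buy_vulnerable(Wallet(balance=50), "apple", -10)  # 50 - (3 * -10)
    try:
        buy_hardened(Wallet(balance=50), "apple", -10)
    except ValueError as exc:
        return after, str(exc)
    return after, "accepted"
```

The hardened function also caps the quantity, so a single order cannot produce an arbitrarily large total.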
misc/malibu
- Category: misc
TODO