This challenge is the version 2 of the dont-use-client-side challenge. So the first thing I did was inspect the page source:
Page Source
As we can see, it contains an obfuscated js script. I used https://unminify.com/ to format the code:
Unminify
From the cleaner code, we can see that the list _0x5a46 contains the plaintext, so the flag is easily deducible. In fact, there aren’t many combinations, and with a bit of intuition, you can reconstruct it directly. However, just for fun, I performed a full reverse of what the code does to arrive at the construction of the flag.
🎯 Solution Path
Exploitation Steps
Initial setup
I wrote a script that “reverses” the obfuscation and verification logic of the JavaScript code, reconstructing the flag step by step and verifying that it satisfies all the conditions imposed by the JS code.
Exploitation
The script starts with the original array and rotates it 5 times (since 435 modulo 10 = 5). Then, it defines the function _0x4b5b, which maps hexadecimal indices (e.g., "0x3") to the corresponding element in the rotated array. Using the _0x4b5b function, the script retrieves the segments used in the JavaScript check:
"picoCTF{" (from "0x3")
"not_this" (from "0x4")
"_again_3" (from "0x6")
"37115}" (from "0x5")
"this" (from "0x7")
The script creates a placeholder list for a 30-character flag and fills it according to the substring conditions from the JavaScript code (including overlapping parts like "F{not" and literal characters "oCT", "{n"). This process simulates the reversal of the control logic. In the end, the script checks if the candidate string meets every condition set by the JS code. If all conditions are satisfied, the flag is returned. For verification, I directly used the js function from the website to check the final correctness of the flag.
Flag capture
Manual Flag
🛠️ Exploitation Process
Approach
The automatic exploit does exactly the procedure described above.
