🌐 Javascript Puzzle

A detailed write-up of the Web challenge 'Javascript Puzzle' from WolvCTF - 2025

[Image: Challenge Presentation]

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | WolvCTF - 2025 | Event Link |
| 🔰 Category | Web 🌐 | |
| 💎 Points | 499 | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 1/10 |
| 👤 Author | SamXML | Profile |
| 🎮 Solves (At the time of flag submission) | 7 | solve rate |
| 📅 Date | 22-03-2025 | WolvCTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | Team: QnQSec |

📝 Challenge Information

It is often useful to force exceptions to potentially get back valuable information. Can you make a request which causes an exception in this app? https://js-puzzle-974780027560.us-east5.run.app

🎯 Challenge Files & Infrastructure

Provided Files

Files:

🔍 Initial Analysis

First Steps

Initially, the website appears as follows:

[Image: Site Presentation]

Since there wasn’t much of interest, I decided to analyze the attached files. This challenge consisted of generating an exception by passing a parameter in the request:

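app.get('/', (req, res) => {
    try {
        // username comes straight from the query string, with no type check
        const username = req.query.username || 'Guest'
        const output = 'Hello ' + username
        res.send(output)
    }
    catch (error) {
        // any exception raised above ends up here and returns the flag
        res.sendFile(__dirname + '/flag.txt')
    }
})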

As we can see, by generating a simple exception, we will obtain the flag. Let’s see how.

🎯 Solution Path

Exploitation Steps

Initial setup

Surely, a special parameter needs to be sent. Initially, I thought of sending an array, like username[]=a, for example, but this doesn’t work. Let’s move on to the exploitation phase.

Exploitation

Then I thought of passing username[toString], since JavaScript will interpret req.query.username as an object:

{ toString:  }

However, because it is an object, we can override its toString method: we can send username[toString]=1. When it gets concatenated with a string ('Hello ' + username), the JavaScript engine tries to convert username into a string using its toString() method. But in this case, toString is overridden with a number (1), so when it is internally called as a function, the server throws an error. By doing this, I triggered the exception and consequently obtained the flag.
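The following is an added example, not code from the challenge or from the original write-up: it replays the handler's concatenation on constructed query values and compares it with a hardened variant that validates the type first. The function names, the sample values and the `<contents of flag.txt>` placeholder are assumptions made for illustration.

```javascript
// Constructed stand-ins for req.query.username after bracket-style parsing
// (assumption: the parser turns username[toString]=1 into a nested object).
const SAMPLES = {
  plain: 'alice',               // ?username=alice
  array: ['a'],                 // ?username[]=a
  shadowed: { toString: '1' },  // ?username[toString]=1
};

// Mirrors the challenge handler: any exception reaches the sensitive branch.
function greetOriginal(input) {
  try {
    const username = input || 'Guest';
    return { status: 200, body: 'Hello ' + username };
  } catch (error) {
    return { status: 200, body: '<contents of flag.txt>', reason: error.name };
  }
}

// Hardened variant: reject non-string input before any coercion happens,
// and keep the error path free of sensitive data.
function greetHardened(input) {
  try {
    const username = input || 'Guest';
    if (typeof username !== 'string') {
      return { status: 400, body: 'username must be a single string' };
    }
    return { status: 200, body: 'Hello ' + username };
  } catch (error) {
    return { status: 500, body: 'Internal Server Error' };
  }
}

// Run every sample through both handlers and collect the responses.
function runAll() {
  const rows = {};
  for (const [name, value] of Object.entries(SAMPLES)) {
    rows[name] = { original: greetOriginal(value), hardened: greetHardened(value) };
  }
  return rows;
}

console.log(JSON.stringify(runAll(), null, 2));
```

The array sample is coerced without error, which matches the observation that username[]=a does not work, while the object whose toString is not a function makes the concatenation raise a TypeError.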

Flag capture

[Image: Manual Flag]

🛠️ Exploitation Process

Approach

The automatic exploit performs a GET request by passing the parameter username[toString]=1, as we saw earlier, and then prints the flag.

🚩 Flag Capture

Flag

wctf{3xc3pt10n5_4r3_y0ur_fr13nd_14285137553}

Proof of Execution

[Image: Automated Flag. Screenshot of successful exploitation]

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |

💡 Key Learnings

New Knowledge

I learned how to generate an exception with JavaScript objects.

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous

📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:05 | From start to flag |
| Global Ranking (At the time of flag submission) | 3/318 | Challenge ranking |
| Points Earned | 499 | Team contribution |

Created: 22-03-2025 • Last Modified: 22-03-2025 Author: mH4ck3r0n3 • Team: QnQSec