1048576

Published on: February 1, 2025

4 min read · Posted by Baba is Dead

Challenge Details

Description

Category

Web Exploitation

Difficulty

Medium

Topics

SQL Injection

Event

Author

Baba is Dead

Baba got too good at 2048, so he decided to create his own 2048 game. Can you beat his high score?

Writeup

Prototype Pollution Exploit in backend/index.js

This challenge involved a 2048 Rip Off. Players had to obtain an impossible high score, the score being the sum of all the blocks on the 2048 grid. Main Page

This challenge involves exploiting a prototype pollution vulnerability in the backend code.

Prototype Pollution

The vulnerability occurs because the indices x and y in grid[cell.x][cell.y] are not validated. A hacker can set cell.x to "__proto__" and cell.y to any value, effectively polluting the array's prototype.

grid[cell.x][cell.y]

Bypassing the Checks

The following code checks each cell in the grid to ensure no values exceed 2048 and that all are numbers. However, it only checks items that are part of the array, so polluted values (e.g., those on the prototype) will not be caught by these checks:

for (var row of grid) {
    for (var cell of row) {
        if (cell > 2048 || typeof cell != "number") {
            console.log("Hey! No Cheating :C")
            process.exit(1);
        }
    }
}

Exploiting the Vulnerability

The vulnerability can be exploited by leveraging the prototype pollution in a specific part of the code where the grid is initialized:

for (var i = 0; i < size; i++) {
    var row = []
    for (var j = 0; j < size; j++) {
        row.push(0)
    }
    grid.push(row)
}
...
var score = 0
for (var i = 0; i < 4; i++) {
    for (var j = 0; j < 4; j++) {
        score += grid[i][j]
    }
}

If the size variable is set to less than 4, the loop will attempt to access indices outside the bounds of the array. We can pollute these bounds with our payload. The payload needs to allow us to increase the score and also be an iterable so that grid[i][j] does not return an undefined value. A string, such as "1111", can be used for this purpose.

Flag

Exploiting this vulnerability would allow you to bypass the checks and manipulate the score to achieve the desired outcome.

The flag for this challenge is:

ISC2CTF{I_4M_50_9ood_47_5UdoKu}

Afterword

Whats a good CTF without some PP? The main frontend source code credit goes to this codepen I found online.

Additional Resources

Front End Source Code

Prototype Pollution

Please login to comment

Comments

No comments yet