Tags: js misc web
/[a-z().]/
===
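```js
// `code` is the submitted payload: fewer than 200 characters, only a-z, "(", ")" and "."
if (code && code.length < 200 && !/[^a-z().]/.test(code)) {
  try {
    // Evaluate in a fresh context with an empty sandbox object and a 500 ms timeout
    const result = vm.runInNewContext(code, {}, { timeout: 500 });
    if (result === 1337) {
      output = process.env.FLAG;
    } else {
      output = 'nope';
    }
  } catch (e) {
    output = 'nope';
  }
} else {
  output = 'nope';
}
```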
We have to create a payload that, when run in the context, will return 1337. My first solution was:
`escape.name.concat(eval.length).repeat(eval.name.concat(eval).repeat(eval.name.concat(eval.length).length).concat(escape.name).length).length` which is 141 characters long. It uses the factorization of 1337, which is 7*191.
Then I improved it to:
`escape.name.concat(eval.length).repeat(escape(escape(escape(escape(escape(escape(escape(unescape))))))).length).length` which is 118 characters long
Then I was just poking around and the best I got for 7*191 was:
`console.profile.name.repeat(escape(escape(eval).sup().bold().link().link()).length).length` (90 characters)
However, my best payload doesn't use the factorization:
`escape(escape(eval).repeat(escape.name.sup().length)).concat(eval.name.link()).length` and is only **85 characters long!**
One could possibly brute-force the shortest solution, but no fun there! :)
The flag:
**HarekazeCTF{sorry_about_last_year's_js_challenge...}**