The challenge takes the url query string and parses it in blocks of 4 characters.
4 characters in each block are parsed as dest, fn, arg1, arg2 respectively
Then we have the env variable which has 4 parts

```
let env = {
a: (x, y) => x[y],
b: (x, y) => x + y,
c: (x) => !x,
d: []
};
```

The following code is executed after parsing each block.
`env[dest] = env[ fn ]( env[ arg1 ] , env[ arg2 ] )`

Our goal here is do a alert(1).
Since all we can do are operations on env only using functions inside env with arguments also from env
We will try to do

`env["b"].constructor("alert(1)")()`

Now we need to get the strings "constructor" and "alert(1)" inside env, since our input doesn't directly go into env we need to build the string with the operations provided.
This is where weird javascript quirks help

```
!( [ ] ) => false
!( false ) => true
false + [ ] => "false"
true + [ ] => "true"
"false" + "true"
```

Now our alphabet is `"falsetrue"`

We can get the string "undefined" by trying to read a key that does not exist
Now our alphabet is `"falsetrueundefined"`

By adding a function to a string
`env[a] + [ ] => "(x, y) => x[y]"`

Now our alphabet is `"falsetrueundefined(x, y) => x[y]"`
We can build "alert( )" using these alphabets

To build the string we need to access characters via array index, therefore we need numbers of index we want to access inside env.
We can do this by adding boolean

```
true + true => 2
true + false => 1
1 + true => 3
```

Using above we can access all indexes and we can build the string "alert(1)"
Now to build the string "constructor" we need the character "c" and "o" which we don't have in our alphabet "falsetrueundefined(x, y) => x[y]"
We can get this by env.d which is an array, we can build "flat" using our alphabets

`[ ]["flat"] + [ ] => "function flat() { [native code] }"`

so now our alphabet is `"falsetrueundefined(x, y) => x[y]function flat() { [native code] }"`
we can use this to build "constructor" similarly as we did "alert(1)"

and then finally do this operation
`env[ b ][ "constructor" ]([ ],"alert(1)")([ ],[ ])`

?12345fcddfbdftceefbftfbfgxbfafcta1bftpax12bttzax2pbpz4b22zax4pbpz6b24zax6pbpz5b14zax5pbpznb66nb6nzaxnpbpzpbp1nbn5zaxnpbpznb66nb1nzaxn3b21qax2qbzqzax1qbqzzax5qbqzzadqybdzqay3zay6qbqzzay2qbqzzax3qbqzzax5qbqzrax6qbqruay1qbquuay3qbquqbqzzay6qbqzqbqrcaaqecdpeedd
(I did not save the final payload during the ctf and the organizer took the challenge down while I was writing, this is missing the last few steps )