Tags: node.js 

Rating:

# ▼▼▼SimpleWeb(Web132pts)132/146=90.4%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**

**【Environment】**

I built an environment of Node.js

**【Extract only necessary parts in source code and fix】**

```
//var net = require('net');

flag='fake_flag';

ok = true;
//data="1 33.75 80.75 81.75 97.25";
arr = data.toString().split(' ');
arr = arr.map(Number);
console.log(arr);

if (arr.length != 5)
ok = false;
arr1 = arr.slice(0);
arr1.sort();
for (var i=0; i<4; i++)
if (arr1[i+1] == arr1[i] || arr[i] < 0 || arr1[i+1] > 127)
ok = false;
arr2 = []
for (var i=0; i<4; i++){
arr2.push(arr1[i] + arr1[i+1]);

console.log(i);
console.log(arr1[i],arr1[i+1]);
console.log(arr2);
}
val = 0;

//----

//arr2=[35,51,35,51];・・・・・・・・・・・①
//arr2=[34.75,114.5,162.5,179];

console.log(arr2);

for (var i=0; i<4; i++){
val = val * 0x100 + arr2[i];
console.log("val:"+val);
}

console.log("gol:"+0x23332333);

if (val != 0x23332333)
ok = false;
if (ok)
console.log(flag+'\n');
else
console.log('nope\n');
```

---

**【Apply an integer manually so as not to exceed the value from before at local environment】**

arr2=[35,0,0,0];

arr2=[35,51,0,0];

arr2=[35,51,35,0];

arr2=[35,51,35,51];

It was not in descending order of value

---

**【Manually search so that the values are in descending order Considering decimals】**

arr2=[34.75,0,0,0];

arr2=[34.75,114.5,0,0];

arr2=[34.75,114.5,162.5,0];

arr2=[34.75,114.5,162.5,179];

OK

---

**【Find arr1 from arr2 at local environment】**

[34.75,114.5,162.5,179];

↓ in descending order

[ 1, 33.75, 80.75, 81.75, 97.25 ]

---

**【Just to be sure running in a local environment】**

```
[ 1, 33.75, 80.75, 81.75, 97.25 ]
0
1 33.75
[ 34.75 ]
1
33.75 80.75
[ 34.75, 114.5 ]
2
80.75 81.75
[ 34.75, 114.5, 162.5 ]
3
81.75 97.25
[ 34.75, 114.5, 162.5, 179 ]
[ 34.75, 114.5, 162.5, 179 ]
val:34.75
val:9010.5
val:2306850.5
val:590553907
gol:590553907
fake_flag
```

OK

---

**【Enter into production environment】**

1, 33.75, 80.75, 81.75, 97.25

`*ctf{web_chal_made_by_binary_players_lol}`