Tags: node.js
# ▼▼▼SimpleWeb(Web132pts)132/146=90.4%▼▼▼
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
**【Environment】**
I set up a local Node.js environment.
**【Extract only the necessary parts of the source code and modify them】**
```
// Trimmed local copy of the challenge's input check, with debug logging.
// `data` is the raw input; in this listing it is only defined if the sample
// assignment below is uncommented.
//var net = require('net');
flag='fake_flag';
ok = true;
//data="1 33.75 80.75 81.75 97.25";
// Split on single spaces and convert each token with Number(). Decimals are
// accepted; nothing in this check requires the values to be integers.
arr = data.toString().split(' ');
arr = arr.map(Number);
console.log(arr);
// Exactly five values are required.
if (arr.length != 5)
ok = false;
// Sort a copy. sort() without a comparator orders elements by their string
// form, not numerically.
arr1 = arr.slice(0);
arr1.sort();
// Reject equal neighbours in the sorted copy and any arr1[1..4] above 127.
// NOTE(review): the negative check reads arr (the unsorted input), not arr1,
// and only covers indices 0..3. A stricter validator would also require
// Number.isInteger() for each value and sort with a numeric comparator.
for (var i=0; i<4; i++)
if (arr1[i+1] == arr1[i] || arr[i] < 0 || arr1[i+1] > 127)
ok = false;
// Build the four sums of adjacent values from the sorted copy.
arr2 = []
for (var i=0; i<4; i++){
arr2.push(arr1[i] + arr1[i+1]);
console.log(i);
console.log(arr1[i],arr1[i+1]);
console.log(arr2);
}
val = 0;
//----
//arr2=[35,51,35,51];・・・・・・・・・・・①
//arr2=[34.75,114.5,162.5,179];
console.log(arr2);
// Fold the sums as base-256 digits. Nothing forces a sum to be an integer, so
// a fractional part is multiplied by 0x100 on later iterations and spills into
// the lower digits of val.
for (var i=0; i<4; i++){
val = val * 0x100 + arr2[i];
console.log("val:"+val);
}
console.log("gol:"+0x23332333);
// The flag is printed only if every check passed and val equals 0x23332333.
if (val != 0x23332333)
ok = false;
if (ok)
console.log(flag+'\n');
else
console.log('nope\n');
```
---
**【Apply an integer manually so as not to exceed the value from before at local environment】**
arr2=[35,0,0,0];
↓
arr2=[35,51,0,0];
↓
arr2=[35,51,35,0];
↓
arr2=[35,51,35,51];
↓
The values were not in ascending order, so this does not work
---
**【Manually search, now allowing decimals, so that the values are in ascending order】**
arr2=[34.75,0,0,0];
↓
arr2=[34.75,114.5,0,0];
↓
arr2=[34.75,114.5,162.5,0];
↓
arr2=[34.75,114.5,162.5,179];
↓
OK
---
**【Find arr1 from arr2 at local environment】**
[34.75,114.5,162.5,179];
↓ in ascending order
[ 1, 33.75, 80.75, 81.75, 97.25 ]
---
**【Run it in the local environment, just to be sure】**
```
[ 1, 33.75, 80.75, 81.75, 97.25 ]
0
1 33.75
[ 34.75 ]
1
33.75 80.75
[ 34.75, 114.5 ]
2
80.75 81.75
[ 34.75, 114.5, 162.5 ]
3
81.75 97.25
[ 34.75, 114.5, 162.5, 179 ]
[ 34.75, 114.5, 162.5, 179 ]
val:34.75
val:9010.5
val:2306850.5
val:590553907
gol:590553907
fake_flag
```
↓
OK
---
**【Enter into production environment】**
1, 33.75, 80.75, 81.75, 97.25
↓
`*ctf{web_chal_made_by_binary_players_lol}`