WM02 - 250pts
View the page at and try to get the flag.
Looking at the source code we see an `h1` tag with data attributes: `<h1 id="user" data-user-name="henrywhite" data-user-id="152874" data-user-ref="c897cd08c105c0eff5ca296f56eaa4ab">Hello henrywhite!</h1>`

Changing the `data-user-name` to `admin` changes the text to `User data error`.

Looking at `/site.js` we see that `checkUser()` is called every second using `setInterval` at the bottom of the file. The following `if` statement contains the logic we can take advantage of: `if (get("user").dataset['userRef'] === hash(get("user").dataset['userName'] + "_" + get("user").dataset['userId']).split("").reverse().join("")) {`. We can change the `data-user-name` to `admin` and then run `hash(document.getElementById("user").dataset['userName'] + "_" + document.getElementById("user").dataset['userId']).split("").reverse().join("")` to get the `data-user-ref` to be `1dc3b8bdbf88d16df8a767eacb86f14c`. However, pasting this in causes the site to say `Invalid user`.

The solution is to also change `data-user-id` so it equals `"0"`. The final HTML should look like this: `<h1 id="user" data-user-id="0" data-user-name="admin" data-user-ref="31f7934415f3d31c64359bd51d378177">Hello admin!</h1>`

You can get the `data-user-ref` after changing `data-user-id="0" data-user-name="admin"` and then running `hash(document.getElementById("user").dataset['userName'] + "_" + document.getElementById("user").dataset['userId']).split("").reverse().join("")`.

Replacing the HTML as discussed above prints the flag.
epoch_wizard
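
The check in `site.js` gives no integrity protection because the hash is unkeyed and every input to it sits in the DOM. As an added example (not code from the challenge or from this write-up), the Node.js code below puts that check beside a server-side HMAC check. MD5 as the stand-in for the site's `hash()`, `SERVER_KEY`, the record objects and all function names are assumptions.

```javascript
const crypto = require("node:crypto");

// Stand-in for the site's hash(); the page does not show its implementation,
// so MD5 is an assumption. Any unkeyed hash behaves the same way here.
const hash = (s) => crypto.createHash("md5").update(s).digest("hex");
const reverse = (s) => s.split("").reverse().join("");

// Same shape as the check in site.js: everything needed to compute the
// reference value is available to whoever controls the browser.
function unkeyedRef(name, id) {
  return reverse(hash(name + "_" + id));
}
function clientSideCheck(user) {
  return user.ref === unkeyedRef(user.name, user.id);
}

// Hardened form: the server tags the record with a key the browser never sees.
const SERVER_KEY = crypto.randomBytes(32); // constructed; lives only on the server
function issueTag(name, id) {
  // JSON encoding keeps the field boundaries unambiguous.
  return crypto.createHmac("sha256", SERVER_KEY)
    .update(JSON.stringify([name, id]))
    .digest("hex");
}
function serverSideCheck(user) {
  const expected = Buffer.from(issueTag(user.name, user.id), "hex");
  const given = Buffer.from(String(user.ref), "hex");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length &&
    crypto.timingSafeEqual(given, expected);
}

// Constructed records: one issued by the server, one edited in the browser.
const issued = { name: "henrywhite", id: "152874" };
issued.ref = issueTag(issued.name, issued.id);
const edited = { name: "admin", id: "0" };
edited.ref = unkeyedRef(edited.name, edited.id); // recomputed client-side

function demo() {
  return {
    editedPassesUnkeyed: clientSideCheck(edited),
    editedPassesHmac: serverSideCheck(edited),
    issuedPassesHmac: serverSideCheck(issued),
  };
}
console.log(demo());
```

Even with a keyed tag, the decision to reveal privileged content belongs on the server, based on its own session state rather than on attributes the page sends back.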