WM02 - 250pts
Last updated
Was this helpful?
Last updated
Was this helpful?
View the page at and try to get the flag.
Looking at the source code we see an h1 tag with data attributes: <h1 id="user" data-user-name="henrywhite" data-user-id="152874" data-user-ref="c897cd08c105c0eff5ca296f56eaa4ab">Hello henrywhite!</h1>
Changing the data-user-name to admin changes the text to User data error.
Looking at /site.js we see that checkUser() is called every second using setInterval at the bottom of the file. The following if statement contains the logic we can take advantage of: if (get("user").dataset['userRef'] === hash(get("user").dataset['userName'] + "_" + get("user").dataset['userId']).split("").reverse().join("")) {. We can change the data-user-name to admin and then run hash(document.getElementById("user").dataset['userName'] + "_" + document.getElementById("user").dataset['userId']).split("").reverse().join("") to get the data-user-ref to be 1dc3b8bdbf88d16df8a767eacb86f14c. However, pasting this in causes the site to say Invalid user.
The solution is to also change data-user-id so it equals "0". The final HTML should look this this: <h1 id="user" data-user-id="0" data-user-name="admin" data-user-ref="31f7934415f3d31c64359bd51d378177">Hello admin!</h1> You can get the data-user-ref after changing data-user-id="0" data-user-name="admin" and then running hash(document.getElementById("user").dataset['userName'] + "_" + document.getElementById("user").dataset['userId']).split("").reverse().join("").
Replacing the HTML as discussed above prints the flag.
epoch_wizard