ASIS Finals 2014 – Match the pair (Web/PPC 200)

October 13, 2014

Description

Play 40 levels of the game quickly in order to get the authorization to see the flag

[Screenshot: the Match the pair game board]

Match the pair is a traditional concentration game: the player has to find eight image pairs containing a circle of the same color. The game logic is handled server side and the HTML code gives no hints about the pairs. The server randomly generates the images; if you request an image multiple times, the server generates a different image each time, but the color inside the circle stays the same.

You can play this game by hand, and once you have found all eight pairs, a new level with new pairs starts. If you solve 40 levels in a row, the game rewards you with a flag. Depending on your talent, in practice the game resets the level count while you are still playing the second or third level.

To circumvent this, our first attempt at automating the game was to simply brute force it: compare the first image with the second, the third, and so on until we find a pair. Doing it that way was still not successful.

Looking a bit further into the game

As already told above, the images are generated server side and their URL is http://asis-ctf.ir:12443/pic/{0..15}. If a player uncovers two images, let us say 3 and 12, the game logic sends an Ajax request to http://asis-ctf.ir:12443/send?first=3&second=12 to validate the pair. The server responds with “f” if the pair does not match or “ok” if it does.

Playing around with this validation API, we recognized that the server always responds with “ok” if we set the same value for the parameters first and second (e.g. http://asis-ctf.ir:12443/send?first=0&second=0). Always? No! The server responds with “ok” only seven times; the eighth time it responds with “done”. Looking into the JavaScript of the game, you will see that the game logic reloads the page after it receives a “done”. Doing this manually in the browser, you see that you have reached the second level. WOOHO! Let’s try again! Seven requests to the send API, seven times “ok”, eighth request “done”, reload, and welcome to level three.
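As an added example (not code from the original post or the challenge server), here is a small JavaScript model of the /send validation: an assumed reconstruction of the flaw described above, next to a hardened check that refuses a card paired with itself or with an already solved card. The card layout, the color names and all function names are constructed for the demo; the real server shuffles the cards and its code was never published.

```javascript
const CARDS = 16;            // card images are pic/0 .. pic/15
const PAIRS_PER_LEVEL = 8;
// Deterministic layout for the demo (the real server shuffles): card i and card i+8
// share a colour, so the eight true pairs are (0,8), (1,9), ..., (7,15).
function makeLevel() {
  const colors = ['red', 'green', 'blue', 'yellow', 'cyan', 'magenta', 'orange', 'purple'];
  return {
    cards: Array.from({ length: CARDS }, (_, i) => colors[i % PAIRS_PER_LEVEL]),
    matched: 0,         // counter used by the vulnerable model
    solved: new Set(),  // indices already paired, used by the hardened model
  };
}

// Vulnerable model (assumed): it only compares colours, so first === second always
// "matches" and eight such requests finish the level, as observed in the writeup.
function checkPairVulnerable(level, first, second) {
  if (level.cards[first] !== level.cards[second]) return 'f';
  level.matched += 1;
  return level.matched === PAIRS_PER_LEVEL ? 'done' : 'ok';
}

// Query parameters arrive as strings; accept only the literal decimal forms of 0..15.
function parseIndex(value) {
  const s = String(value);
  return /^(?:[0-9]|1[0-5])$/.test(s) ? Number(s) : -1;
}

// Hardened model: validate both indices, refuse a card paired with itself or with
// one already solved, and derive "done" from the set of solved cards, not a counter.
function checkPairHardened(level, first, second) {
  const a = parseIndex(first), b = parseIndex(second);
  if (a < 0 || b < 0 || a === b) return 'f';
  if (level.solved.has(a) || level.solved.has(b)) return 'f';
  if (level.cards[a] !== level.cards[b]) return 'f';
  level.solved.add(a);
  level.solved.add(b);
  return level.solved.size === CARDS ? 'done' : 'ok';
}

// Replays the writeup's trick (first=0&second=0, eight times) against a checker.
function replaySameIndexTrick(check) {
  const level = makeLevel();
  return Array.from({ length: PAIRS_PER_LEVEL }, () => check(level, '0', '0'));
}

// Plays one level honestly against a checker, uncovering the true pairs (i, i+8).
function playHonestly(check) {
  const level = makeLevel();
  return Array.from({ length: PAIRS_PER_LEVEL }, (_, i) => check(level, String(i), String(i + 8)));
}
```

Against the vulnerable model the replay yields seven “ok” and then “done”; against the hardened model it yields eight “f”, while honest play still finishes the level.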

Let’s automate!

We simply took parts of the game’s JavaScript, modified it a bit and created a recursive function that plays the levels for us by requesting the send API eight times and then simulating a page reload.

// i counts the requests within the current level (0..7), c is the current level.
function recurse(i, c) {
  $.ajax({
    url: '/send',
    data: {
      'first': 0,
      'second': 0
    },
    timeout: 5000,
    success: function (data) {
      // Anything other than f/ok/done is an unexpected message: show it and stop.
      if (data != 'f' && data != 'ok' && data != 'done') {
        alert(data);
        return;
      } else {
        if (i == 7) {
          // The eighth request was answered with "done": level c is finished.
          if (++c != 41) {
            // Simulate the reload the game performs after "done" with a
            // synchronous GET of the game page, which starts the next level.
            var xhr = new XMLHttpRequest();
            xhr.open('GET', '/', false);
            xhr.send();
            console.log('Reached level ' + c);
            recurse(0, c);
          } else {
            // All 40 levels are done: reload the page for real.
            location.reload();
          }
        } else {
          recurse(i + 1, c);
        }
      }
    },
    error: function (jqXHR, textStatus, errorThrown) {
      console.log(JSON.stringify(jqXHR) + ' ' + textStatus + '  ' + errorThrown);
    }
  });
}
recurse(0, 1);

Pasting this code into the JavaScript console of your browser and waiting a while results in an alert telling you to visit http://asis-ctf.ir:12443/flag.

[Screenshot: the alert shown after the script has finished]

On this page, the flag ASIS_28ca740e382225131fc0501d38cf5d30 rewards your efforts.

Possible alternative solution

If you do not want to cheat the game, you have to put some more effort into analyzing the images. It turned out that the images are PNG images with indexed colors, and the ninth palette entry seems to be the color of the circle in every image. So you only have to download all images, extract the color of the circle from each, and then you can play the game with the true pairs.

However, hackers are lazy…
