Javascript on System Overlordhttps://systemoverlord.com/tags/javascript.htmlRecent content in Javascript on System OverlordHugoen-usdavid@systemoverlord.com (David Tomaschik)david@systemoverlord.com (David Tomaschik)Mon, 02 Jun 2014 03:43:33 +0000Secuinside Quals 2014: Javascript Jail (Misc 200)https://systemoverlord.com/2014/06/02/secuinside-quals-2014-javascript-jail/Mon, 02 Jun 2014 03:43:33 +0000david@systemoverlord.com (David Tomaschik)https://systemoverlord.com/2014/06/02/secuinside-quals-2014-javascript-jail/<p>The challenge was pretty straightforward: connect to a service that&rsquo;s running a Javascript REPL, and extract the flag. You were provided a check function that was created by the checker function given below:</p> <pre><code>#!javascript function checker(flag, myRand) { return function (rand) { function stage1() { var a = Array.apply(null, new Array(Math.floor(Math.random() * 20) + 10)).map(function () {return Math.random() * 0x10000;}); var b = rand(a.length); if (!Array.isArray(b)) { print(&quot;You're a cheater!&quot;); return false; } if (b.length &lt; a.length) { print(&quot;hmm.. too short..&quot;); for (var i = 0, n = a.length - b.length; i &lt; n; i++) { delete b[b.length]; b[b.length] = [Math.random() * 0x10000]; } } else if (b.length &gt; a.length) { print(&quot;hmm.. too long..&quot;); for (var i = 0, n = b.length - a.length; i &lt; n; i++) Array.prototype.pop.apply(b); } for (var i = 0, n = b.length; i &lt; n; i++) { if (a[i] != b[i]) { print(&quot;ddang~~&quot;); return false; } } return true; } function stage2() { var a = Array.apply(null, new Array((myRand() % 20) + 10)).map(function () {return myRand() % 0x10000;}); var b = rand(a.length); if (!Array.isArray(b)) { print(&quot;You're a cheater!&quot;); return false; } if (b.length &lt; a.length) { print(&quot;hmm.. too short..&quot;); for (var i = 0, n = a.length - b.length; i &lt; n; i++) { delete b[b.length]; b[b.length] = [Math.random() * 0x10000]; } } else if (b.length &gt; a.length) { print(&quot;hmm.. too long..&quot;); for (var i = 0, n = b.length - a.length; i &lt; n; i++) Array.prototype.pop.apply(b); } for (var i = 0, n = b.length; i &lt; n; i++) { if (a[i] != b[i]) { print(&quot;ddang~~&quot;); return false; } } return true; } print(&quot;stage1&quot;); if (!stage1()) return; print(&quot;stage2&quot;); if (!stage2()) return; print(&quot;awesome!&quot;); return flag; }; } </code></pre> <p>As you can tell, there are two nearly identical stages that create an array of random length (10-30) consisting of random values. The only difference is in how the random values are generated: once from Math.random, and, in stage 2, from a function provided by the factory function. This function was not available to us to reverse the functionality of.</p>