KringleCon 4: Four Calling Birds WriteUp - Slot Machine Investigation
Posted: Jan 13, 2022 | ~ 1 min read time#ctf #kringlecon-2021 #web
Objective: Slot Machine Investigation
Test the security of Jack Frost’s slot machines. What does the Jack Frost Tower casino security team threaten to do when your coin total exceeds 1000? Submit the string in the server data.response element.
In this challenge, we’re given a link to Jack Frost’s slot machine and told to collect more than 1000 coins. We start out with 100 coins but just casually playing the slots makes it clear this machine favors the house.
It’s obvious we’re expected to “hack” the game so I opened up the dev tools of the browser to see the requests and responses.
There wasn’t anything in the headers to adjust but the request parameters appeared to change with each spin. It took me a while to figure out Chrome doesn’t allow you to edit and resend requests - but Firefox has that feature built-in. Once I switched to Firefox, I was able to play around with the betamount, numline, and cpl.
Any changes to betamount had to correspond to what was already known - I couldn’t bet 300 coins if I only had 200 coins. Otherwise, I would get an error response.
The parameter numline would error out if I chose random numbers and it didn’t appear to make a difference to the winning amount.
However, the cpl parameter seemed to be less finicky. After a couple tests, I learned negative numbers were accepted by the parameter and gave me extra coins!
Here we can see my coin count is now above 1000!
And in the response, there’s the secret message we’ve been looking for:
To see my other writeups for this CTF, check out the tag #kringlecon-2021.