# Truth about Pi Writeup and Notes [TSG LIVE! 6 CTF]

Date: 2021-10-04. Tags: CTF (en), Web (en), English.

> This page has been machine-translated from the [original page](/ctf-tsg-live6).

## Introduction

The web challenge "[Truth about Pi](https://github.com/tsg-ut/tsg-live-ctf-6/blob/main/web/truth-about-pi)" from TSG LIVE! 6 CTF taught me a lot, so I want to summarize what I learned in the form of a writeup and memo.

At first I assumed it was an injection challenge, so I kept falling deeper and deeper into a rabbit hole.

These are notes from the serious studying I did afterward, partly as a reminder to myself.

## WriteUp

When you access the challenge server, you see a page built with the koa framework.

After reading the provided challenge code, I found that the following section processes the input value, and that the flag is output when the final value of `digit` becomes `0`.

```javascript
if (ctx.method === 'POST') {
  const { index } = ctx.request.body;      // 1
  const pi = Math.PI.toString();           // 2
  const digit = parseInt(get(pi, index));  // 3
  content = `
    <h1>円周率の${index}桁目は${digit}です！</h1>
    ${digit === 0 ? `<p>${process.env.FLAG}</p>` : ''}
  `;
}
```

The final solution request that retrieves the flag is:

```text
curl -X POST -d "index=toString.length" http://localhost:3000
```

Let's trace through exactly why this request works.

## 1. Receiving the POST Request

First, let's look at `const { index } = ctx.request.body;`, which runs immediately after the POST request is received.

The body of the submitted POST request is parsed into an object by [**koa-bodyparser**](https://github.com/koajs/bodyparser).

Reading the module's source code, it appears the body is ultimately returned as JSON-parsed data. As a result, the value of `"index"` is stored in the `const` variable `index` via destructuring assignment.

Due to the parsing process, any value the user submits will always become a String object; it is not possible to send a Number object.

As a side note (unrelated to this challenge), if you define `"index"` multiple times in a POST request, it is stored in `index` as an Array object.

## 2. Setting Up Pi

The value of pi, `"3.141592653589793"`, is converted to a String object and stored in the variable `pi`.

(`Math.PI.toString()` contains no `0` digit at all, so no plain numeric index can ever work. If only `Math.PI` gave us a longer precision, none of this would have been a puzzle at all…)

## 3. Making digit 0

After steps 1 and 2, both variables `index` and `pi` contain String objects.

From here, we need to find an input value that makes `parseInt(get(pi, index))` return `0`.

First, the outermost `parseInt()` simply converts its argument to a number, so we don't need to think too hard about it. The real question is: what input makes `get(pi, index)` return something that `parseInt` turns into `0`, such as the string `'0'` or the number `0`?

Looking at the challenge code, `get` is defined as `const get = require('lodash.get');`, so let's look at the `lodash.get` source.

The third argument `defaultValue` defines the return value when the lookup yields nothing (`result === undefined`). Unfortunately, there is no way to pass that argument in this challenge.

```javascript
function get(object, path, defaultValue) {
  const result = object == null ? undefined : baseGet(object, path)
  return result === undefined ? defaultValue : result
}
```

In the code above, the variable `pi` is passed as `object` and `index` as `path`.

This means `baseGet` is called. Let's look at that too.

```javascript
function baseGet(object, path) {
  path = castPath(path, object)

  let index = 0
  const length = path.length

  while (object != null && index < length) {
    object = object[toKey(path[index++])]
  }
  return (index && index == length) ? object : undefined
}
```

The first key point here is the `castPath` function.

Reading the code, when the incoming value is not an array, it is passed to `stringToPath` for conversion into an array:

```javascript
var stringToPath = memoize(function(string) {
  string = toString(string);

  var result = [];
  if (reLeadingDot.test(string)) {
    result.push('');
  }
  string.replace(rePropName, function(match, number, quote, string) {
    result.push(quote ? string.replace(reEscapeChar, '$1') : (number || match));
  });

  return result;
});

function castPath(value) {
  return isArray(value) ? value : stringToPath(value);
}
```

The way that conversion works is the key insight.

`stringToPath` splits the string on `.` characters (the `rePropName` regex does the splitting; `reLeadingDot` only handles a leading dot). So if a string like `'toString.length'` is passed as `value`, the resulting array has two elements: `['toString', 'length']`.

Now back to `baseGet`.

At this point, the variable `path` holds an array converted from the user-supplied string.

```javascript
let index = 0
const length = path.length
while (object != null && index < length) {
  object = object[toKey(path[index++])]
}
return (index && index == length) ? object : undefined
```

The variable `object` is the return value of `baseGet`, which is therefore also the return value of `get(pi, index)`.

Let's trace through the while loop. Here is a modified version that prints intermediate values:

```javascript
// Stand-in for lodash's internal toKey: plain string keys pass through unchanged.
const toKey = (value) => String(value);

let index = 0;
let object = Math.PI.toString();
const path = ["toString", "length"];
const length = path.length;
console.log("Before :" + object);
while (object != null && index < length) {
  object = object[toKey(path[index++])];
  console.log("Count " + index.toString() + ": " + object);
}
console.log("After :" + object);
```

The output is:

```text
Before :3.141592653589793
Count 1: function toString() { [native code] }
Count 2: 0
After :0
```

Here is what is happening.

Inside the loop, properties are accessed on `object` using bracket notation.

On the first iteration, accessing the `toString` property on the String object `"3.14..."` yields the Function object for `toString`, which is stored in `object`.

On the second iteration, the code accesses the `length` property of that Function object.

This was new to me: in JavaScript, the `length` property of a Function object returns the number of parameters the function accepts.

Reference: [Function.length - JavaScript | MDN](https://developer.mozilla.org/ja/docs/Web/JavaScript/Reference/Global_Objects/Function/length)

The `toString` function we accessed takes zero parameters, so `baseGet` returns `0`, `get(pi, index)` also returns `0`, and the flag is printed.

## Summary

As a side note: for the same reason described above, any zero-parameter function accessible on the String object, such as `valueOf` or `toLowerCase`, can be substituted for `toString` and will also yield the flag.

Web challenges are not something I tackle often, but I happened to try this one. I had been carefully reading through the library source code, but my shallow understanding of JavaScript's prototype system meant I couldn't reach the flag on my own. Despite that, it was an excellent and educational challenge. Big thanks to the problem author!
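The lookup walked through above, as an added example that is not part of the original writeup or of lodash: a simplified stand-in for `lodash.get`'s dotted-path walk, the challenge's lookup built on it, and beside it a hardened lookup that treats `index` as an integer rather than a property path, plus the input check a defender would log on. The names `pathGet`, `vulnerableDigit`, `safeDigit`, `isSuspiciousIndex` and `demo` are mine, and the inputs in `demo` are constructed.

```javascript
// Added example (not the challenge's or lodash's own code). It models the
// challenge's lookup on a simplified stand-in for lodash.get, then shows a
// hardened lookup that never treats `index` as a property path.

const PI = Math.PI.toString(); // "3.141592653589793": 17 characters, no '0' digit

// Simplified model of lodash's castPath + baseGet for a plain dotted string:
// split on '.', then walk one key at a time. Like lodash, it follows whatever
// the object exposes, including inherited prototype methods such as toString.
// (The bracket and quoted-key syntax that rePropName also accepts is omitted.)
function pathGet(object, path) {
  const keys = Array.isArray(path) ? path : String(path).split('.');
  let current = object;
  for (const key of keys) {
    if (current == null) return undefined;
    current = current[key];
  }
  return current;
}

// The challenge's lookup as written: the untrusted `index` becomes a path.
// "toString.length" walks to String.prototype.toString and reads its arity, 0.
function vulnerableDigit(index) {
  return parseInt(pathGet(PI, index));
}

// Hardened lookup: accept only a canonical non-negative integer string that is
// in range, and index the string directly. Everything else is rejected (null).
function safeDigit(index) {
  if (typeof index !== 'string' || !/^(0|[1-9]\d*)$/.test(index)) return null;
  const i = Number(index);
  if (!Number.isSafeInteger(i) || i >= PI.length) return null;
  const ch = PI.charAt(i);
  return /^\d$/.test(ch) ? Number(ch) : null; // position 1 is '.', not a digit
}

// Request-validation check worth logging: a digit lookup never needs anything
// but an integer, so any other shape (a dotted path, a bare property name) is
// malformed input at best and a property-walk attempt at worst.
function isSuspiciousIndex(index) {
  return typeof index !== 'string' || !/^\d+$/.test(index);
}

// Constructed inputs: ordinary values, the page's payload and two variants
// from the Summary, run through both lookups side by side.
function demo() {
  const inputs = ['3', '1', '99', 'length', 'toString.length', 'valueOf.length'];
  return inputs.map((index) => ({
    index,
    vulnerable: vulnerableDigit(index),
    safe: safeDigit(index),
    suspicious: isSuspiciousIndex(index),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Running the file prints a table in which only the vulnerable column ever reaches 0, and only for inputs the suspicious column already flags.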