Category: Web
Tools Used: Burp Suite, Web browser
Skills Tested: HTTP interception, request tampering, logic bypass, game manipulation
Difficulty: Medium

Challenge Overview
In this web-based challenge, we faced a simple chess interface. The page allowed us to play against an AI opponent. The goal was clear: beat the AI and receive the flag.
Simple enough, right?
I thought I could make a few moves, defeat the bot, and grab the flag.
I was wrong.
After trying multiple times to outsmart the AI—using aggressive tactics, careful play, and even letting Stockfish suggest moves—the AI refused to lose. There was no winning condition triggered, even when I checkmated the bot decisively.
That’s when I realized this challenge was not about chess skill. It was about intercepting the game logic itself.
Step 1: Observing Game Behavior
As I played, I observed that every move triggered a request to the server. The board updated dynamically, which made me suspect some sort of backend evaluation occurred after each move.
I opened Burp Suite, set up the browser through the proxy, and started monitoring the network activity.
Before long, I found an interesting HTTP request:
```http
POST /evaluate
Content-Type: application/json
```
Request body:
```json
{
  "fen": "r1bqkbnr/pppp1ppp/2n5/4p3/4P3/5N2/PPPP1PPP/RNBQKB1R w KQkq - 2 3",
  "move": "Nf3"
}
```
The server responded with something like:
```json
{
  "eval": -0.34,
  "comment": "Slightly worse for black."
}
```
Interesting. The eval field clearly showed how the AI viewed the position—negative numbers favored black, while positive numbers favored white.
Step 2: The Key Discovery
After I "won" the game with a clear checkmate, I intercepted the final move's request again.
The response I received was:
```json
{
  "eval": -20.0,
  "comment": "Black is completely lost."
}
```
Still, no flag appeared.
That’s when it struck me.
What if the flag logic doesn’t depend on checkmate at all, but rather on the evaluation score returned by the server?
Step 3: Manual Tampering with Burp Suite
I replayed the final move request using Burp’s Repeater, but this time, I manually changed the server's response in Burp's Intercept tab before the browser could display it.
Here’s what I did:
I intercepted the response.
I changed the eval value from:
```json
"eval": -20.0
```
to:
```json
"eval": -2200000
```
This change created an unrealistic, absurd score just to force the game into granting the win condition.
Then, I forwarded the response.
Step 4: Winning the Game (And the Flag)
Immediately after forwarding the modified response, the browser displayed:
Boom.
The flag appeared based entirely on the eval score—not on the actual game state or checkmate. The AI didn’t care about legality or winning moves; it simply trusted the eval value.
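The pattern above, as an added example that is not part of the original write-up or the challenge's code: a vulnerable flag endpoint that trusts the eval the client hands back, beside a hardened one that decides from state it kept server-side. The material-count engine, the session keys, the threshold of -10.0 and the sign convention (negative means black is losing, as in the -20.0 "Black is completely lost" response) are all assumptions.

```python
import json

FLAG = "flag{constructed-example}"   # placeholder, not the challenge's real flag
WIN_THRESHOLD = -10.0                # assumed: eval at or below this means white (the player) has won


def material_eval(fen: str) -> float:
    """Stand-in for the challenge's engine: material balance in pawns from the FEN board field.
    Sign convention assumed from the write-up's responses: negative means black is behind."""
    values = {"p": 1, "n": 3, "b": 3, "r": 5, "q": 9}
    score = 0
    for ch in fen.split()[0]:
        if ch.lower() in values:
            score += -values[ch.lower()] if ch.isupper() else values[ch.lower()]
    return float(score)


class VulnerableServer:
    """Mirrors the challenge: whatever eval the client sends back decides the win."""
    def evaluate(self, session: str, fen: str) -> dict:
        return {"eval": material_eval(fen)}

    def claim_flag(self, session: str, client_body: str):
        body = json.loads(client_body)
        return FLAG if body.get("eval", 0) <= WIN_THRESHOLD else None


class HardenedServer:
    """Keeps the last evaluation server-side per session; the client body is never consulted."""
    def __init__(self):
        self._games = {}

    def evaluate(self, session: str, fen: str) -> dict:
        score = material_eval(fen)
        self._games[session] = score
        return {"eval": score}

    def claim_flag(self, session: str, client_body: str):
        score = self._games.get(session)
        return FLAG if score is not None and score <= WIN_THRESHOLD else None


def tampered_claim(server, fen: str):
    """Replays the write-up: take the real /evaluate response, overwrite eval with -2200000, send it back."""
    response = server.evaluate("sess-1", fen)
    response["eval"] = -2200000
    return server.claim_flag("sess-1", json.dumps(response))


def honest_claim(server, fen: str):
    """A client that forwards the server's response untouched."""
    response = server.evaluate("sess-2", fen)
    return server.claim_flag("sess-2", json.dumps(response))
```

The session key is the one thing the hardened version still depends on, so in a real deployment it must be an unguessable token bound to the authenticated player rather than a client-chosen string.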
Key Takeaways
Never trust the client. In this case, the server let the frontend decide victory based on a tamperable field. That’s a major security flaw.
Always inspect requests and responses. Tools like Burp Suite are essential for understanding and manipulating application logic—especially in CTFs where creativity is encouraged.
Know when the win logic doesn’t match the game logic. Even when it looks like a “beat the game” challenge, sometimes the logic that grants the win is separate from actual gameplay.
Final Thoughts
This was a clever and tricky challenge. It appeared to be a game of chess, but it was really a lesson in insecure logic validation and misplaced client trust.
The idea of allowing players to win based on an eval field—something the client could see and modify—was the main vulnerability. It didn’t matter if I was Magnus Carlsen or a complete beginner. With Burp Suite, I was able to beat the AI by lying convincingly enough.
If you ever face a game-based CTF challenge like this, don’t just focus on winning the game; examine how the win is determined.