PicoCtf_2k_25 WebSockFish
Description :-
❇️Can you win in a convincing manner against this chess bot? He won't go easy on you!
Hint :-
✅Try understanding the code and how the websocket client is interacting with the server
Solutions :-
Step 1 :-
First, I checked the various technologies used in the website and also analyzed how the game works. Basically, the game includes a bot and a regular user. Now, my task is to find the vulnerability and extract the flag.
Step 2 :-
Since the hint mentioned WebSocket, we need to understand how the WebSocket functionality works, specifically how this game uses it between client and server. So, I intercepted the requests (after making a move) using Burp Suite and analyzed the responses.
In the image above, we can see a command named eval. When I change its value, the server sends the client a message saying 'I think this position is Pretty equal'.
Step 3 :-
Now, if I set the value to a negative number, I still see the same message. But when I randomly send a large negative value to the server, I notice the message changes and that's where I find the flag.
And yes, I got the flag.
Thank You For Reading This Writeup
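The behaviour in Step 3 comes from a server that acts on a score supplied by the client. The sketch below is an added example, not the challenge's code: it puts that pattern beside a hardened handler that validates the frame, derives the outcome only from server-side state, and raises a detection signal when the client's claim diverges. The `eval <int>` frame shape, the thresholds, the function names and the assumption that the bot plays White are all hypothetical.

```javascript
// Added illustration, not the challenge's code. The "eval <int>" frame shape,
// thresholds and replies other than the quoted "Pretty equal" text are assumed.

// Vulnerable pattern: the score reported by the client decides the outcome.
function vulnerableHandler(frame) {
  const [cmd, arg] = frame.split(" ");
  if (cmd !== "eval") return "unknown command";
  const score = parseInt(arg, 10);
  if (score < -50000) return "You win: <reward released>";
  return "I think this position is Pretty equal";
}

// Server-side material count (centipawns, White's view) from the board the
// server tracks itself. Assumes the bot plays White.
const VALUE = { p: 100, n: 300, b: 300, r: 500, q: 900, k: 0 };
function serverEval(fen) {
  let score = 0;
  for (const ch of fen.split(" ")[0]) {
    const v = VALUE[ch.toLowerCase()];
    if (v === undefined) continue; // rank separators and empty-square digits
    score += ch === ch.toUpperCase() ? v : -v;
  }
  return score;
}

// Hardened pattern: strict frame validation, outcome derived only from server
// state, and a detection signal when the client's claim diverges from it.
function hardenedHandler(frame, session) {
  const m = /^eval (-?\d{1,5})$/.exec(frame);
  if (!m) return { reply: "rejected", alert: "malformed or out-of-range frame" };
  const claimed = Number(m[1]);
  const actual = serverEval(session.fen);
  const alert = Math.abs(claimed - actual) > 1000
    ? `client eval ${claimed} diverges from server eval ${actual}` : null;
  const reply = actual < -1500 ? "You win" : "I think this position is Pretty equal";
  return { reply, alert };
}

// Constructed sample session: the standard starting position.
const START = "rnbqkbnr/pppppppp/8/8/8/8/PPPPPPPP/RNBQKBNR w KQkq - 0 1";
console.log(vulnerableHandler("eval -99999"));
console.log(hardenedHandler("eval -99999", { fen: START }));
```

A material count is only a stand-in for a real engine; the point is that whatever evaluation gates the reward runs on the server against state the server keeps.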