https://ctftime.org/task/10755

日本語は下

Writeup in English

Start from this screen. First, let's take a look at the source code, as there are no hints.

<div>
    <div class="flexmagic">
        <p id="magic">give flag</p>
    </div>
</div>
<div>
    <p class="hidden">you passed it chief</p>
</div>
<script>
    var msg = document.getElementById("magic");
    setInterval(function() {
        if (magic.innerText == "please give flag") {
            fetch("/flag?msg=" + encodeURIComponent(msg.innerText))
                .then(res => res.text())
                .then(txt => magic.innerText = txt.split``.map(v => String.fromCharCode(v.charCodeAt(0) ^ 0xf)).join``);
        }
    }, 1000);
</script>

At one-second intervals, we see if magic.innerText is please give flag, and if so, we're getting the flag. Is there a way to dynamically rewrite magic.interText? It can be rewritten using Google Chrome's developer tools.

After rewriting, the flag appears.

以下、日本語

この画面からスタート。 特にヒントもないので、まずはソースコードを見てみよう。

<div>
    <div class="flexmagic">
        <p id="magic">give flag</p>
    </div>
</div>
<div>
    <p class="hidden">you passed it chief</p>
</div>
<script>
    var msg = document.getElementById("magic");
    setInterval(function() {
        if (magic.innerText == "please give flag") {
            fetch("/flag?msg=" + encodeURIComponent(msg.innerText))
                .then(res => res.text())
                .then(txt => magic.innerText = txt.split``.map(v => String.fromCharCode(v.charCodeAt(0) ^ 0xf)).join``);
        }
    }, 1000);
</script>

1秒間隔でmagic.innerTextがplease give flagであるかを見て、そうならflagをもらってきている。
動的にmagic.interTextを書き換える方法はないだろうか。
Google Chromeのデベロッパーツールを使えば、書き換え可能だ。

書き換えたらフラグが出てくる。