Anantya ByteMe CTF Writeup: Blind Trust


Welcome Back to the Official Write-Up Series of ByteMe CTF!

The OWASP PCCOE Student Chapter is diving into the world of client-side vulnerabilities with our third challenge—Blind Trust. While our previous challenges focused on AI logic and token forgery, this one highlights a fundamental rule of web security: Never trust the client.

Category: Web Exploitation

Difficulty: Medium

Author: Suyog Jadhav

Theme: Client-Side Trust


Challenge Overview

The premise was simple: solve 20 rapid-fire math problems in the browser to reveal the flag.

  • The Hook: The interface claimed that answers were validated, a speed requirement existed, and legitimacy checks were in place.

  • The Reality: The backend performed zero validation. It blindly trusted the calculations performed by the browser's JavaScript.

Key insight: If you control the browser, you control the game.


Core Vulnerability: Lack of Server-Side Validation

The backend failed to verify:

  • ❌ Correctness of math answers.

  • ❌ Physical button interactions.

  • ❌ Human-like timing or speed.

By shifting all logic to the client, the challenge became a race of automation rather than a test of math skills.


Reconnaissance

Opening the DevTools Console (F12) during play revealed the inner workings of the challenge. By inspecting the DOM, we identified three critical elements:

Element        Purpose
#question      Displays the current math expression.
#answerInput   The field where the answer is entered.
#submitBtn     The trigger to send the data to the "trusting" backend.

Since everything important was exposed in the DOM, we could manipulate the entire flow using a simple script.


Attack Strategy: Automation

While you could solve 20 questions by hand, it is slow and prone to human error. The professional approach is to write a DOM-scraping auto-solver.

The Plan:

  1. Read the question string from #question.

  2. Sanitize and evaluate the mathematical expression.

  3. Inject the result into #answerInput.

  4. Programmatically click #submitBtn.

  5. Repeat until the flag is revealed.


The Exploit Script

By pasting the following script into the browser Console, the challenge solves itself in seconds:

JavaScript
(async function autoSolve() {
    console.log('🚀 Auto-solver started...');

    const solve = async () => {
        await new Promise(r => setTimeout(r, 1000)); // UI grace period

        const qEl = document.getElementById('question');
        // Question not rendered yet: poll again shortly
        if (!qEl || qEl.textContent === "Loading...") return setTimeout(solve, 500);
        // The question element is hidden once the flag is shown
        if (qEl.offsetParent === null) {
            console.log('🎉 FLAG REVEALED!');
            return;
        }

        // Sanitize symbols for JS eval()
        let expr = qEl.textContent
            .replace(/×/g, '*')
            .replace(/÷/g, '/')
            .replace(/²/g, '**2')
            .replace(/³/g, '**3');

        let answer;
        if (expr.includes('=')) { // Handle linear equations of the form "ax + b = c"
            const [left, right] = expr.split('=');
            const res = eval(right.trim());
            const m = left.match(/(\d+)x\s*\+\s*(\d+)/);
            if (m) {
                const coeff = parseInt(m[1]);
                const constant = parseInt(m[2]);
                answer = (res - constant) / coeff;
            }
        } else {
            answer = eval(expr);
        }

        document.getElementById('answerInput').value = answer;
        document.getElementById('submitBtn').click();
        setTimeout(solve, 2000); // Loop to next question
    };
    solve();
})();


Results

Within moments of running the script, the math problems are bypassed, and the system hands over the prize.

Flag: ByteMe{Bl1nd_7ru57_15_4w350m3}



Final Words

"Blind Trust" serves as a reminder that Client-Side Security is an Oxymoron. Anything that happens on the user's machine can be modified, bypassed, or automated. Always validate critical logic on the server! 

