WaniCTF 2024 - Bad_Worker - Write-up

CTF Jun 26, 2024

Welcome back

This is the write-up for Bad_Worker, a beginner Web challenge in WaniCTF 2024. In this challenge, we exploit the web worker to bypass URL validation to get the flag.

So let's get started.


The Challenge

This is a simple web page with three pages:

  1. Home
  2. Counter
  3. Fetch Data

And to make things simple, there is a Fetch FLAG.txt button. But if I click it, I get this.

This means the button is a diversion, or something stops me from getting the flag.


The Diligent Worker

After going through the HTML and JS code, I stumbled upon this.

The validation at line 41 is what stops me from getting the flag: whenever I request any URL containing FLAG.txt, the worker code at that line rewrites it to DUMMY.txt before the request goes out.


The Solution

The solution is simple: I need to make the API call and manually get the flag.
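The following is an added example, not code from the challenge or from this write-up. It models the behaviour described above (a client-side worker that rewrites any URL containing FLAG.txt to DUMMY.txt before the request is sent) and shows why that rewrite is not a security control: a request that does not pass through the worker reaches the backend unchanged. The file store, the `workerRewrite` function and the session object are constructed stand-ins; the challenge's real worker script and backend are not on this page. The hardened `serveWithServerSideCheck` function shows the defender's fix, which is to make the access decision on the server for every request.

```javascript
// Constructed in-memory file store standing in for the challenge backend.
// The flag value is a placeholder, not the real one.
const FILES = {
  "/FLAG.txt": "FLAG{constructed-placeholder}",
  "/DUMMY.txt": "This is a dummy file.",
};

// Client-side rewrite as the write-up describes it: any URL containing
// FLAG.txt becomes DUMMY.txt. This is an assumed shape of the worker logic.
function workerRewrite(url) {
  return url.includes("FLAG.txt") ? url.replace("FLAG.txt", "DUMMY.txt") : url;
}

// Backend that trusts the client: it serves whatever path it is asked for.
// Object.hasOwn avoids resolving prototype properties such as "/constructor".
function serveTrustingClient(path) {
  return Object.hasOwn(FILES, path) ? FILES[path] : null;
}

// A fetch routed through the worker, i.e. what the "Fetch FLAG.txt" button does.
function fetchViaWorker(path) {
  return serveTrustingClient(workerRewrite(path));
}

// A request that never passes through the worker (any client that does not
// run the page's scripts). The backend sees the original path.
function fetchWithoutWorker(path) {
  return serveTrustingClient(path);
}

// Hardened backend: the authorization decision is made server-side on every
// request, so it holds whether or not the worker sits in the request path.
// `session` is a constructed object; only an admin session may read the flag.
function serveWithServerSideCheck(path, session) {
  if (path === "/FLAG.txt" && !(session && session.isAdmin === true)) {
    return null; // equivalent to an HTTP 403 response
  }
  return Object.hasOwn(FILES, path) ? FILES[path] : null;
}

// Stand-alone demonstration of the three paths.
if (typeof require !== "undefined" && require.main === module) {
  console.log("via worker:      ", fetchViaWorker("/FLAG.txt"));
  console.log("without worker:  ", fetchWithoutWorker("/FLAG.txt"));
  console.log("server-side, anon:", serveWithServerSideCheck("/FLAG.txt", null));
  console.log("server-side, admin:", serveWithServerSideCheck("/FLAG.txt", { isAdmin: true }));
}
```

The design point: anything a worker or other page script does to a request happens inside the user's browser, so it can only ever be a convenience, never an access check. If the backend must not hand out FLAG.txt, the backend has to refuse it itself, as `serveWithServerSideCheck` does regardless of how the request arrived.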


Final Thoughts

This is a simple challenge. We must understand the application flow, as everything we need is right before us.