# TSG CTF 2023

## Web

### Upside-down-cake

<figure><img src="https://1258745909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPRj67lRKmIcGcfIbPm4a%2Fuploads%2F9jPtk9XJmWuZvKgcRHbY%2Fimage.png?alt=media&#x26;token=d31dddfa-fdb9-40f0-96b9-f5ab938b8c10" alt=""><figcaption></figcaption></figure>

Looking at the code, we can see that the flag is returned when the palindrome function accepts the input, i.e. when it recognizes it as a palindrome, which it does when:

1. the length is greater than 1000, and

2. iterating over every character, each one matches the character in the reverse position.

When we send the two different sizes for the input:

<figure><img src="https://1258745909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPRj67lRKmIcGcfIbPm4a%2Fuploads%2Fu4Sj1aTOmwJJnMPBe2ip%2Fimage.png?alt=media&#x26;token=3563795e-61a0-4bb3-bd1a-d4a04c446847" alt=""><figcaption></figcaption></figure>

Look at the function that receives the JSON data:

<figure><img src="https://1258745909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPRj67lRKmIcGcfIbPm4a%2Fuploads%2FQedL0dKyOWLMKmiGO9qk%2Fimage.png?alt=media&#x26;token=6b488630-8747-49fb-a5f9-a13894eaa267" alt=""><figcaption></figcaption></figure>

After digging a bit, I found out that since the server receives the data in JSON format, we can send a JSON object that has just the properties the validation function checks, so that it validates and gives us the flag. So we craft a payload for this:

```json
{"palindrome": {"length": "1000", "0": "", "999": ""}}
```

#### Analysis:

This JSON data represents an object with a property named "palindrome," which is itself an object. The "palindrome" object has three properties: "length," "0," and "999." Now, let's analyze the conditions in the `validatePalindrome` function:

1. **Length Check:**
   * If the length is less than 1000, it returns 'too short'.
   * In this case, `length` is the string "1000", which JavaScript converts to the number 1000 for the `<` comparison, so the input is not rejected as too short.
2. **Palindrome Check:**
   * It iterates through the characters and compares each character at position `i` with the character at position `length - i - 1`.
   * It also checks if the type of the character is a string.
   * In this specific palindrome, the characters at positions 0 and 999 are empty strings, so the comparison passes.
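The checks described above, sketched next to a hardened version. This is an added example, not the challenge's own source, which is only shown as a screenshot. The function names, the `Array(length).keys()` loop form and every return string other than 'too short' are assumptions.

```javascript
// Loose validator, reconstructed from the description above (assumed shape).
function validateLoose(value) {
  // "1000" < 1000 is false after numeric coercion, so the object is not "too short".
  if (value.length < 1000) return 'too short';
  // Assumption: indices come from Array(length).keys(). Array("1000") is a
  // one-element array holding the string, so only index 0 is ever visited.
  for (const i of Array(value.length).keys()) {
    const original = value[i];
    const reverse = value[value.length - i - 1]; // "1000" - 0 - 1 === 999
    if (original !== reverse || typeof original !== 'string') {
      return 'not palindrome';
    }
  }
  return null; // null means "accepted"
}

// Hardened form: reject anything that is not a primitive string before
// trusting .length or indexing into the value.
function validateStrict(value) {
  if (typeof value !== 'string') return 'not a string';
  if (value.length < 1000) return 'too short';
  for (let i = 0; i < value.length / 2; i++) {
    if (value[i] !== value[value.length - i - 1]) return 'not palindrome';
  }
  return null;
}

// Constructed inputs: the JSON body from this page and two real strings.
const body = JSON.parse('{"palindrome": {"length": "1000", "0": "", "999": ""}}');
const realPalindrome = 'a'.repeat(1000);
const notPalindrome = 'a'.repeat(999) + 'b';

function demo() {
  return {
    looseObject: validateLoose(body.palindrome),
    strictObject: validateStrict(body.palindrome),
    looseString: validateLoose(realPalindrome),
    strictString: validateStrict(realPalindrome),
    looseBad: validateLoose(notPalindrome),
    strictBad: validateStrict(notPalindrome),
    visited: [...Array(body.palindrome.length).keys()],
  };
}

console.log(demo());
```

The `typeof value !== 'string'` guard is the actual fix: once the input is known to be a primitive string, `length` and indexing behave as the palindrome logic expects.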

Result:

<figure><img src="https://1258745909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPRj67lRKmIcGcfIbPm4a%2Fuploads%2FVSijZsPIY0gK1qsu0suB%2Fimage.png?alt=media&#x26;token=0ecf2eec-d39d-4736-9522-34111c673dd7" alt=""><figcaption></figcaption></figure>

We can define the JSON object's properties like this, and the function will interpret them:

[refer](https://json-schema.org/understanding-json-schema/reference/object)

<figure><img src="https://1258745909-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FPRj67lRKmIcGcfIbPm4a%2Fuploads%2Fw9rPraXccxi0SMrrP6qc%2Fimage.png?alt=media&#x26;token=f5f93fe7-455f-48cd-9d5d-5f331fd0fd2f" alt=""><figcaption></figcaption></figure>

