Zerodays 2017 - Pacman 400 Writeup

Pacman
400
Pacman needs your help to find the next flag.
http://worldsbiggestpacman.com/play/#161,-182
flag format:
url shortcode

Let’s have a looksie at the game:

The game is hosted on a third party website so it’s unlikely that there’s any vulnerabilities we can exploit.

Hang on a sec, the map looks like a QR code! But it’s unlikely I’ll be able to find an app that will let me scan it ;). Let’s see if we can get access to the raw data that’s generating the map.

Open up Chrome Developer Tools Ctrl+shift+iand click the ‘Network’ tab and filter by ‘XHR’ requests only. (This will give you only the requests generated during runtime by the website’s Javascript code).

ajax_request_level.php looks interesting. Click to open a preview of what was received:

Judging by the screen layout, # means a wall element, o means a gap element, e means an empty space and - means a dot. Double click on ajax_request_level.php to open it in a new tab, and press Ctrl-S to save as level.json .

Alright, we have the map data in a structured format, let’s try print a QR code.

I wrote a quick python script to parse level.json and output the QR code into a HTML document using the Unicode black and white squares, inspired by this ASCII QR code website:

Open qr.html in you browser and voila:

But… it doesn’t scan. Then you realise that the corners should be solid black squares. You have to manually edit the source code of qr.html to figure out which ones to change to black squares. You then end up with this, which does scan:

It scans to http://q-r.to/bajM0B which is the flag you have to input.


Thanks to everyone involved involved in making Zerodays a really fun, Irish CTF and supplying great challenges like this one! Join the Facebook group if you want to hear more.

One clap, two clap, three clap, forty?

By clapping more or less, you can signal to us which stories really stand out.