Cheese Chess

Challenge Overview

We were provided with a web challenge featuring a chess game implemented using React and the react-chessboard library. The objective was to retrieve the flag displayed by the application under certain conditions.

Initial Analysis

Upon visiting the website, the React framework was quickly identified by inspecting the favicon and the page title.
Installed the React Developer Tools browser extension to analyze the component tree and inspect internal state.
Explored the source code and component states to understand the application's logic.

Vulnerability Discovery

Discovered a boolean state variable, gameOver, which controlled whether the flag would be displayed.

The relevant code snippet:

const [gameOver, setGameOver] = useState(false);

The flag was only shown if gameOver was set to true.

Exploitation Steps

Opened the website in a browser with React Developer Tools enabled.
Navigated to the React component responsible for the chess game.
Located the gameOver state variable in the component's state.
Manually changed the value of gameOver from false to true using the Dev Tools interface.

Flag Retrieval

After toggling the gameOver state to true, the application immediately revealed the flag in the UI.
(Flag intentionally hidden as requested.)
Challenge solved by manipulating client-side state via React Dev Tools.

Challenge Overview​

Initial Analysis​

Vulnerability Discovery​

Exploitation Steps​

Flag Retrieval​

Challenge Overview

Initial Analysis

Vulnerability Discovery

Exploitation Steps

Flag Retrieval