web

SNAD Writeup

Nahamcon 2025

Solved by Legend

In this challenge the website is having interaction if we click the website sand particles will fall off. I check the source code and found the code for this where specific points were mentioned which we needed to trigger.

Tried a bunch of things and also tried to access the flag using checkFlag() but it didn’t work so again made a script which will inject the points where the code is looking for.

const targets = [
  { x: 367, y: 238, hue: 0 },
  { x: 412, y: 293, hue: 40 },
  { x: 291, y: 314, hue: 60 },
  { x: 392, y: 362, hue: 120 },
  { x: 454, y: 319, hue: 240 },
  { x: 349, y: 252, hue: 280 },
  { x: 433, y: 301, hue: 320 }
];

for (let i = 0; i < targets.length; i++) {
  injectSand(targets[i].x, targets[i].y, targets[i].hue);
}

Once the points are matched to where the code is expecting the checks are passed and flag is given.

Key Learning and Takeaways

  • Always check the source code it often includes useful logic or hardcoded values.
  • Interactive web challenges may hide important behavior in JavaScript; inspect scripts, not just HTML.
  • Reverse-engineering how the frontend works can help you figure out how to trigger backend logic.
Published on : 31 May 2025