The server expects two values (one
and two
) passed in as a JSON array.
It appends a secret to the start of both of these and runs them through a custom hashing function.
If the result is equal, we get the flag. However, our input is compared with the ===
operator, and if they match our input is rejected.
As this is a web challenge, not a crypto one, I realized the target was not the hashing function.
After some playing around, I found that ['a'] === ['a']
returns false, likely because the arrays are two different objects in memory.
We send to the server:
and the flag is returned.