When we accessed the website, we found this:
It appears to be a normal chess game.
Even though I don’t know much about how to play this game, I’m going to make some random moves
Once I make the first move, in Burp Suite WebSocket history, we can see two requests made by me (the client) and the fish (the server).
I’m going to keep making more random moves until the fish wins, to see the whole process.
After a few random moves, instead of sending eval [number], it sent ‘mate 3’ to the server.
When I make more random moves, I reach the point where I can’t move anymore, and my last message to the server is ‘mate 1’.
Now it’s time to make a move using Repeater to see what we can do with it.
Let’s send mate 1.
Nothing. What if we go below 0?
Interesting, we checkmated. We win?? But there’s no flag?
Nothing. Let’s change it to eval -9999 first, and then we can keep pushing forward.
By adding another 9 to eval -9999, we got the flag.
