When we accessed the website, we found this:
It appears to be a normal chess game.
Even though I donβt know much about how to play this game, Iβm going to make some random moves
Once I make the first move, in Burp Suite WebSocket history, we can see two requests made by me (the client) and the fish (the server).
Iβm going to keep making more random moves until the fish wins, to see the whole process.
After a few random moves, instead of sending eval [number], it sent βmate 3β to the server.
When I make more random moves, I reach the point where I canβt move anymore, and my last message to the server is βmate 1β.
Now itβs time to make a move using Repeater to see what we can do with it.
Letβs send mate 1.
Nothing. What if we go below 0?
Interesting, we checkmated. We win?? But thereβs no flag?
Nothing. Letβs change it to eval -9999 first, and then we can keep pushing forward.
By adding another 9 to eval -9999, we got the flag.
