Flash CTF - Snowfall Wishes

Challenge Overview

This is a beginner-level web exploitation challenge that teaches players about the dangers of client-side security checks. The challenge presents a beautiful winter-themed wishing website with a "VIP Portal" that requires a secret passphrase.

Vulnerability

The VIP access check is performed entirely in client-side JavaScript. While the flag is base64 encoded, both the passphrase and the encoded flag are visible in the source code. This is a classic example of "security through obscurity" - which isn't real security at all.

Solution

Method 1: Find the Password in Source Code

  1. Visit the Snowfall Wishes website
  2. Right-click anywhere on the page and select "View Page Source" (or press Ctrl+U / Cmd+U)
  3. Scroll down to the JavaScript section and look for the VIP Access System:

// ============================================
// VIP Access System
// TODO: Move this check to the backend before launch!
// For now the code is: frosty_flakes_2024
// ============================================

const _0xg1ft = "TWV0YUNURntjMGxkX2g0bmRzX3c0cm1faDM0cnRzX3N0MHBfcHU3NzFuZ19zM25zaTdpdmVfMW5mMF8xbl83aDNfY2xpM250X2gzNHJ0aH0=";

function checkVIPAccess() {
    // ...
    const secretCode = "frosty_flakes_2024";
    // ...
}

  1. Enter the passphrase frosty_flakes_2024 in the VIP code input
  2. The flag will be decoded and displayed

Method 2: Decode the Base64 String Directly

If you notice the encoded string _0xg1ft, you can decode it yourself:

Using Browser Console (F12 → Console):

atob("TWV0YUNURntjMGxkX2g0bmRzX3c0cm1faDM0cnRzX3N0MHBfcHU3NzFuZ19zM25zaTdpdmVfMW5mMF8xbl83aDNfY2xpM250X2gzNHJ0aH0=")

Using command line:

echo "TWV0YUNURntjMGxkX2g0bmRzX3c0cm1faDM0cnRzX3N0MHBfcHU3NzFuZ19zM25zaTdpdmVfMW5mMF8xbl83aDNfY2xpM250X2gzNHJ0aH0=" | base64 -d

Using CyberChef or an online base64 decoder

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=VFdWMFlVTlVSbnRqTUd4a1gyZzBibVJ6WDNjMGNtMWZhRE0wY25SelgzTjBNSEJmY0hVM056RnVaMTl6TTI1emFUZHBkbVZmTVc1bU1GOHhibDgzYUROZlkyeHBNMjUwWDJnek5ISjBhSDA9&ieol=NEL&oeol=NEL

Flag

MetaCTF{c0ld_h4nds_w4rm_h34rts_st0p_pu771ng_s3nsi7ive_1nf0_1n_7h3_cli3nt_h34rth}

Interested in joining our team? Let’s connect!

Let's go

Upskill and assess cybersecurity talent through hands-on, bite-sized scenarios that mirror real work

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
About UsSkillBit LabsFor IndividualsCyber CompetitionsTerms of UsePrivacy Policy
Read Our Blog Case StudiesNews + EventsConnect With UsRequest a Demo