# DEFCON Quals 2021 - threefactooorx

An attachment was given as an Chrome extension. Unzip the extension and import it to Chrome, I got this.

In the folder I discovered a javascript file named content_script.js. After beautifully printed it using Chrome, I got the code easier to read slightly and could find keyword FLAG in it. Besides, many constant seems to be converted to function(num, num, num) just like document[_0x39523f(-0x19a, -0x187, -0x194, -0x17d)]. After pasting the functions definition it needed to console, we can finally know _0x39523f(-0x19a, -0x187, -0x194, -0x17d) refers to the string “body”. By this way, we can convert and extract the critical code. After reading the code carefully, wo got the code as follow.

From the code I know that all we need is to fulfill the conditions nodesadded === 5 && nodesdeleted === 3 && attrcharsadded === 23 && domvalue === 2188. I can figure out that nodesadded increases when creating an div element, nodesdeleted increases when removing an div element. domvalue is the chars total in div with id 3fa. attrcharsadded is the total length of attribute name in the context. However, domvalue is not only the length of document["getElementById"]('3fa').innerHTML.length. After debugging in the browser, I found document["getElementById"]('3fa').innerHTML.length should be 2131, which actually declined 8 chars in total I expected it should be before.

After fulfilled all the conditions above, the script will try to set the value of a element whose id is thirdfactooor as flag. So I just create a textarea for the flag. Besides, use an input can also reach the answer, but domvalue should be recalculate to fit 2188. Also, a element which is not div to be create in the 3fa context is also allowed only if the domvalue is correct.

Therefore, we can create a HTML page like this.

Also, a payload like this is also allowed.