Off-Brand Cookie Clicker

100

Instructions

I tried to make my own version of cookie clicker, without all of the extra fluff. Can you beat my highscore?

By Khael (@malfuncti0nal on discord)

Solution

I found the following javascript function in the source code:

if (count >= 10000000) {
    fetch('/click', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded'
        },
        body: 'count=' + count
    })
    .then(response => response.json())
    .then(data => {
        alert(data.flag);
    });
}

We can just manually send a request to that url to get the flag:

% curl -X POST http://betta.utctf.live:8138/click -d 'count=9999999999'
{"flag":"Wow, you beat me. Congrats! utflag{y0u_cl1ck_pr3tty_f4st}"}