Flash CTF – Snowfall Wishes

Challenge Overview

This is a beginner-level web exploitation challenge that teaches players about the dangers of relying on client-side security checks. The challenge presents a winter-themed wishing website with a “VIP Portal” that requires a secret passphrase before it will reveal the flag.

Vulnerability

The VIP access check is performed entirely in client-side JavaScript, so every piece of information the check needs is delivered to the browser. The flag is base64 encoded, but base64 is an encoding, not encryption: anyone who can read the page source can read both the passphrase and the encoded flag, and can reverse the encoding with a single atob() call. This is a classic example of “security through obscurity” – which isn’t real security at all.

Solution

Method 1: Find the Password in Source Code

  1. Visit the Snowfall Wishes website
  2. Right-click anywhere on the page and select “View Page Source” (or press Ctrl+U / Cmd+U)
  3. Scroll down to the JavaScript section and look for the VIP Access System:
// ============================================
// VIP Access System
// TODO: Move this check to the backend before launch!
// For now the code is: frosty_flakes_2024
// ============================================

const _0xg1ft = "TWV0YUNURntjMGxkX2g0bmRzX3c0cm1faDM0cnRzX3N0MHBfcHU3NzFuZ19zM25zaTdpdmVfMW5mMF8xbl83aDNfY2xpM250X2gzNHJ0aH0=";

function checkVIPAccess() {
    // ...
    const secretCode = "frosty_flakes_2024";
    // ...
}
  4. Enter the passphrase frosty_flakes_2024 in the VIP code input
  5. The flag will be decoded and displayed

Method 2: Decode the Base64 String Directly

If you notice the constant _0xg1ft, you can skip the form entirely and decode the flag yourself:

Using Browser Console (F12 → Console):

atob("TWV0YUNURntjMGxkX2g0bmRzX3c0cm1faDM0cnRzX3N0MHBfcHU3NzFuZ19zM25zaTdpdmVfMW5mMF8xbl83aDNfY2xpM250X2gzNHJ0aH0=")

Using command line:

echo "TWV0YUNURntjMGxkX2g0bmRzX3c0cm1faDM0cnRzX3N0MHBfcHU3NzFuZ19zM25zaTdpdmVfMW5mMF8xbl83aDNfY2xpM250X2gzNHJ0aH0=" | base64 -d

Using CyberChef or another base64 decoder (the link below has the recipe and input pre-filled):

https://gchq.github.io/CyberChef/#recipe=From_Base64('A-Za-z0-9%2B/%3D',true,false)&input=VFdWMFlVTlVSbnRqTUd4a1gyZzBibVJ6WDNjMGNtMWZhRE0wY25SelgzTjBNSEJmY0hVM056RnVaMTl6TTI1emFUZHBkbVZmTVc1bU1GOHhibDgzYUROZlkyeHBNMjUwWDJnek5ISjBhSDA9&ieol=NEL&oeol=NEL

Flag

MetaCTF{c0ld_h4nds_w4rm_h34rts_st0p_pu771ng_s3nsi7ive_1nf0_1n_7h3_cli3nt_h34rth}