🚩 Acorn Clicker – SquirrelCTF 2025


Challenge

- CTF:
SquirrelCTF 2025
- Title:
Acorn Clicker
- Category:
Web
- Description: 
Click acorns. Buy squirrels. Profit.
- Connection:
http://52.188.82.43:8090

Solution

The challenge starts with a simple login portal:


We register and log in, reaching the application's market:


The problem format is a familiar one: buy the flag product without having the balance it requires. The application lets the user earn currency by clicking the Acorn icon at the center of the page. We intercept the request generated by the click using BurpSuite:


The click generates a POST request whose body contains the amount of Acorns to earn:

{
    "amount": 5
}

The response echoes the same amount of Acorns:

{
    "earned": 5
}

We can see that the user balance is increased by that value:


A first attempt is simply to earn the number of Acorns required to buy the flag. Using Burp's Repeater tab, we reissue the request with amount set to 999999999999999999. This approach does not work: the application responds with a 400 error and the message Invalid amount:


Before diving into the source code provided with the challenge, we can follow a common CTF intuition and see what happens when the user's balance goes negative. To test this scenario, we repeat the last request in BurpSuite, setting the amount to -100:


The intuition was correct!

Now we have enough credit to buy the flag:


Exploit Explanation

As the flag suggests, the vulnerability lies in a bug in MongoDB, the database used by the application (specifically, in the bson library used by its Node.js driver). A quick search for "negative number deserialization mongodb" turns up the official page for the bug, which explains that:

The bson@6.4.0 library introduced a regression […] that can result in negative Int64 values being parsed as large positive values (greater than 9,223,372,036,854,775,807)

The page also describes the conditions under which the bug manifests:

All versions of the bson library between 6.4.0 – 6.10.2 contain the bug, and as a result, every Node.js driver release between 6.0.0 – 6.13.0 could be impacted. The following MUST be true for the bug to potentially affect an application:

  • A version of the affected bson library is used (either directly, or as a dependency of another library such as the Node.js driver)
  • The useBigInt64 option must be enabled (default is disabled)
  • A negative BSON Int64 value is deserialized via the bson library, which will deserialize it as a positive value greater than 9,223,372,036,854,775,807 (0x7fffffffffffffff)

Checking the source code, we can indeed see that the required option is enabled in index.js:

const client = new MongoClient(url, {
  useBigInt64: true,
});

Also, the bson library version listed in package.json is among the vulnerable ones:

"bson": "6.10.2"

Finally, the logic flaw that allows earning a negative amount of Acorns drives the balance negative, triggering the bug and granting a huge positive amount of Acorns.
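The following is an added illustration (not the challenge's code and not the bson library's own parser) that reconstructs the class of bug the advisory describes: a negative BSON Int64 read back as an unsigned 64-bit value, beside the correct two's-complement decode, plus the server-side amount check that would have closed the logic flaw. MAX_CLICK_AMOUNT is an assumed value.

```javascript
// Added example: a constructed model of the bug class, not the real bson code path.

// Buggy decoder: reassembles the 64-bit value from two unsigned 32-bit halves
// and never reinterprets the result as a signed (two's complement) integer.
function buggyInt64LE(buf, offset = 0) {
  const lo = BigInt(buf.readUInt32LE(offset));
  const hi = BigInt(buf.readUInt32LE(offset + 4));
  return (hi << 32n) | lo; // -100 comes back as 2^64 - 100
}

// Correct decoder: Node's Buffer already performs signed little-endian decoding.
function fixedInt64LE(buf, offset = 0) {
  return buf.readBigInt64LE(offset);
}

// Encode a balance as the 8 little-endian bytes a BSON Int64 occupies.
function encodeInt64LE(value) {
  const buf = Buffer.alloc(8);
  buf.writeBigInt64LE(BigInt(value));
  return buf;
}

const INT64_MAX = 9223372036854775807n; // 0x7fffffffffffffff, quoted in the advisory

// Round-trip a balance through storage and back through the given decoder,
// i.e. what the application sees after reading the document with useBigInt64.
function roundTripBalance(balance, decoder) {
  return decoder(encodeInt64LE(balance));
}

// Server-side guard independent of the parser bug: only small positive
// integer click amounts are accepted, so the balance can never go negative.
const MAX_CLICK_AMOUNT = 5; // assumed per-click cap, not taken from the challenge
function isValidAmount(amount) {
  return Number.isInteger(amount) && amount > 0 && amount <= MAX_CLICK_AMOUNT;
}

// Compare both decoders on a negative balance like the one reached in the writeup.
function demo(balance = -100n) {
  const buggy = roundTripBalance(balance, buggyInt64LE);
  return {
    fixed: roundTripBalance(balance, fixedInt64LE),
    buggy,
    exceedsInt64Max: buggy > INT64_MAX,
  };
}
```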

