Metro Lottery

Prompt

Players of the Metropolis online lottery are able to get a win percentage of more than 80% resulting in more people winning than should be statistically possible. Conduct a security audit to determine the cause.

Scope: This challenge is limited to HTTPS; please do not attack any other ports on this server and do not brute-force this web server.

Walk-Through

This challenge involves exploiting trusted client input. The objective of the challenge is to “win the lottery” which is not possible with the balance of money allotted to each user. Using all the allotted money will only yield a 3.85% chance of winning. The conditions for winning the lottery are to have a win percentage greater than 80%.

💻

All web-based challenges should be opened in a separate window to easily view the developer tools and to reduce confusion between resources on the Cyber Skyline website and the actual challenge website.

Guide

Use the developer tools to see the specific HTTP request which processes a purchase and to see the values for the number of tickets purchased and the cost of the purchase. To do this, navigate to the “Network” tab before making a purchase. Then, make a purchase.

A request to the “purchase” page should appear. Click on the request to view additional details.

Screenshots of developer tools are shown using Google Chrome. In the “Request Payload” section, the cost and the number of tickets can be clearly seen.

Let's look at the sources for this page, specifically main.js. Starting at line 5, there is code that handles purchasing the tickets and shows how the information in the form is sent to the server. See below for the particular snippet:

When the purchase button is clicked, the number of tickets is read from the form, and the cost is calculated client-side by multiplying the ticket price saved in the “session” variable by the number of tickets.

The form uses AJAX to send the data to the web server. Understanding more about AJAX can help in understanding how the request is processed.

The vulnerability in this website is that the server blindly trusts the “cost” and “tickets” values supplied by the client when a purchase request is made. An attacker can adjust these values to purchase more tickets than would normally be possible with the funds they have. A quick way to exploit the vulnerability is to copy the code that the purchase form uses and make some modifications.
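To make the flaw and its fix concrete, here is an added example of a purchase handler written for this walkthrough; it is not the challenge's own server code. The vulnerable version mirrors the behaviour described above (it charges whatever “cost” the client sends and credits whatever “tickets” the client sends), while the hardened version lets the client choose only the ticket count and recomputes the cost server-side. The ticket price, the per-request cap, the account objects and the request bodies are all constructed assumptions for the demo.

```javascript
// Added example: a framework-free lottery purchase handler in two versions.
// Nothing here is taken from the challenge's main.js or its server.

const TICKET_PRICE = 5;            // assumed server-side price per ticket
const MAX_TICKETS_PER_ROUND = 100; // assumed per-request cap

// Vulnerable handler: the server trusts both client-supplied fields.
// A body of { cost: 5, tickets: 1000000 } costs 5 and yields a million tickets.
function purchaseVulnerable(account, body) {
  if (account.balance < body.cost) {
    return { ok: false, error: 'insufficient funds' };
  }
  account.balance -= body.cost;
  account.tickets += body.tickets;
  return { ok: true, tickets: account.tickets, balance: account.balance };
}

// Hardened handler: the client only says how many tickets it wants;
// the server decides what that costs and whether the count is acceptable.
function purchaseHardened(account, body) {
  const tickets = body.tickets;
  // Number.isInteger rejects strings, fractional values, NaN and Infinity,
  // so "0.0001 tickets" or "'3'" never reach the arithmetic below.
  if (!Number.isInteger(tickets) || tickets < 1 || tickets > MAX_TICKETS_PER_ROUND) {
    return { ok: false, error: 'invalid ticket count' };
  }
  const cost = tickets * TICKET_PRICE; // any client-sent "cost" is ignored
  if (account.balance < cost) {
    return { ok: false, error: 'insufficient funds' };
  }
  account.balance -= cost;
  account.tickets += tickets;
  return { ok: true, tickets: account.tickets, balance: account.balance, charged: cost };
}

// Constructed request body shaped like the one the walkthrough sends from the console.
const RIGGED_BODY = { cost: 5, tickets: 1000000 };

// Runs both handlers against the rigged body and an honest request,
// returning the results so they can be inspected or asserted on.
function demo() {
  const vulnAccount = { balance: 100, tickets: 0 };
  const hardAccount = { balance: 100, tickets: 0 };
  return {
    vulnerable: purchaseVulnerable(vulnAccount, RIGGED_BODY),
    hardened: purchaseHardened(hardAccount, RIGGED_BODY),
    honest: purchaseHardened({ balance: 100, tickets: 0 }, { tickets: 3 }),
  };
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run it with node to see the vulnerable handler hand out a million tickets for a balance deduction of 5, while the hardened handler rejects the same body and correctly charges 15 for an honest three-ticket purchase. The key design choice is that the hardened handler never reads a price from the request at all, so there is nothing for the console trick above to tamper with.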

Copy the code where the AJAX request is made and paste it into the “Console” in developer tools. Then, adjust the values in the “cost” and “tickets” fields.

⚠️

Be sure to remove the “complete” field as it indicates the function that should be called after the server responds. This is not necessary for this exploit.

By adjusting the data to indicate a small cost and a large number of tickets, it is possible to rig the odds of winning the lottery, triggering the flag to appear.

In the console, for the URL field, you can simply use /purchase without the UID.

After waiting a few seconds for the end of the round, the flag should appear.

The flag has been redacted. The flag will be unique to each player.

Useful resources for this challenge:

  • AJAX - https://en.wikipedia.org/wiki/Ajax_(programming)
  • Use the Tutorial Video below

Tutorial Video

Watch our full Tutorial Video to learn more about exploiting untrusted web data and see a walkthrough of how to solve this challenge:

Cyber Skyline Live - Exploiting Untrusted Web Data - Feb 17, 2022

In Cyber Skyline Live - Exploiting Untrusted Web Data, you'll learn from Franz Payer, CEO of Cyber Skyline, about how to conduct a code review on a web application, exploit a number-rounding vulnerability by hand, and identify possible ways to secure the code. Reach out with questions at contact@cyberskyline.com. Cyber Skyline is the organizer of the National Cyber League, a bi-annual, all-virtual cybersecurity student competition, advancing hands-on skills and knowledge. Check the website at nationalcyberleague.org for details on NCL.


Questions

1. What is the flag obtained after winning the lottery?

Open the Metro Lottery webpage in a separate tab, then open the developer tools in your browser and execute this command:

$.ajax({method : 'POST', url : '/purchase' + window.location.search, data : JSON.stringify({ cost : 5, tickets : 1000000, }), dataType : 'json', contentType : 'application/json' });

⚠️

The flag is randomly generated, so the correct flag for you will be different.

©️ 2026 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.