description = "In Elf Connect, we help Angel Candysalt solve a word-matching puzzle. After earning the silver medal by finding groups of related words, we dig into the game’s code using DevTools. By analyzing the scoring logic, we bypass the normal gameplay and directly trigger the gold medal with a simple code execution in the browser console!"
I love brain games! This one is like the New York Times Connections game. Your goal here is to find groups of items that share something in common. Think of each group as having a hidden connection or theme—four items belong together, and there are multiple groups to find! See if you can spot patterns or common threads to make connections. Group all the items correctly to win!
WOW! A high score of 50,000 points! That’s way beyond the limit! With only four rounds and a max of 400 points per round, the top possible score should be 1,600 points. So, how did someone get to 50,000? Something unusual must be happening!
If you're curious, you might want to check under the hood. Try opening the browser's developer tools console and looking around—there might even be a variable named 'score' that could give you some insights. Sometimes, games hold secrets for those who dig a little deeper. Give it a shot and see what you can discover!
The game seems simple enough, click four words that are connected and go through the rounds. Depending on your knowledge of Christmas terms, you may fly through this no problem. My knowledge about it is not so good, but I decided to play the game normally at first anyway. With some Googling I got through the challenge and got the silver medal.
There are, however, multiple ways to solve the game. And we'll need to exploit this to get the gold medal.
This means two things. Firstly, if your knowledge is as bad as mine, you can just write some code to get the correct combinations. But, secondly, and more importantly, if the correct set is here, the checks are also likely done client-side (meaning in your browser, and not on the server).
If you're wondering how to get the correct combinations, you can do it like this:
```js
Object.keys(wordSets).map((round) =>
correctSets.map((correctSet) =>
correctSet.map((index) => wordSets[round][index])
)
);
```
This might look a little complicated, so let me explain it for you. We start by looping over `wordSets`, this contains all the words for a specific round. We then look at the correct sets, and map the four indices to the actual word in the list. If we execute this code, we get the following output:
Scanning further through the code, we find the `checkSelectedSet` function with some logic in it:
```js
function checkSelectedSet(scene) {
// ...
if (isCorrectSet) {
// ...
// Update score by 100 points
score += 100;
scoreText.setText("Score: " + score);
// Add high-score board
if (score > 50000) {
highScoreText.setText("High Score: " + score);
emitter.explode(20);
submitAction(2);
displaySuccessMessage(
"Great Job Hacker! Elf Connect Complete and Hacked!",
function () {}
);
}
// ...
}
// ...
}
```
In the code we can see that once a score of over 50000 has been achieved, it calls `submitAction(2)`. This looks suspicious. The only other place where the function is being called is on a normal win, in that case it passes `1` as the argument instead of `2`.
Let's execute this function on its own. To do this, we'll first need to attach our console to the iframe the game is running in. We can do so by clicking "top" in the top left corner of the DevTools, and selecting the iframe.
{{<figuresrc="/img/writeups/holiday-hack-challenge/2024/prologue/elf-connect/iframe-console.png"title="Attach console to iframe">}}
We can then enter the code in the console, and..., we got the gold medal!
{{<figuresrc="/img/writeups/holiday-hack-challenge/2024/prologue/elf-connect/submitaction.png"title="Running the code">}}
