description = "In Elf Connect, we help Angel Candysalt solve a word-matching puzzle. After earning the silver medal by finding groups of related words, we dig into the game’s code using DevTools. By analyzing the scoring logic, we bypass the normal gameplay and directly trigger the gold medal with a simple code execution in the browser console!"
The game seems simple enough, click four words that are connected and go through the rounds. Depending on your knowledge of Christmas terms, you may fly through this no problem. My knowledge about it is not so good, but I decided to play the game normally at first anyway. With some Googling I got through the challenge and got the silver medal.
There are, however, multiple ways to solve the game. And we'll need to exploit this to get the gold medal.
## Gold
For gold, we'll need to inspect the code behind the game.
We can open the DevTools, and under "Sources" we can find the iframe in which the game is running. Here we can see all the files that are being used.
This means two things. Firstly, if your knowledge is as bad as mine, you can just write some code to get the correct combinations. But, secondly, and more importantly, if the correct set is here, the checks are also likely done client-side (meaning in your browser, and not on the server).
If you're wondering how to get the correct combinations, you can do it like this:
```js
Object.keys(wordSets).map((round) =>
correctSets.map((correctSet) =>
correctSet.map((index) => wordSets[round][index])
)
);
```
This might look a little complicated, so let me explain it for you. We start by looping over `wordSets`, this contains all the words for a specific round. We then look at the correct sets, and map the four indices to the actual word in the list. If we execute this code, we get the following output:
This just get us the correct answer though, and we'll need more for gold.
Scanning further through the code, we find the `checkSelectedSet` function with some logic in it:
```js
function checkSelectedSet(scene) {
// ...
if (isCorrectSet) {
// ...
// Update score by 100 points
score += 100;
scoreText.setText("Score: " + score);
// Add high-score board
if (score > 50000) {
highScoreText.setText("High Score: " + score);
emitter.explode(20);
submitAction(2);
displaySuccessMessage(
"Great Job Hacker! Elf Connect Complete and Hacked!",
function () {}
);
}
// ...
}
// ...
}
```
In the code we can see that once a score of over 50000 has been achieved, it calls `submitAction(2)`. This looks suspicious. The only other place where the function is being called is on a normal win, in that case it passes `1` as the argument instead of `2`.
Let's execute this function on its own. To do this, we'll first need to attach our console to the iframe the game is running in. We can do so by clicking "top" in the top left corner of the DevTools, and selecting the iframe.
{{<figuresrc="/img/writeups/holiday-hack-challenge/2024/prologue/elf-connect/iframe-console.png"title="Attach console to iframe">}}
We can then enter the code in the console, and..., we got the gold medal!
{{<figuresrc="/img/writeups/holiday-hack-challenge/2024/prologue/elf-connect/submitaction.png"title="Running the code">}}