WebSockFish

Published: April 2, 2025
Updated: December 9, 2025

Description

The chess bot relays evaluation updates over a WebSocket. Instead of playing perfectly, hijack the `sendMessage` helper in the browser console and feed the server ridiculous evaluation scores.

Open the site, inspect the page source, and note the embedded WebSocket client and `sendMessage` helper.

Use your browser’s dev tools console to call `sendMessage(...)` directly. No moves required.

Solution

  1. Trigger the mate branch
    Sending `sendMessage("mate 1")` updates the chat to “drown in 1 moves,” proving the server accepts arbitrary client messages.
  2. Force a wild eval
    The flag is awarded when the evaluation dips beyond -50,000. Send any value lower than that to convince the bot you’re crushing it.
    `sendMessage("eval -1000000000")`
  3. Grab the response
    The chat window immediately prints the picoCTF flag once the server sees your impossible evaluation score.

Flag

picoCTF{c1i3nt_s1d3_w3b_s0ck3t5_e5e7...}

Because the evaluation is computed in the client and the server accepts whatever score it receives, you don't need chess knowledge; just forge the WebSocket message.
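
The fix for this class of bug lives on the server. The sketch below is an added example, not the challenge's code: it strictly parses the two message forms seen above, rejects scores outside a plausible range, and treats the client's number as display-only. The bounds, the `serverEval` argument (a score the server computed itself) and all function names are assumptions.

```javascript
// Added example: server-side handling of "eval <n>" / "mate <n>" text frames.
// Assumptions (not from the challenge source): both bounds below, the drift
// tolerance, and serverEval, a score the server derived from its own game state.
const MAX_ABS_EVAL = 20000;     // assumed plausible centipawn bound
const MAX_MATE_DISTANCE = 200;  // assumed plausible mate distance
const MAX_DRIFT = 300;          // assumed tolerated client/server disagreement

// Strictly parse one frame; anything outside the two known forms is rejected.
function parseClientMessage(raw) {
  if (typeof raw !== "string" || raw.length > 32) return null;
  const m = /^(eval|mate) (-?\d{1,10})$/.exec(raw);
  if (!m) return null;
  return { kind: m[1], value: Number(m[2]) };
}

// Decide what to do with a client frame. The client's number never grants
// anything; it is only validated and compared against the server's own score.
function handleClientMessage(raw, serverEval) {
  const msg = parseClientMessage(raw);
  if (msg === null) return { action: "reject", reason: "malformed" };

  const limit = msg.kind === "eval" ? MAX_ABS_EVAL : MAX_MATE_DISTANCE;
  if (Math.abs(msg.value) > limit) {
    return { action: "reject", reason: "out-of-range" };
  }
  // Large disagreement with the server's score is a tampering signal to log.
  if (msg.kind === "eval" && Math.abs(msg.value - serverEval) > MAX_DRIFT) {
    return { action: "flag", reason: "disagrees-with-server" };
  }
  return { action: "accept", reason: "display-only" };
}

// Constructed sample frames, including the two used in the write-up.
const samples = ["eval -1000000000", "mate 1", "eval 35", "eval -900", "eval 1e9"];
for (const s of samples) {
  console.log(s, "->", JSON.stringify(handleClientMessage(s, 40)));
}
```

With this in place the `eval -1000000000` frame is rejected before any game logic sees it, and a forged but in-range score such as `eval -900` is flagged because it disagrees with the server's own evaluation.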