Introduction

The BeatIt was a very easy web challenge from the Midnight CTF 2025.

The goal of that challenge was to find the flag in a backbloxed web application. In other words, we didn’t had access to the source code of the web application.

Game rules

The web application was in fact a game which each player had to remove between 1 and 3 stick. The player that’ll remove the last stick will loose. The bot always start.

Here, we could probably try to win this Nim game variant or exploit the API because it’s easier.

Exploitation

During a party, we can just open the web inspector, and see all the requests that are sent to the server.

When we play our turn, we’ll see that a POST /play request is sent to the server with the following body:

{
  "player_choice": 2
}

When we try to remove exactly 16 sticks to make the count goes to 1, the server respond with the flag:

MCTF{FAKE_FLAG_FOR_TESTING}