July 4, 2026
Fools Mate Tryhackme Writeups
This was quite a simple and straightforward room, honestly one of the calmer ones I’ve done lately.

By L4ZZ3RJ0D
It's mate in one. You know it, the engine knows it, my grandma knows it. The board says checkmate is one click away. The engine says no. Time to settle the argument.
While looking at the board we obviously know our move should be from a1 to a8. That's it, that's the whole game. Except the machine has other plans and just flat out refuses to let us make that move.
So the goal here is simple: trick whatever's stopping us and get that a1 to a8 move through anyway. I fired up Caido to actually look at what was happening under the hood when I tried it.
Turns out the a1a8 move never even makes it to the server. The JS rules stop it dead before the request goes anywhere. So I went and actually read the JavaScript, and the restriction was obvious the second I saw it.
Before sending any move to the backend, the frontend quietly creates a temporary chess board, plays your move locally, and checks whether that move results in checkmate.
If it's checkmate, the request just never gets sent.
```javascript
// Excerpt from the frontend: the move is replayed on a throwaway board first.
const probe = new Chess(game.fen());
result = probe.move({ from, to, promotion });
// If the move is legal and ends in checkmate, bail out before any request is sent.
if (result && probe.isCheckmate()) {
  showSystemNotice("I'll shut down your PC if you play that.");
  return false;
}
```

Cute threat, but it gave the game away. This restriction lives entirely in the browser. The backend has no idea any of this checkmate-detection theater is happening; it's still sitting there waiting to validate whatever move you actually send it and hand back the flag if it's happy.
So I just sent a normal request, the kind the game already trusts, and changed the value from a1a7 to a1a8 before it went out.
And that was it. The server didn't care about any local checkmate detection; it just validated the move and handed over the flag.
Classic case of the frontend doing all the talking and none of the enforcing. If your security check only exists in the browser, it isn't a security check, it's a suggestion.
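The same rule moved to where it can actually be enforced, as an added example (not code from the room or from this writeup). The `move` field name, the status codes and the constructed `SAMPLE` table standing in for a real rules engine are assumptions.

```javascript
// Added example. SAMPLE is constructed data standing in for a real rules
// engine: the legal moves in one position and whether each delivers mate.
const SAMPLE = { a1a7: { mate: false }, a1a8: { mate: true } };
const MOVE_RE = /^[a-h][1-8][a-h][1-8][qrbn]?$/;

// Minimal probe with the same move()/isCheckmate() shape as the frontend snippet.
function newProbe(legalMoves) {
  let last = null;
  return {
    move({ from, to }) {
      last = legalMoves[from + to] || null;
      return last; // null for an illegal move
    },
    isCheckmate: () => Boolean(last && last.mate),
  };
}

// Server-side handler: every check runs here, on the raw request body,
// whatever the browser did or did not do before sending it.
function handleMove(body, legalMoves, { enforceOnServer }) {
  const move = body && body.move;
  if (typeof move !== "string" || !MOVE_RE.test(move)) {
    return { status: 400, error: "malformed move" };
  }
  const probe = newProbe(legalMoves); // rebuilt from server state per request
  const result = probe.move({
    from: move.slice(0, 2),
    to: move.slice(2, 4),
    promotion: move[4],
  });
  if (!result) return { status: 422, error: "illegal move" };
  // The rule from the frontend, applied where it cannot be skipped.
  if (enforceOnServer && probe.isCheckmate()) {
    return { status: 403, error: "move rejected by server policy" };
  }
  return { status: 200, applied: move };
}

// A request edited in a proxy reaches the handler directly:
const tampered = { move: "a1a8" };
console.log(handleMove(tampered, SAMPLE, { enforceOnServer: false })); // rule only in the client
console.log(handleMove(tampered, SAMPLE, { enforceOnServer: true })); // rule on the server
```

With `enforceOnServer: false` the handler behaves like the backend described above: the edited request is legal, so it is accepted.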
Happy hacking, see you in the next room, hopefully one where the backend actually does its job.