hahwul

Postviewer v3 writeup by @terjanq

As it always have been with my challenges for Google CTF, they are based on real bugs I found internally. This year is a bit different though. This time the bugs were crafted by no other than me myself. One bug didn't manage to reach the production and the other is still present in prod making it effectively a 0day!

Both of my challenges (Postviewer v3 & Game Arcade) for this year are related to a sandboxing I've been working since the first postviewer challenge. You can read a little bit about it in

hahwul

<%= area_chart Rails.cache.read("data1") %>
<%= area_chart Rails.cache.read("data2") %>
<%= area_chart Rails.cache.read("data3") %>

<script>
  let eChartTriggerList = document.querySelectorAll('[id^="rails_charts_"]')
  window.addEventListener('resize', function() {
    let eChartList = [...eChartTriggerList].map(eChartTriggerEl => echarts.init(eChartTriggerEl).resize())
  });
</script>

hahwul

function createHeadingLinks(){
  const headings = document.querySelectorAll('h2[id],h3[id]');
  const linkContent = '#';
  for (const heading of headings) { 
      const linkIcon = document.createElement('a');
      linkIcon.setAttribute('href', `#${heading.id}`);
      linkIcon.setAttribute('style', 'color: #aaa');
      linkIcon.innerHTML = linkContent;
      heading.appendChild(linkIcon);
  }

hahwul

git ls-files | xargs cat | wc -l

hahwul

# Get all workers
SolidQueue::Process.all

# Get Pause and Ready Job
SolidQueue::Pause.all.pluck(:queue_name)
SolidQueue::ReadyExecution.where("queue_name LIKE ?", "dc_development_%").distinct(:queue_name).pluck(:queue_name)

# Get Failed Job
SolidQueue::FailedExecution.all
SolidQueue::FailedExecution.count

hahwul

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>PayloadContent</key>
	<array>
		<dict>
			<key>PayloadDescription</key>
			<string>Enable proxy settings for ZAP</string>
			<key>PayloadDisplayName</key>

hahwul

# The operation couldn’t be completed. Unable to locate a Java Runtime that supports jarsigner.
# Please visit http://www.java.com for information on installing Java.

brew install openjdk@11
sudo ln -sfn $(brew --prefix)/opt/openjdk@11/libexec/openjdk.jdk /Library/Java/JavaVirtualMachines/openjdk-11.jdk

hahwul

# Dependency
# gem install rumouse
#
# Run command
# ruby click.rb <delay-second>
# e.g: ruby click.rb 60

require 'rumouse'

mouse = RuMouse.new

hahwul

require "selenium-webdriver"
require "logger"

def searchCode code, logger
  begin
    options = Selenium::WebDriver::Firefox::Options.new
    options.add_argument('--headless')
    driver = Selenium::WebDriver.for :firefox , capabilities: options
    driver.navigate.to "https://grep.app/search?q=#{code}&filter[lang][0]=YAML&filter[repo.pattern][0]=action"
    sleep(3)

hahwul

<div id="asciinema-player"></div>
<script>
  AsciinemaPlayer.create("https://asciinema.org/a/{{ with .Get "key" }}{{ . }}{{ end }}.cast", document.getElementById('asciinema-player'), {
    {{ if .Get "autoplay" }}autoplay: {{ .Get "autoplay" }},{{ end }}
    {{ if .Get "preload" }}preload: {{ .Get "preload" }},{{ end }}
    {{ if .Get "loop" }}loop: {{ .Get "loop" }},{{ end }}
    {{ if .Get "idleTimeLimit" }}idleTimeLimit: {{ .Get "idleTimeLimit" }},{{ end }}
    {{ if .Get "poster" }}poster: "{{ .Get "poster" }}",{{ end }}
    {{ if .Get "terminalFontSize" }}terminalFontSize: {{ .Get "terminalFontSize" }},{{ end }}
    {{ if .Get "terminalFontFamily" }}terminalFontFamily: "{{ .Get "terminalFontFamily" }}",{{ end }}