search

tiwanari / realworldctf2019

0 stars 0 forks source link

accessible #11

Open tiwanari opened 5 years ago

tiwanari commented 5 years ago 
I think I messed this up...

http://13.52.191.222:13337/

accessible.txz

https://realworld-ctf-2019-quals.s3-us-west-1.amazonaws.com/40fb2d5b5370042b47232a18299ac646/accessible.txz

tiwanari commented 5 years ago

$ cat README.md

## README

The patch should apply to chromium commit `0c52497b2d30fadfc5b04addb8315e9f49a15baa` (v8 commit `eefa087eca9c54bdb923b8f5e5e14265f6970b22`).

Submit your URL to the challenge submission panel, and I will be doing the following:

* I will create a container with the browser and flag (at /flag) inside.
* I will run the browser with command: `chromium-browser --headless --no-sandbox --disable-gpu --virtual-time-budget=60000 $URL`.
* I will wait until the browser dies or the container times out (60 seconds).
* I will destroy the container.
tiwanari commented 5 years ago

$ cat pow_solver.py

#!/usr/bin/env python2
# -*- coding: utf-8 -*-

import hashlib, string, struct, sys

def solve_pow(chal, n):
  r = 0
  while True:
    s = chal + struct.pack("<Q", r)
    h = int(hashlib.sha256(s).hexdigest(), 16)
    if h % (2 ** n) == 0:
      break
    r += 1
  return r

if __name__ == '__main__':
  if len(sys.argv) != 3:
    print 'Usage: python pow.py chal n'
    sys.exit(1)
  result = solve_pow(sys.argv[1], int(sys.argv[2]))
  print result
tiwanari commented 5 years ago

$ cat challenge.patch

diff --git a/src/compiler/access-info.cc b/src/compiler/access-info.cc
index 0744138..1df06df 100644
--- a/src/compiler/access-info.cc
+++ b/src/compiler/access-info.cc
@@ -370,9 +370,11 @@ PropertyAccessInfo AccessInfoFactory::ComputeDataFieldAccessInfo(
       // The field type was cleared by the GC, so we don't know anything
       // about the contents now.
     }
+#if 0
     unrecorded_dependencies.push_back(
         dependencies()->FieldRepresentationDependencyOffTheRecord(map_ref,
                                                                   descriptor));
+#endif
     if (descriptors_field_type->IsClass()) {
       // Remember the field map, and try to infer a useful type.
       Handle<Map> map(descriptors_field_type->AsClass(), isolate());
@@ -384,15 +386,17 @@ PropertyAccessInfo AccessInfoFactory::ComputeDataFieldAccessInfo(
   }
   // TODO(turbofan): We may want to do this only depending on the use
   // of the access info.
+#if 0
   unrecorded_dependencies.push_back(
       dependencies()->FieldTypeDependencyOffTheRecord(map_ref, descriptor));
+#endif

   PropertyConstness constness;
   if (details.IsReadOnly() && !details.IsConfigurable()) {
     constness = PropertyConstness::kConst;
   } else {
     map_ref.SerializeOwnDescriptor(descriptor);
-    constness = dependencies()->DependOnFieldConstness(map_ref, descriptor);
+    constness = PropertyConstness::kConst;
   }
   Handle<Map> field_owner_map(map->FindFieldOwner(isolate(), descriptor),
                               isolate());
tiwanari commented 5 years ago

$ cat Dockerfile

FROM ubuntu:latest
MAINTAINER i@shiki7.me

# OPTIONAL: Switch source
RUN sed -i "s/http:\/\/archive.ubuntu.com/http:\/\/jp.archive.ubuntu.com/g" /etc/apt/sources.list

# install packages
RUN apt update && apt upgrade -y
RUN apt install -y ca-certificates fonts-liberation libappindicator3-1 libasound2 libatk-bridge2.0-0 libatk1.0-0 libatspi2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libgcc1 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libnss3 libpango-1.0-0 libpangocairo-1.0-0 libuuid1 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 wget xdg-utils

# install custom chrome
ADD ./chromium-browser-stable_79.0.3912.0-1_amd64.deb /tmp/
RUN dpkg --install /tmp/chromium-browser-stable_79.0.3912.0-1_amd64.deb

# add flag to /
ADD ./flag /flag
RUN chmod 644 /flag

CMD ["/bin/bash"]
tiwanari commented 5 years ago

向こうが /flag をもつコンテナを立てて、そこでパッチを当てた Chromium を

chromium-browser --headless --no-sandbox --disable-gpu --virtual-time-budget=60000 $URL

として起動する。

その後こちらが指定したURLにアクセスしてくる。

chromium に /flag の中身を送るようなウェブサイトを立てれば良いっぽさがある。

tiwanari commented 5 years ago

http://13.52.191.222:13337/ にはURLとPoW (proof-of-work) を入れるボックスがあって、以下の注意書きがある

Submission for challenge "accessible"
* URLs should begin with either 'http://' or 'https://'.
* Allowed URL characters: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789/:.%@
* Use the script provided to generate a valid proof-of-work, parameters: ZpHgTvgC 26

parameters: ZpHgTvgC 26

これを以下のように pow_solver.py に与えればそのうち答えがかえってくる

python pow_solver.py ZpHgTvgC 26

ZpHgTvgC 26 の部分は毎回変わるので、単に何度も続けてリクエストさせるのを避けるために使われている

tiwanari commented 5 years ago

chromium-browser --headless --no-sandbox --disable-gpu --virtual-time-budget=60000 $URL

http://chrome.half-moon.org/43.html#c776272a

Sandbox(ウィキペディア)の外でプロセスを動作させます。
*警告*
この起動オプションを使用すると安全性が低下しますので、常用するべきではありません。
※バージョン5.0.371.0以降では、起動時に黄色い情報バーが現れ警告メッセージが表示されます。
// If set the system waits the specified number of virtual milliseconds before
// deeming the page to be ready.  For determinism virtual time does not advance
// while there are pending network fetches (i.e no timers will fire). Once all
// network fetches have completed, timers fire and if the system runs out of
// virtual time is fastforwarded so the next timer fires immediatley, until the
// specified virtual time budget is exhausted.
const char kVirtualTimeBudget[] = "virtual-time-budget";