Project Sekai
🔒 GDG Algiers CTF 2022 / ❌-web-yatodo
Avatar
yatodo - 500 points
Category: Web
Description:
> Yet another todo app. Submit your URLs to: nc -v web.chal.ctf.gdgalgiers.com 1608
Author: vvxhid
Files:
Tags: No tags.
Sutx pinned a message to this channel. 10/08/2022 2:01 AM
Avatar
@Violin wants to collaborate 🤝
02:08
@crazyman ai wants to collaborate 🤝
Avatar
@irogir wants to collaborate 🤝
Avatar
@jayden wants to collaborate 🤝
Avatar
@strellic wants to collaborate 🤝
Avatar
xss chall, looking at this
12:56
protopoll in combineSettings
12:58
ive never used svelte before 😨
Avatar
lmfao
13:11
if (settings instanceof Array && !Array.isArray(settings)) {
13:11
what a stupid check
13:14
that check is so derived its not even funny
13:14
?settings[__proto__]=a&settings[__proto__]=b&settings[__proto__]=c&settings[__proto__]=d
13:14
why would you ever have a check for a "variable that is an instance of array" that also fails "Array.isArray"
Avatar
true lol
Avatar
anyway protopoll vec /?settings[__proto__]=__proto__&settings[__proto__]=x&settings[__proto__]=a&settings[__proto__]=b
Avatar
is this close or like in progress? peepoo
Avatar
probably like 50% there but i had to leave to work on school stuff 😔
18:30
when does CTF end
18:30
16 hours
Avatar
anyway my progress on this is that we can protopoll
23:23
from what it looks like, we can get xss here
    <div>
      <!-- heading/subheading text -->
      {#each Object.entries($$props) as [key, value]}
        {#if key === "heading"}
          <h1>{value}</h1>
        {:else if key === "subheading"}
          <h3>{value}</h3>
        {:else}
          {@html value}
        {/if}
      {/each}
    </div>
23:23
if we can protopoll something like Object.prototype.x = "<img src=x onerror=alert(1) />"
Avatar
strellic
anyway protopoll vec /?settings[__proto__]=__proto__&settings[__proto__]=x&settings[__proto__]=a&settings[__proto__]=b
but using ^ we can only protopoll like
23:23
from this function
    const generateTemplate = (arr) => Array.isArray(arr) && `{"${arr[0]}": {"${arr[1]}": {"${arr[2]}":"${arr[3]}" }}}`;
23:24
which will end up looking like: {"__proto__": { "x": { "b": "c" } } }
23:24
which is an extra layer than we want
23:24
this JSON injection is really sus, but i haven't figured out what to do with it yet
23:24
since there's a filter
23:24
const cleanStr = (str) => decodeURI(str).replaceAll(/[,"{}]/g, "");
23:24
pain
23:26
anyone have any ideas for JSON injection from this:
    const generateTemplate = (arr) => Array.isArray(arr) && `{"${arr[0]}": {"${arr[1]}": {"${arr[2]}":"${arr[3]}" }}}`;
given that every element in the array goes through this:
    const cleanStr = (str) => decodeURI(str).replaceAll(/[,"{}]/g, "");
Avatar
@ElleuchX1 wants to collaborate 🤝
Avatar
@TheBadGod wants to collaborate 🤝
Avatar
crazyman ai 10/09/2022 3:19 AM
TheBadGod xd
Avatar
@Zafirr wants to collaborate 🤝