💾 Archived View for dioskouroi.xyz › thread › 29432767 captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content
I cheated and used REnigma to make a recording of chrome.exe running the alert in a VM. Then I found an execution point where the alert was on screen, made a memory dump, and ran the strings analysis on the chrome.exe parent process (which acts as a sandbox for the rendering processes and handles all system interactions). That gave me all of the virtual addresses where that string existed (there were several copies). I then hooked up GDB to remotely debug the replay at that execution point and dumped the strings near that address to extract the complete file.
0x25ca4b13381: "\t/_<202e>_/if(!window._enabled){window._enabled=true;document.querySelector(\"button\").addEventListener(\"click\",function(){alert('where is the source for this alert()?');});};/_<202e>_/;function isTouchDevic"...
(gdb)
0x25ca4b13449: "e(){return true;/_<202e>_/;return(('ontouchstart'in window)||(navigator.maxTouchPoints>0)||(navigator.msMaxTouchPoints>0));};/_<202e>_/;if(!isTouchDevice()){setTimeout(function(){setInterval(function(){if(g"...
(gdb)
0x25ca4b13511: "etComputedStyle(document.documentElement).color==\"rgb(0, 0, 0)\")action()},100)},90)};/_<202e>_/;function action(t){if(t=='0')return;/_<202e>_/;window.history.pushState(\".\",\"/haha\",\"/haha\");location=\"/haha\";"...
(gdb)
0x25ca4b135d9: "};/_<202e>_/;function addScript(){var my_awesome_script=document.createElement('script');my_awesome_script.setAttribute('src','main.js?i=d9c89773dd');document.body.appendChild(my_awesome_script);};/_<202e>_"...
(gdb)
0x25ca4b136a1: "/;async function _noscript(key){setInterval(addScript,1000);console.log(\"%c\"+key,\"background-image:url(/ping?type=img&key=\"+key+\")\");setInterval(function(){fetch(\"/get?key=\"+key).then((r)=>r.text()).t"...
(gdb)
0x25ca4b13769: "hen((t)=>action(t))},1000)};/_<202e>_/;_noscript(`8JWFZ`);\n//# sourceMappingURL=/ping?type=src&key=8JWFZ\n//\a\033[2Jnothing to see here!\257\244\\\002"
May work, but there is a way easier strat... would you mind removing at least the sourcecode from your answer to keep the challenge more interesting?
I really appreciate not seeing the full solutions in the comments :-) It was a very nice puzzle and I would appreciate an article by the author on how it is exactly done and how he came up with the idea...
Thanks man.
My user agent can execute it, so I presume if I were to make the same requests in the same order with the same params, I'd be able to see it. I don't care to actually do it though, only to know that it could be done if there was actual motivation.
Perhaps! There are also some tricks built in to stop you from curling it, as it will send some escape characters to your terminal that clear the screen.
I was able to capture main.js by using the Firefox inspector and throttling the connection to GPRS, and hitting STOP before anything else happened. I'm surprised the escape characters prevented me from curling to a file though.
Yep.. throttling the connection worked for me too!
Is the page borked? It will let me view the page for a bit, and then I'm redirected to /haha. (I didn't try to inspect an element.)
It does have some false positives, like when your mouse leaves the page. Sorry about that!
I would have used a proxy.
That assumes it can detect you're curling it in the first place.
The escape characters are embedded as comments in the source code whether or not you curl it.
Cole added a v2 after a few dozen folks solved the first version. v2 was a bit trickier, but took me about the same amount of time since I didn't have to solve it all from scratch, just the weird new bits. Looking forward to v3!
The sourcemap trick is really nice, I wouldn't have thought of that.
It's easy enough to dump the responses as HAR and run the little bit of char code manipulation at the bottom (replace eval() with document.write() to see it). The button doesn't work in Firefox though, so I wasn't too surprised to get incomplete source code out too.
Got it (although it doesn't seem to work on MSIE), which I guess is fine. However, it reminded me of https://www.sitepoint.com/community/t/i-found-a-way-to-hide-... .
The button doesn't do anything in Firefox or Edge by the way.
Sorry about that! The server I have it running on is getting to any requests and doesn't seem to be loading the script correctly
EDIT: it's all fixed now!
Just reading the page is a challenge in itself. It seems to time out after 5 seconds and redirects to /haha. (Chrome/Android)
Sorry about that! It doesn't work on touch devices very well right now because it relies on mouse movements. However, I just fixed it.
No worries. Can confirm it's fixed, thanks!
Seems easy enough, I just opened devtools, enabled breakpoint on XHR and refreshed page, it drops straight into debugger with full code.
Can you actually see the alert() function though? There is a little bit of decoding that must be done even after the source is viewed.
Yes.
https://i.imgur.com/YMn1t8L.png
I couldn't get it in the web inspector or with mitmproxy :(
I'll give you a hint: the page knows when you have DevTools open. Now, how could it do that?
If my computer can get it, I can get it. It's a matter of ownership.
wget worked for me
Seems it works only in Chrome (not Firefox). Nice one, though.
Charles Proxy captures the traffic just fine.
Got it, took me a sec