[HN Gopher] Challenge: can you view my source?
___________________________________________________________________
Challenge: can you view my source?
Author : colewilson
Score : 25 points
Date : 2021-12-03 17:43 UTC (5 hours ago)
(HTM) web link (nosource.cole.ws)
(TXT) w3m dump (nosource.cole.ws)
| mikewarot wrote:
| If my computer can get it, I can get it. It's a matter of
| ownership.
|
| wget worked for me
| dalmo3 wrote:
| Just reading the page is a challenge in itself. It seems to time out
| after 5 seconds and redirects to /haha. (Chrome/Android)
| colewilson wrote:
| Sorry about that! It doesn't work on touch devices very well
| right now because it relies on mouse movements. However, I just
| fixed it.
| dalmo3 wrote:
| No worries. Can confirm it's fixed, thanks!
| jim_dtrsec wrote:
| I cheated and used REnigma to make a recording of chrome.exe
| running the alert in a VM. Then I found an execution point where
| the alert was on screen, made a memory dump, and ran the strings
| analysis on the chrome.exe parent process (which acts as a sandbox
| for the rendering processes and handles all system interactions).
| That gave me all of the virtual addresses where that string
| existed (there were several copies). I then hooked up GDB to
| remotely debug the replay at that execution point and dumped the
| strings near that address to extract the complete file.
|
| 0x25ca4b13381: "\t/*<U+202E>*/if(!window._enabled){window._enabled=true;document.querySelector(\"button\").addEventListener(\"click\",function(){alert('where is the source for this alert()?');});};/*<U+202E>*/;function isTouchDevic"...
| (gdb)
| 0x25ca4b13449: "e(){return true;/*<U+202E>*/;return(('ontouchstart'in window)||(navigator.maxTouchPoints>0)||(navigator.msMaxTouchPoints>0));};/*<U+202E>*/;if(!isTouchDevice()){setTimeout(function(){setInterval(function(){if(g"...
| (gdb)
| 0x25ca4b13511: "etComputedStyle(document.documentElement).color==\"rgb(0, 0, 0)\")action()},100)},90)};/*<U+202E>*/;function action(t){if(t=='0')return;/*<U+202E>*/;window.history.pushState(\".\",\"/haha\",\"/haha\");location=\"/haha\";"...
| (gdb)
| 0x25ca4b135d9: "};/*<U+202E>*/;function addScript(){var my_awesome_script=document.createElement('script');my_awesome_script.setAttribute('src','main.js?i=d9c89773dd');document.body.appendChild(my_awesome_script);};/*<U+202E>"...
| (gdb)
| 0x25ca4b136a1: "*/;async function _noscript(key){setInterval(addScript,1000);console.log(\"%c\"+key,\"background-image:url(/ping?type=img&key=\"+key+\")\");setInterval(function(){fetch(\"/get?key=\"+key).then((r)=>r.text()).t"...
| (gdb)
| 0x25ca4b13769: "hen((t)=>action(t))},1000)};/*<U+202E>*/;_noscript(`8JWFZ`);\n//# sourceMappingURL=/ping?type=src&key=8JWFZ\n//\a\033[2Jnothing to see here!\257\244\\\\\002"
| _Microft wrote:
| The button doesn't do anything in Firefox or Edge by the way.
| colewilson wrote:
| Sorry about that! The server I have it running on is getting too
| many requests and doesn't seem to be loading the script
| correctly
|
| EDIT: it's all fixed now!
| [deleted]
| joeframbach wrote:
| Charles Proxy captures the traffic just fine.
| ryankrage77 wrote:
| I couldn't get it in the web inspector or with mitmproxy :(
| NikolaeVarius wrote:
| Got it, took me a sec
| karmakaze wrote:
| My user agent can execute it, so I presume if I were to make the
| same requests in the same order with the same params, I'd be able
| to see it. I don't care to actually do it though, only to know
| that it could be done if there was actual motivation.
| colewilson wrote:
| Perhaps! There are also some tricks built in to stop you from
| curling it, as it will send some escape characters to your
| terminal that clear the screen.
| jazzyjackson wrote:
| I was able to capture main.js by using firefox inspector and
| throttling the connection to GPRS, and hitting the STOP
| before anything else happened. I'm surprised the escape
| characters prevented me from curling to a file tho.
| karmakaze wrote:
| I would have used a proxy.
| Nextgrid wrote:
| That assumes it can detect you're curling it in the first
| place.
| jazzyjackson wrote:
| the escape characters are embedded as comments in the
| source code whether or not you curl it
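The two points above (the author's "escape characters that clear the screen" and jazzyjackson's observation that they live in comments in the source regardless of how it is fetched) come down to a file that is safe to download but unsafe to cat. The script below is an added example, not the thread's code and not anything served by nosource.cole.ws: it builds a constructed stand-in for such a file (a JS comment wrapping U+202E, then a comment carrying BEL and the ESC[2J clear-screen sequence, as seen in the memory dump) and shows how to count and strip those bytes before reading. The URL in the usage comment is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or from nosource.cole.ws): make a fetched
# script safe to read in a terminal by neutralising the control characters
# the thread describes (BEL, ESC[2J clear-screen, U+202E right-to-left override).

# Constructed stand-in for the real main.js: a JS comment wrapping U+202E
# (UTF-8 bytes E2 80 AE), then a comment carrying BEL and the ESC[2J sequence.
sample_script() {
  printf '/*\342\200\256*/;function action(t){if(t=="0")return;}\n'
  printf '//\007\033[2Jnothing to see here!\n'
}

# Count BEL and ESC bytes on stdin. Run this on the downloaded file first:
# a non-zero count means "do not cat this"; look at it with cat -v instead.
count_controls() {
  LC_ALL=C tr -cd '\007\033' | wc -c | tr -d ' '
}

# Strip terminal-affecting bytes from stdin: CSI escape sequences
# (ESC [ parameters letter), lone BEL, and the U+202E override.
# LC_ALL=C makes sed treat the input as bytes, so the multibyte
# override is matched literally rather than as a character class.
strip_escapes() {
  esc=$(printf '\033')
  rlo=$(printf '\342\200\256')
  LC_ALL=C sed -e "s/${esc}\[[0-9;]*[A-Za-z]//g" \
               -e "s/${rlo}//g" | tr -d '\007'
}

# Usage (URL hypothetical):
#   curl -s https://example.invalid/main.js > main.js
#   count_controls < main.js      # 2 for the sample, meaning: do not cat
#   strip_escapes  < main.js      # readable copy
sample_script | strip_escapes
```

The count step is the one worth keeping in a pentest checklist: `cat -v` shows the escapes (`^G`, `^[[2J`) instead of executing them, but only if you remember to use it, whereas a quick byte count refuses to let the file near the terminal at all. The U+202E override is stripped separately because it is not a terminal escape but a Unicode control that reverses display order in editors and diff viewers.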
| c0wb0yc0d3r wrote:
| Is the page borked? It will let me view the page for a bit,
| and then I'm redirected to /haha. (I didn't try to inspect an
| element.)
| colewilson wrote:
| It does have some false positives, like when your mouse
| leaves the page. Sorry about that!
| sandreas wrote:
| I really appreciate not seeing the full solutions in the comments
| :-) Was a very nice puzzle and I would appreciate an article by
| the author on how it is exactly done and how he came up with the
| idea...
|
| Thanks man.
___________________________________________________________________
(page generated 2021-12-03 23:02 UTC)