# UIU CTF 2021 yana Write Up

### Summary

An XS-Leak is a class of vulnerability in which an attacker infers sensitive data, such as user information, from side channels that the browser exposes in response to attacker-controlled input. If you want to study XS-Leaks in more depth, you can refer to here :)

### What is cache probing

The time the browser takes to load a resource file differs between the first load and the second load. The reason is that on the second load the image is fetched from the browser's disk cache instead of being requested from the web server.

The photo on the right is when the image is loaded for the first time, and the photo on the left is when the image is loaded the second time. If you look at the timing, you can see a difference of 0ms vs. 48ms. So how can we use this for an XS-Leak?

### Exploit (Web) UIU CTF 2021 - yana [342 pts]

The goal of the challenge is to leak the flag using cache probing and an XS-Leak :)

If you open the challenge, you can see a notepad function as above. I checked: the function at the top saves content and the function at the bottom searches the saved memo.

So, I saved a memo as pocas and not_pocas. After saving the memo, I searched for pocas on the left and searched for asdf on the right.

OMG, I did a search and came up with a surprising result!! It immediately returned a different colored image!! I can learn important information here.

• Information
1. If you search for a currently saved memo, a green image appears.
2. If you search for an unsaved memo, a red image appears.

Now that I’ve done a functional analysis, let’s analyze the client-side code.

• Analysis ( search() )
1. Get the currently stored content value using window.localStorage.getItem("note").
2. Get the query value using document.location.hash.substring(1).
3. Use note.includes(query) to check whether the value of the query is contained anywhere in the note, i.e. a substring match. ( Important )
4. If the query value is included in the note, a green image appears, otherwise a red image appears.

Now let’s analyze bot.js to get flags.

• Analysis ( bot.js )
1. Read the /flag.txt file and save it to FLAG variable.
2. Running a chrome instance using playwright-chromium.
3. Go to https://chal.yana.wtf, save FLAG in the note, and access the URL that we entered as an administrator. ( Important )

We learned a lot from our analysis !!

In bot.js, the flag is stored in the note. We also know the flag format ( uiuctf{[a-z0-9_]} ). That is, we can brute force starting from uiuctf{. This is where ‘Cache Probing’ is used. I know that when I search for a value contained in the note, a green image appears.

So, if we search for a value contained in the note, the browser loads the green image. Since it is being loaded for the first time, it is stored in the disk cache. If we then load the green image one more time, it loads much faster than the first time because it is already cached.
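To make the search() analysis and the cache behaviour above concrete, here is an added example (not the challenge's own client code or bot.js). It models the search() logic as described in the write-up, a browser cache as a set of cached URLs, and a check that asks whether the cache state after a search depends on whether the query matched. A hardened variant that loads both images every time with non-cacheable responses is shown alongside. The image paths, the `CacheModel` helper, the `cacheable` flag standing in for a `Cache-Control: no-store` response header, and the sample note are all assumptions.

```javascript
// Added example, not code from the challenge. Models the search() logic the
// write-up describes (note.includes(query) picks a green or red image) and
// checks whether the resulting cache state reveals the match outcome.

const GREEN_IMG = "/img/green.png"; // assumed path
const RED_IMG = "/img/red.png";     // assumed path

// Minimal model of the browser's HTTP cache: a URL becomes "cached" once a
// page loads it and the response allowed caching (assumption: the real
// browser honours Cache-Control on the image responses in the same way).
class CacheModel {
  constructor() { this.entries = new Set(); }
  load(url, cacheable) { if (cacheable) this.entries.add(url); }
  has(url) { return this.entries.has(url); }
}

// Vulnerable search(): the branch on the secret note decides which of two
// cacheable images is fetched, so the cache state afterwards encodes the
// branch, and anyone who can time a later load of GREEN_IMG learns it.
function searchVulnerable(note, query, cache) {
  const src = note.includes(query) ? GREEN_IMG : RED_IMG;
  cache.load(src, true); // default image response: cacheable
  return src;
}

// Hardened search(): both images are requested on every search, so the
// network and cache footprint is identical on either branch, and the
// responses are non-cacheable (modelled by cacheable=false; on a real server
// this is `Cache-Control: no-store` on the image responses). Which image is
// displayed is then a pure rendering decision with no distinct resource load.
function searchHardened(note, query, cache) {
  const match = note.includes(query);
  for (const url of [GREEN_IMG, RED_IMG]) cache.load(url, false);
  return match ? GREEN_IMG : RED_IMG;
}

// Check: run one search with a query known to be in the note and one with a
// query known not to be, each against a fresh cache, and compare the cache
// state. Returns true when the two states differ, i.e. when the cache leaks
// the match outcome to anyone who can probe it.
function cacheStateLeaksMatch(searchFn, note) {
  const probe = (query) => {
    const cache = new CacheModel();
    searchFn(note, query, cache);
    return [cache.has(GREEN_IMG), cache.has(RED_IMG)].join(",");
  };
  const knownPrefix = note.slice(0, 7);      // e.g. the "uiuctf{" flag prefix
  return probe(knownPrefix) !== probe("zzz-not-in-note");
}

// Constructed sample note; not the real flag.
const SAMPLE_NOTE = "uiuctf{constructed_sample_flag}";

console.log("vulnerable leaks:", cacheStateLeaksMatch(searchVulnerable, SAMPLE_NOTE));
console.log("hardened leaks:  ", cacheStateLeaksMatch(searchHardened, SAMPLE_NOTE));
```

The check is the useful part for a defender: any page that loads a different cacheable resource depending on a secret fails it, regardless of which side channel (timing, as in this challenge, or another cache-probing method) is later used to read the cache state.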

First of all, this is the exploit code that sends a query that is not saved in the memo. In that situation the bot's browser loads the red image, so the green image is not yet cached and takes a long time to load afterwards because it is loading for the first time.

Let’s check it out.

Nice. When sending a query that is not contained in the note, it took about 43s?43ms.

Now, let’s check the loading time when sending the query included in the note.

OMG, when sending the query contained in the note, it took about 3s?3ms?!!

Now let’s use this to brute force. However, when doing brute force, sending many requests at once can cause bot.js to close.

I got one letter per run and started a new run for the next letter.

The exploit code is as above. So I’ll execute the exploit code!

(skip..)

Success! I got the flag :)