The "admin" bot for the challenge is reached with `nc yana-bot.chal.uiuc.tf 1337`.

The notes app reads its search query from `document.location.hash`. Depending on the search output, either the `https://sigpwny.com/uiuctf/y.png` image is loaded and placed in the output div, or `https://sigpwny.com/uiuctf/n.png` is loaded instead.

The `bot.js` script is the "admin" bot that visits any URL we give it. Notice that the flag is first saved as a note on the challenge server before our chosen URL is visited, so the flag note is present in the bot's browser session while our page runs.
images are loaded based on the search output?https://sigpwny.com/uiuctf/y.png
image is fetched and cached.https://sigpwny.com/uiuctf/y.png
image.onFrameLoad()
function that will be called when the iframe of the notes site, containing the search query, is loaded.template.html
with a placeholder for the search query.exploit.py
script can automate the bruteforce attack.FLAG
variable. (Perhaps I should have wrote a cleaner solution?)ngrok
The first attempt hosted the exploit page on an `ngrok` domain, but as of Chrome 86 the HTTP cache is partitioned to defend against cache probing attacks. Google's October 2020 update on cache partitioning explains the new scheme: the cache key is no longer just the resource URL but the triple (top-level site, frame site, URL).

When the notes iframe on our ngrok page loads the image, the entry is stored under (`attacker-site`, `notes-app-site`, `image-url`); when our exploit script then requests the same image from the top-level page, the lookup uses (`attacker-site`, `attacker-site`, `image-url`). The keys differ, and indeed `y.png` was downloaded from the network, not fetched from the cache!

The key uses the site (scheme plus registrable domain), not the full origin: for `https://chal.yana.wtf/`, only `https://yana.wtf/` is actually saved in the cache key. This means that if we are able to control any `*.yana.wtf` subdomain, we can bypass the cache partitioning, since both the iframe's request and our own would then be attributed to the same site.
Using the `dig` command, we can find the DNS records configured for `chal.yana.wtf`. An `A` record maps the domain to the GitHub Pages server, and there is also a wildcard `A` record for `*.yana.wtf`. For instance, `a.yana.wtf` and `b.yana.wtf` do not have any GitHub Page associated with them, yet they point to the GitHub Pages server.

A request to `http://a.yana.wtf`, therefore, will still be forwarded to GitHub. GitHub looks for a repository with the appropriate `CNAME` file. Since no repository is configured to serve `a.yana.wtf`, a 404 page is shown. This is a dangling wildcard record: anyone can add a `CNAME` file containing `a.yana.wtf` to their repository, thereby taking over the `a.yana.wtf` domain. (GitHub has since added custom-domain verification for Pages, which blocks such takeovers for verified domains; the wildcard record is still the root cause.)

We set our repository's custom domain to `abc.yana.wtf`, which creates the corresponding `CNAME` file in our repository. Visiting `http://abc.yana.wtf`, we find that our exploit is being served!
Because the exploit page and the notes app now both belong to the `yana.wtf` site, Chrome does not partition the cache between them. Notice that the first request, initiated by the iframe, fetched `y.png` from the network, while the second request, initiated by our exploit script, fetched `y.png` from the browser's cache.

Finally, we point the bot at the `https://abc.yana.wtf/exploit.html` URL. The exploit page detected that `y.png` was cached and made a callback to our `ngrok` server with the successful query.