nc yana-bot.chal.uiuc.tf 1337
https://sigpwny.com/uiuctf/y.png image is loaded and placed in the
https://sigpwny.com/uiuctf/n.png is loaded instead.
bot.js script, which is the "admin" bot that visits any URL we give it. Notice that the flag is first saved as a note on the challenge server before our chosen URL is visited.
n.png images are loaded based on the search output?
https://sigpwny.com/uiuctf/y.png image is fetched and cached.
onFrameLoad() function that will be called when the iframe of the notes site, containing the search query, is loaded.
template.html with a placeholder for the search query.
exploit.py script can automate the bruteforce attack.
FLAG variable. (Perhaps I should have written a cleaner solution?)
ngrok domain, but as of Chrome version 85, cache partitioning was implemented to defend against cache probing attacks. This update by Google in October 2020 explains how the new cache partitioning system works.
y.png was downloaded from the network, not fetched from the cache!
https://yana.wtf/ is actually saved in the cache key. This means that if we are able to control any
*.yana.wtf subdomains, we would be able to bypass the cache partitioning since both requests would be originating from the same domain.
dig command, we can find the DNS records configured for
A record maps the domain to the GitHub pages server.
*.yana.wtf. For instance,
b.yana.wtf do not have any GitHub page associated with them, yet point to the GitHub pages server.
http://a.yana.wtf, therefore, will still forward the request to GitHub. GitHub looks for GitHub repositories with the appropriate
CNAME file. Since no repository is configured to serve
a.yana.wtf, a 404 page is shown.
a.yana.wtf to their repository, thereby taking over the
abc.yana.wtf, which creates the following
CNAME file in our repository.
http://abc.yana.wtf, we will find that our exploit is being served!
yana.wtf domain, Chrome does not partition the cache. Notice that the first request, initiated by the iframe, fetched
y.png from the network, while the second request, initiated by our exploit script, fetched
y.png from the browser's cache.
y.png was cached, and made a callback to our
ngrok server with the successful query.