Tor Related CTF Collection

https://penafieljlm.com/2016/10/29/ekoparty-ctf-2016-write-ups/#fbi-100

https://github.com/MOCSCTF/CTF-Write-UP/tree/master/Web/Hacktober2020%20-%20What%20Lies%20In%20The%20Shadows

http://lockboxx.blogspot.com/2014/04/nuit-du-hack-2014-quals-ctf-writeup.html

https://medium.com/secjuice/ctfjawn-2017-bsides-philly-write-up-801206d73f57

https://infosecwriteups.com/things-i-learnt-from-h-cktivitycon-2021-ctf-31d7a7cdc3fe

https://infosecwriteups.com/configuring-tor-with-python-1a90fc1c246f

https://mstajbakhsh.ir/onionfarm-writeup/

https://zsecurity.org/how-to-use-burpsuite-with-tor-as-proxy/

https://blog.shuye.dev/2020/07/cybrics-ctf-writeup/

Buckeye CTF 2023: Ogrechat(easy)

By mbund The tor-only accessible chatting webapp for ogres! http://ogresogtmou2q5uoh3ctyd4wfc4n3pghyxvf4zyi5fm3ou6u5mdyshid.onion

attachment

This is a chat webapp on an onion site.

entrypoint.sh

pnpm start & > next-site-log 2>&1 # onion service
python3 -m http.server 8080 -d flag & > python-flag-log 2>&1 # python server hosting the flag dir

tail -f /dev/null

Goal: leak IP address of the onion site and visit flag dir.

ogrechat-export/src/app/chat/[roomId]/page.tsx (TypeScript is a strongly typed programming language that builds on JavaScript)

async function fetchUrlData(url: string) {
  const response = await fetch(url);
  const html = await response.text();
  const $ = cheerio.load(html);

  const favicon =
    $('meta[property="og:image"]').attr("content") ||
    $('link[rel="icon"]').attr("href") ||
    "/favicon.ico";
  const title = $("title").text();
  const description = $('meta[name="description"]').attr("content");

  return { favicon, title, description, url };
}

async function Message({ message }: { message: Message }) {
  const session = getSession();
  const urls = await extractUrlsFromMessage(message.text);

  const previews = await Promise.all(
    urls.map(async (url) => await fetchUrlData(url)),
  );

The function fetchUrlData() feteches favicon, title, description to form a preview when the user sends a message containing a URL. (const response = await fetch(url);)

This means the server running the onion service needs to send an HTTP request to a third-party server, which can be used to leak the IP address.

So we can send a message containing a webhook address. e.g. webhook.site

Then visit the HTTP service with the leaked IP to get flag.