31 comments

[ 3.0 ms ] story [ 78.7 ms ] thread
The button doesn't do anything in Firefox or Edge by the way.
Sorry about that! The server I have it running on is getting to any requests and doesn't seem to be loading the script correctly

EDIT: it's all fixed now!

(comment deleted)
My user agent can execute it, so I presume if I were to make the same requests in the same order with the same params, I'd be able to see it. I don't care to actually do it though, only to know that it could be done if there was actual motivation.
Perhaps! There are also some tricks built in to stop you from curling it, as it will send some escape characters to your terminal that clear the screen.
That assumes it can detect you're curling it in the first place.
the escape characters are embedded as comments in the source code whether or not you curl it
Is the page borked? It will let me view the page for a bit, and then I'm redirected to /haha. (I didn't try to inspect an element.)
it does have some false positives, like when your mouse leaves the page. Sorry about that!
I was able to capture main.js by using firefox inspector and throttling the connection to GPRS, and hitting the STOP before anything else happened. I'm surprised the escape characters prevented me from curling to a file tho.
Yep.. throttling the connection worked for me too!
Just reading the page is challenge in itself. It seems to timeout after 5 seconds and redirects to /haha. (Chrome/Android)
Sorry about that! It doesn't work on touch devices very well right now because it relies on mouse movements. However, I just fixed it.
No worries. Can confirm it's fixed, thanks!
Charles Proxy captures the traffic just fine.
If my computer can get it, I can get it. It's a matter of ownership.

wget worked for me

I couldn't get it in the web inspector or with mitmproxy :(
I really appreciate to not see the full solutions in the comments :-) Was a very nice puzzle and I would appreciate an article by the author on how it is exactly done and how he came up with the idea...

Thanks man.

I cheated and used REnigma to make a recording of chrome.exe running the alert in a VM. Then I found an execution point where the alert was on screen, made a memory dump, and ran the strings analysis the chrome.exe parent process (which acts as a sandbox for the rendering processes and handles all system interactions). That gave me the all of the virtual addresses where that string existed (there were several copies). I then hooked up GDB to remotely debug the replay at that execution point and dumped the strings near that address to extract the complete file.

0x25ca4b13381: "\t/<202e>/if(!window._enabled){window._enabled=true;document.querySelector(\"button\").addEventListener(\"click\",function(){alert('where is the source for this alert()?');});};/<202e>/;function isTouchDevic"... (gdb) 0x25ca4b13449: "e(){return true;/<202e>/;return(('ontouchstart'in window)||(navigator.maxTouchPoints>0)||(navigator.msMaxTouchPoints>0));};/<202e>/;if(!isTouchDevice()){setTimeout(function(){setInterval(function(){if(g"... (gdb) 0x25ca4b13511: "etComputedStyle(document.documentElement).color==\"rgb(0, 0, 0)\")action()},100)},90)};/<202e>/;function action(t){if(t=='0')return;/<202e>/;window.history.pushState(\".\",\"/haha\",\"/haha\");location=\"/haha\";"... (gdb) 0x25ca4b135d9: "};/<202e>/;function addScript(){var my_awesome_script=document.createElement('script');my_awesome_script.setAttribute('src','main.js?i=d9c89773dd');document.body.appendChild(my_awesome_script);};/<202e>"... (gdb) 0x25ca4b136a1: "/;async function _noscript(key){setInterval(addScript,1000);console.log(\"%c\"+key,\"background-image:url(/ping?type=img&key=\"+key+\")\");setInterval(function(){fetch(\"/get?key=\"+key).then((r)=>r.text()).t"... (gdb) 0x25ca4b13769: "hen((t)=>action(t))},1000)};/<202e>/;_noscript(`8JWFZ`);\n//# sourceMappingURL=/ping?type=src&key=8JWFZ\n//\a\033[2Jnothing to see here!\257\244\\\002"

May work, but there is a way easier strat... would you mind removing at least the sourcecode from your answer to keep the challenge more interesting?
I'll give you a hint: the page knows when you have DevTools open. Now, how could it do that?
Seems it works only in Chrome (not Firefox). Nice one, though.
Seems easy enough, I just opened devtools, enabled breakpoint on XHR and refreshed page, it drops straight into debugger with full code.
Cole added a v2 after a few dozen folks solved the first version. v2 was a bit trickier, but took me about the same amount of time since I didn't have to solve it all from scratch, just the weird new bits. Looking forward to v3!
It's easy enough to dump the responses as HAR and run the little bit of of char code manipulation at the bottom (replace eval() with document.write() to see it). The button doesn't work in Firefox though, so I wasn't too surprised to get incomplete source code out too.
The sourcemap trick is really nice, I wouldn't have thought of that.