https://www.hackthebox.eu/invite


Hack The Box :: Penetration Testing Labs


eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))

data: {data: "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr", enctype: "ROT13"}

 

❯ curl -XPOST https://www.hackthebox.eu/api/invite/generate
{"success":1,"data":{"code":"TU9WWlItWVZVWlUtWVJBSVUtR1ZQQ1ItWk1VUVY=","format":"encoded"},"0":200}

 

base64 decode of the returned code:

 

MOVZR-YVUZU-YRAIU-GVPCR-ZMUQV
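As an added example (not part of the original notes), a Python script that undoes the p,a,c,k,e,d packer quoted above, pulls the two API paths out of the recovered code, and decodes the ROT13 hint and the base64 invite code shown in the replies. The packer arguments are copied from the packed script above; the two reply values are copied from the output lines above.

```python
import base64
import codecs
import re

# The three arguments of the eval(function(p,a,c,k,e,d){...})(...) call quoted above.
PAYLOAD = r"""1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:'/d/e/n',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:'/d/e/k/l/m',c:1(0){3.2(0)},f:1(0){3.2(0)}})}"""
RADIX, COUNT = 24, 24
KEYWORDS = ("response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|"
            "success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|"
            "generate|verify").split("|")

def to_radix(n, radix):
    """Mirror JavaScript's Number.prototype.toString(radix) for n >= 0."""
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        out = digits[n % radix] + out
        n //= radix
        if n == 0:
            return out

def unpack(p, a, c, k):
    """Undo the packer: every word token in p is a base-a index into the keyword list k."""
    table = {to_radix(i, a): (k[i] or to_radix(i, a)) for i in range(c)}
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p)

def ajax_urls(js):
    """List the url:'...' targets in the recovered $.ajax({...}) calls."""
    return re.findall(r"url:'([^']*)'", js)

def decode_field(value, scheme):
    """Decode a reply field according to the scheme the API advertises alongside it."""
    if scheme.upper() == "ROT13":
        return codecs.decode(value, "rot_13")
    if scheme.lower() in ("encoded", "base64"):
        return base64.b64decode(value).decode("ascii")
    raise ValueError(f"unsupported scheme: {scheme}")

if __name__ == "__main__":
    js = unpack(PAYLOAD, RADIX, COUNT, KEYWORDS)
    print(js)
    print(ajax_urls(js))  # ['/api/invite/verify', '/api/invite/how/to/generate']
    # The two replies recorded in the walkthrough above.
    hint = "Va beqre gb trarengr gur vaivgr pbqr, znxr n CBFG erdhrfg gb /ncv/vaivgr/trarengr"
    print(decode_field(hint, "ROT13"))
    print(decode_field("TU9WWlItWVZVWlUtWVJBSVUtR1ZQQ1ItWk1VUVY=", "encoded"))
```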

 

Browser Exploitation

  • Old WebKit download: https://trac.webkit.org/browser/webkit/tags
    * [Safari-605.1.15.2](https://trac.webkit.org/browser/webkit/tags/Safari-605.1.15.2)
    * SVN: 225504
$ svn checkout -r225504 https://svn.webkit.org/repository/webkit/trunk Webkit.225504
.
.
A    Webkit.225504/Makefile.shared
A    Webkit.225504/ReadMe.md
 U   Webkit.225504
Checked out revision 225504.
$
$ cd Webkit.225504
$ cd Tools/Scripts
$ ./build-webkit --jsc-only --debug
*************************************************************
Xcode 7.0 or later is required to build WebKit.
  • brew install cmake
  • but it still failed
❯ git clone git://git.webkit.org/WebKit.git Webkit.git
❯ cd Webkit.git

~/Study/BrowserExploitation/Safari/vulversion01/Webkit.git master
❯ git checkout 3af5ce129e6636350a887d01237a65c2fce77823
파일을 가져옵니다: 100% (77520/77520), 완료.
주의: '3af5ce129e6636350a887d01237a65c2fce77823' 체크아웃하기.

지금 'HEAD가 분리된' 상태입니다. 이 상태에서는 여기저기 돌아보고,
실험적으로 바꾸고 커밋하더라도, 체크아웃할 수 있는 다른 브랜치에
영향을 미치지 않고 변경 사항을 잃어버릴 수 있습니다.

커밋을 유지하는 브랜치를 새로 만드려면, (지금이든 나중이든) 체크아웃
명령을 다시 하면서 -b 옵션을 사용하면 됩니다. 예를 들어:

  git checkout -b <새-브랜치-이름>

HEAD의 현재 위치는 3af5ce129e6 Overlay with -webkit-overflow-scrolling:touch doesn't become scrollable after added text makes it taller https://bugs.webkit.org/show_bug.cgi?id=158342 rdar://problem/26652811

~/Study/BrowserExploitation/Safari/vulversion01/Webkit.git 3af5ce1... 32s
❯
  • the issues fixed after this revision can be reviewed:
❯ git log --reverse --ancestry-path 3af5ce129e6636350a887d01237a65c2fce77823..master
commit 7cf9d2911af9f255e0301ea16604c9fa4af340e2
Author: mark.lam@apple.com <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Date:   Fri Nov 16 05:12:25 2018 +0000

    RegExp operations should not take fast patch if lastIndex is not numeric.
    https://bugs.webkit.org/show_bug.cgi?id=191731
    <rdar://problem/46017305>

    Reviewed by Saam Barati.

    JSTests:

    * stress/regress-191731.js: Added.

    Source/JavaScriptCore:

    This is because if lastIndex is an object with a valueOf() method, it can execute
    arbitrary code which may have side effects, and side effects are not permitted by
    the RegExp fast paths.

    * builtins/RegExpPrototype.js:
    (globalPrivate.hasObservableSideEffectsForRegExpMatch):
    (overriddenName.string_appeared_here.search):
    (globalPrivate.hasObservableSideEffectsForRegExpSplit):
    (intrinsic.RegExpTestIntrinsic.test):
    * builtins/StringPrototype.js:
    (globalPrivate.hasObservableSideEffectsForStringReplace):

    git-svn-id: http://svn.webkit.org/repository/webkit/trunk@238267 268f45cc-cd09-0410-ab3c-d52691b4dbfc
  • confirms that there was a problem with valueOf().
$ xcode-select --install
xcode-select: note: install requested for command line developer tools
$ xcode-select -p
/Applications/Xcode.app/Contents/Developer
$ xcodebuild -version
Xcode 10.3
Build version 10G8
$ Tools/Scripts/build-webkit --jsc-only --debug
~/Study/BrowserExploitation/Safari/vulversion01/Webkit.git 3af5ce1...
$ cd WebKitBuild/Debug/bin/
$ ./jsc
>>> 1+1
2
>>> print("Hello")
Hello
undefined
>>> a = {}
[object Object]
>>> a.list=[1,2,3,4]
1,2,3,4