[0CTF 2016 Quals] Guestbook(1) – 7 pts

#CLGT-Meepwn

Well this challenge is quite interesting, it took me and Tri a lot of time to solve this.
First we will see the challenge look like this:


view-source, something interesting appear:

//process input like this
$name = filter($_POST[‘username’]);
$message = filter($_POST[‘message’]);
$secret =base64_encode($_POST[‘secret’]);

do the rest work

admin use chrome and use your plaintext secret to find your post

$name,$message have been filter-ed in input (and output)
$secret will be base64 encoded then saved in database.

Look at the description of the challenge: “the flag is in the http-only cookie“, so i guess this is xss challenge. Since the bot use chrome, so i was thinking about “Content Security Policy

Let test this:

Yes, XSS Auditor (or CSP) detect XSS in our input and block it:

more…it has been blocked in source code (i guess)
The debug variable isn’t false now:

Now set the value of Username=”debug” to define it and make it true. While the debug is true, i can active XSS to force admin send me some html source.
Our payload to get this:

http://pastebin.com/5JZB5Rrt

/admin/show.php:

so we know there is a server_info.php in admin folder.
Last step: Find a admin cookie
Since the http-only flag is on, you can’t steal cookie, but you can get it from phpinfo!
when i was doing this challenge, it’s not a phpinfo() page, and we have to find it, but now it is. So all we have to do is force admin send the “/admin/server_info.php“, and get flag!

Happy hacking!

12 thoughts on “[0CTF 2016 Quals] Guestbook(1) – 7 pts

  1. Wow that was unusual. I just wrote an very long comment but after I clicked submit my comment
    didn’t appear. Grrrr… well I’m not writing all that over again. Anyhow, just wanted to say
    fantastic blog!

    Like

  2. Thanks for your personal marvelous posting! I actually enjoyed reading it, you’re
    a great author. I will always bookmark your blog and will often come back sometime soon. I want to encourage you to definitely continue your great posts,
    have a nice afternoon!

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s