
HKCERT CTF 2023 Return of babyUXSS return (回到富康街寵物公園)

Solved by O0034 - Mystiz's Fan Club

Details

Author: ken
Category: pwn
Difficulty: ★★★★★
Description:

CTF players must know how to UXSS again. (It's actually not hard.)

Web: http://return-of-babyuxss-return-4iz5ng.hkcert23.pwnable.hk:4444/

(500 points, Tertiary: 0 solve, Open: 1 solve, International: 1 solve)

No attachment was provided.

TL;DR

CVE-2023-3079
https://github.com/mistymntncop/CVE-2023-3079

Walkthrough

https://hackmd.io/@hollowctf/hkcert2022-babyUXSS-return
The procedure is 99.9% the same as babyUXSS return in HKCERT CTF 2022, except for a newer Chrome version (90 -> 114), so we need another exploit. This time we found our serendipity: kudos to my teammate @botton for finding an HTML PoC (https://github.com/vu-ls/Zenbleed-Chrome-PoC/tree/main) after I suggested the possible CVE number to him. Unfortunately I went to sleep and missed the first blood.


Change the shellcode in line 248 to a reverse TCP shellcode generated by msfvenom and you are good to serve.