Welcome, fellow hackers. This is my solution to the Halloween challenge from Intigriti. It is definitely not the most complicated one and really easy to understand, so let's find out if my explanation supports that thesis.
Introduction:
Intigriti's October challenge was made this time by @0xTib3rius and is definitely a nice little challenge to flex those XSS muscles. The tips were definitely helpful, but as always not that revealing.
Let's Start:
Let's look at the challenge and try to figure out what it's about. (https://challenge-1021.intigriti.io/)
Let's see where the actual challenge lies. By pressing F12 we find where the interesting part is: (https://challenge-1021.intigriti.io/challenge/challenge.php) is our main target this time. We also remember to use the ?html parameter.
Let's dig into the HTML:
After a bit of scrolling we find that the main challenge probably lies in the JavaScript.
Let's try the parameter we are hinted to use. We use the word test to simply see how our data is reflected in the HTML.
We see that our data replaces the old text. Let's try out some tags to maybe find some sort of HTML injection, so let's try using <h2>test</h2>.
By looking at the HTML we know that we don't have to try something like a script tag to get our reflected XSS. The reason is the CSP, which does not allow us to run JS that the CSP itself has not allowed. So there is probably another way.
Digging a bit more
When we look at the JS again we find that there is another parameter called xss that is also read and probably reflected.
So let's enter our payload and see what happens. Our payload:
html=<h2>test</h2>&xss=alert(document.domain);
Nothing happens. Let's look at the HTML and see where it might have been reflected.
But there it is: alert in a script tag. Because of the 4 little characters in front of the xss payload it won't fire. The number 4 will be relevant in this challenge, and by looking at the code again we will find out why.
Let's find out how that thing is thinking. We see that the code tries to get the last element of the element with the id body. It stores that element in c and checks whether its id is intigriti. If that is the case, the code then selects the last element of that element. From that it creates a string, takes the last 4 characters and adds them to the front of the payload in the script.
Find out what to do and how to do it.
With the information about the code and about those 4 characters we know that we have to somehow manipulate the HTML structure.
The <div> tag is pretty useful in this case because it divides the HTML document.
So we have everything in our body div element.
And the id of the last element is container; by typing c.id in the console we can confirm it.
So how can we change it? How about closing the div we are inside and creating a new one with the right id. Besides that we add another <div> so the following div is one layer below. So we enter that with our new xss payload:
html=</div>Data<div%20id="intigriti"><div>&xss=;alert(document.domain);
And check whether c.id is now intigriti.
And check what the last 4 characters are.
We see that the string has changed and placed the span> tag in front of the payload, just as we expected.
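To make the described logic concrete, here is a small Node model of it (an added illustration, not the challenge's own code): it assumes the string is the last element's innerHTML and uses a hand-built tree rather than an HTML parser, so it reproduces the span> prefix but not the browser's repair of an unclosed tag.

```javascript
// Hypothetical model of the challenge page's logic as described in the writeup.
// Assumption: the "string" the page builds is the last element's innerHTML.

// Minimal element node: tag name, id and children.
function el(tagName, id, children = []) {
  return { tagName, id, children };
}

// Serialize an element roughly the way outerHTML would.
function outerHTML(node) {
  const idAttr = node.id ? ` id="${node.id}"` : "";
  return `<${node.tagName}${idAttr}>${innerHTML(node)}</${node.tagName}>`;
}

// innerHTML is the concatenated outerHTML of the children.
function innerHTML(node) {
  return node.children.map(outerHTML).join("");
}

// The logic from the writeup: the last element of #body must have id "intigriti";
// take its last element, serialize it, keep the last 4 characters and prepend
// them to the xss parameter. Returns null when the checks do not pass.
function buildScript(bodyEl, xss) {
  const c = bodyEl.children[bodyEl.children.length - 1];
  if (!c || c.id !== "intigriti") return null;
  const last = c.children[c.children.length - 1];
  if (!last) return null;
  const s = innerHTML(last);
  return s.slice(-4) + xss;
}

// Check whether generated script text even parses. new Function only compiles
// the source and never runs it, so this is safe to call on untrusted text.
function parsesAsJs(src) {
  try { new Function(src); return true; } catch (e) { return false; }
}

// Constructed DOM before injection: #body's last element is #container.
const bodyOriginal = el("div", "body", [el("div", "container", [el("span", "")])]);

// Constructed DOM after html=</div>Data<div id="intigriti"><div>: the page's
// trailing <span> now sits inside the new inner div.
const bodyInjected = el("div", "body", [
  el("div", "container"),
  el("div", "intigriti", [el("div", "", [el("span", "")])]),
]);

const xss = ";alert(document.domain);";
console.log(buildScript(bodyOriginal, xss));              // null
console.log(buildScript(bodyInjected, xss));              // pan>;alert(document.domain);
console.log(parsesAsJs(buildScript(bodyInjected, xss)));  // false: "pan>" breaks the script
```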
Cleaning up the payload and Exploiting the Bug
Now that was close, but way too easy for an Intigriti challenge. The next thing to do is to fix the payload and the escaping sequence in front of the string.
We play around with the HTML and try a few things, because we don't know the browser's way of fixing HTML.
After a bit of research we find out that by opening a tag and not closing it, the browser tries to fix the HTML tag.
Let's say it does that in a bit of a special way.
By opening a tag like this:
<n'(
and adding the required symbols to make our payload work, we trick the browser into creating the closing tag for that same tag. This repairs the JavaScript and lets us use our custom content.
https://challenge-1021.intigriti.io/challenge/challenge.php?html=%3C/div%3E%3Cdiv%20id=%22intigriti%22%3E%3Cdiv%3E%3Cn%27(&xss=;alert(document.domain);
By entering this we can now mark this challenge as done.
THE PAYLOAD WORKS, and we can thank Intigriti for another great challenge.
Thanks for reading, and please leave a like if this writeup helped you.