I’ve been out of practice for CTFs as of late, but SEC-T just ran a short but fun CTF that had a number of quick problems which I thoroughly enjoyed. Here I will focus on Admin I & II, both XSS problems created by Mathias Karlsson.
Admin I — Web 100
Can you alert(1) this page (in firefox)?
Sure, I’ll take that challenge: the page asks if you can achieve an xss of alert(1) and gives you a link with the injectable parameter (http://xss1.sect.ctf.rocks/?xss=stuff). The resulting script on the page looks like this:
<script>
dontrunthisscript();
var a = “stuff”;
</script>No matter what you inject to replace “stuff”, you will find that the code will not run since it attempts to call dontrunthisscript() first, which isn’t defined. Additionally the “<” character was filtered out, so we couldn’t just make our own new <script> block :( .
So we define the function ourselves and make it call alert(1) (The irony was lost on the js console, it ran it without any interruptions). The below payload resulted in the script below and a nice alert(1) box.
Payload: http://xss1.sect.ctf.rocks/?xss=stuff”; function dontrunthisscript(){ alert(1); } “
<script>
dontrunthisscript();
var a = “stuff”; function dontrunthisscript(){ alert(1); } “”;</script>
I submitted the payload and was treated to my first flag:
sect{h0ist_uR_funct10n5_h0ist_y0_w1fe}
Admin II — Web 200
The second XSS challenge showed a similar page, but the alert(1) was harder to achieve. Though we no longer had an undefined function to deal with, we could not use = or parentheses. This made injection fairly difficult because any methods I knew of to get arround using parentheses (usually something like onerror=alert;throw 1;) at least required the equals sign.
After doing some reading I came across this stackoverflow discussion (I’d be lost without stackoverflow ❤) which discusses calling javascript functions with template literals instead of using parentheses and an argument:
A tagged template is a function call where the arguments of the call are derived from a TemplateLiteral (12.2.9). The actual arguments include a template object (12.2.9.3) and the values produced by evaluating the expressions embedded within the TemplateLiteral.
As I am no javascript expert, what this means to me is I can call alert(1) by using backticks instead of parens.
Payload: http://xss2.sect.ctf.rocks/?xss=”; alert`1`; “
<script>
var a = ""; alert`1`; "";
</script>Submitting the above payload gave me the flag: sect{c4t_g0t_ur_p4r3nth3s3s?}
Both challenges were fun, and I hadn’t come across the template literal method used in Admin II before, so I learned a new technique, which is always great. Thanks to SEC-T and @avlidienbrunn & @SEC_T_org for the opportunity.
