XS-Search — Secret Note Keeper, Facebook CTF 2019

Nguyễn Thế Đức, published in tradahacking, Jun 4, 2019

The 0ld-day of facebook ctf

Hi guys, long time no write.

Last week, I played Facebook CTF 2019 with the PwnPHOfun CTF team. This CTF was really cool, with nice web challs. I solved the Secret Note Keeper chall; the details are below.

Overview:

This chall opens with a simple register and login form. Let's create an account and review the functions.

Workflow:

  • Create note: you can create a note with a note title as the name and a body (secret info!) as the value (this is the secret one).
  • Search notes: after creating a note, you can search for it; you only need to input the first character of the secret info.
  • Report bugs: ¯\_(ツ)_/¯

After some fuzzing and testing of the report bugs function, I got an outbound connection to my VPS.

54.202.247.24 - - [01/Jun/2019:04:04:50 +0000] "GET /ducnt.html HTTP/1.1" 200 396 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/74.0.3729.169 Safari/537.36"

HeadlessChrome, so basically this chall is really about a client-side vulnerability.

At first sight of HeadlessChrome, I thought this chall was about an XSS problem, but when testing all the functions I found an htmlentities filter, which led to the conclusion that exploiting an XSS vulnerability was impossible.

Looking at these functions, I noticed a problem in the search notes function. When you input the first character of the secret info, an iframe is loaded with the details (name and content) of that note. This gave me the clue that the report bugs function really is vulnerable, and this vulnerability is called XS-Search (sounds familiar).

There are many articles about this vulnerability; you can find some references at:

Let me explain this bug simply with my knowledge (correct me if I'm wrong :D). Basically, if you have a banking account with $5M, somehow with this bug I can extract your balance :D. That is the impact of this vulnerability.

Back to the chall: how to get the flag???

In the description, the author noted: Find the secret note that contains the fl4g!. So only the admin can search the fl4g note with the flag detail. In this case, the admin is the bot. Somehow we will force the bot to search for the flag and return the content to us char by char.
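As an added example, not code from the challenge or from this write-up, here is a small Python model of the search endpoint that shows the oracle the bot is being driven against, and what a hardened version of the same endpoint looks like. The vulnerable handler renders one iframe per matching note and nothing otherwise, so a page on another origin that embeds or opens it can count child frames and learn whether a prefix matched without ever reading the note. The hardened handler renders matches inline (constant frame count), refuses to be framed, and uses a SameSite=Strict session cookie so that a cross-site navigation of the bot runs the search unauthenticated. The NOTES data, the header values and the /note path are assumptions.

```python
# Added example (not the challenge's own code): a minimal model of the note
# keeper's search endpoint, showing why "one <iframe> per matching note" is
# an XS-Search oracle and what a hardened response looks like.
# NOTES, the header values and the /note path are constructed for illustration.
from dataclasses import dataclass, field
from html import escape

# Constructed sample data: the bot ("admin") holds the flag note.
NOTES = {
    "admin": [("flag", "fb{placeholder_flag}")],
    "alice": [("aaaaaaaa", "flag is: fbflagflag")],
}


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)


def find_matches(user, prefix):
    """Notes of `user` whose secret body starts with `prefix`
    (the challenge searched on the leading characters of the secret)."""
    if not prefix:
        return []
    return [(t, b) for t, b in NOTES.get(user, []) if b.startswith(prefix)]


def search_vulnerable(user, prefix):
    """Challenge-style behaviour: one <iframe> per match, nothing otherwise.
    The page can be framed and the session cookie rides along on cross-site
    loads, so another origin that embeds this URL can read
    window.frames.length and learn whether `prefix` matched without ever
    reading the note text. htmlentities-style escaping blocks XSS but does
    nothing against this side channel."""
    frames = "".join(
        f'<iframe src="/note?title={escape(t)}"></iframe>'
        for t, _ in find_matches(user, prefix)
    )
    return Response(body=f"<div id=results>{frames}</div>")


HARDENED_HEADERS = {
    # Refuse to be framed at all (legacy header plus its CSP equivalent).
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    # Sever the window.opener / window.frames link from cross-origin openers.
    "Cross-Origin-Opener-Policy": "same-origin",
}


def session_cookie(token):
    """Session cookie attributes: with SameSite=Strict the admin's session is
    not attached when another site navigates or frames /search, so a
    cross-site search runs unauthenticated and sees no notes."""
    return f"session={token}; HttpOnly; Secure; SameSite=Strict; Path=/"


def search_hardened(user, prefix):
    """Same results, different shape: matches are rendered inline, so the
    frame count is zero whether or not anything matched, and the response
    carries the anti-framing headers above."""
    items = "".join(f"<li>{escape(t)}</li>" for t, _ in find_matches(user, prefix))
    return Response(body=f"<ul id=results>{items}</ul>", headers=dict(HARDENED_HEADERS))


def frame_count(resp):
    """What a cross-origin embedder can observe: the number of child frames."""
    return resp.body.count("<iframe")


if __name__ == "__main__":
    for q in ("fb", "fx"):
        print(q, "vulnerable frames:", frame_count(search_vulnerable("admin", q)),
              "| hardened frames:", frame_count(search_hardened("admin", q)))
```

The point of the comparison is that escaping output (the htmlentities filter the chall had) addresses injection, not information leakage: the oracle is the difference in response shape between a hit and a miss, combined with the response being reachable cross-site with the victim's cookies. Removing either half (constant shape, or no ambient authority via SameSite and frame-ancestors) closes the leak.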

Xploit flow:

  1. Prepare the exploit script and host it on your VPS.
  2. Prepare exploit code that solves the PoW and automatically submits your exploit script from (1).
  3. Track the access.log on your VPS for the characters of the flag sent char by char from the bot.
  4. Capture the flag.

Xploit code:

  1. exploit1337.html: http://0x1337.space/fbctf2019/exploit1337.html
  2. exploit.js: http://0x1337.space/fbctf2019/exploit.js
  3. exploit.py: http://0x1337.space/fbctf2019/exploit.py

For example: I created a note with note title aaaaaaaa and content flag is: fbflagflag. I set up the xploit script to brute force from the fb keyword, and the next character expected is f:

It worked

Running the exploit is simple: $ python exploit.py && track your access.log. Update the flag in const flag of exploit.js and repeat (because the timeout is 5 seconds, you can extract one or two characters in one exploit session).
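From the defender's side, the same char-by-char flow leaves a recognisable trace in the note keeper's own access log: within the bot's 5-second budget, one client issues a burst of search requests that all share a common prefix and differ only in the last candidate character, and they are navigated to from a foreign origin. The following Python, added here and not part of the write-up or the challenge, parses combined-format log lines like the VPS line above, groups searches per client, and raises an alert for a burst of distinct cross-site search queries, reporting the longest common prefix (that is, how much of the secret the probing has established). The APP_HOST value, the /search path and the sample log lines are constructed.

```python
# Added example (not the challenge's or the author's code): detecting
# XS-Search style prefix probing in the note keeper's own access log.
# The log lines, APP_HOST, SEARCH_PATH and the attacker hostname are
# constructed; the line format is the common "combined" log format.
import os
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

APP_HOST = "notes.example"   # constructed: the note keeper's own origin
SEARCH_PATH = "/search"      # constructed: path of the search endpoint

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: alice searches her own notes from inside the app; the
# bot (10.0.0.7) is driven from attacker.example through a burst of searches
# that all share the prefix "fb{" and each try one more candidate character.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2019:04:04:58 +0000] "GET /search?q=a HTTP/1.1" 200 640 "http://notes.example/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0"
10.0.0.7 - - [01/Jun/2019:04:05:01 +0000] "GET /search?q=fb%7B HTTP/1.1" 200 512 "http://attacker.example/exploit1337.html" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/74.0.3729.169"
10.0.0.7 - - [01/Jun/2019:04:05:01 +0000] "GET /search?q=fb%7Ba HTTP/1.1" 200 396 "http://attacker.example/exploit1337.html" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/74.0.3729.169"
10.0.0.7 - - [01/Jun/2019:04:05:02 +0000] "GET /search?q=fb%7Bb HTTP/1.1" 200 396 "http://attacker.example/exploit1337.html" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/74.0.3729.169"
10.0.0.7 - - [01/Jun/2019:04:05:02 +0000] "GET /search?q=fb%7Bc HTTP/1.1" 200 512 "http://attacker.example/exploit1337.html" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/74.0.3729.169"
10.0.0.7 - - [01/Jun/2019:04:05:03 +0000] "GET /search?q=fb%7Bd HTTP/1.1" 200 396 "http://attacker.example/exploit1337.html" "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/74.0.3729.169"
10.0.0.5 - - [01/Jun/2019:04:05:10 +0000] "GET /search?q=fl HTTP/1.1" 200 612 "http://notes.example/search?q=a" "Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0"
"""


def parse_log(text):
    """Yield one record per well-formed line; `query` is the search string,
    or None for requests that are not searches."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["path"])
        query = None
        if parts.path == SEARCH_PATH:
            query = parse_qs(parts.query).get("q", [""])[0]
        ref_host = urlsplit(m["referer"]).hostname
        yield {
            "ip": m["ip"],
            "ua": m["ua"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "query": query,
            # A Referer on another origin means the search was navigated to or
            # framed from elsewhere; "-" (no Referer) is treated as unknown.
            "cross_site": ref_host is not None and ref_host != APP_HOST,
        }


def detect_prefix_probing(text, threshold=4, window=timedelta(seconds=30)):
    """Alert on clients that issue `threshold` or more distinct cross-site
    search queries within `window` of each other. Each alert carries the
    longest common prefix of the probed queries: the part of the secret the
    probing has already confirmed."""
    by_client = defaultdict(list)
    for rec in parse_log(text):
        if rec["query"] is not None and rec["cross_site"]:
            by_client[(rec["ip"], rec["ua"])].append(rec)

    alerts = []
    for (ip, ua), recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        bursts, burst = [], [recs[0]]
        for rec in recs[1:]:
            if rec["ts"] - burst[-1]["ts"] <= window:
                burst.append(rec)
            else:
                bursts.append(burst)
                burst = [rec]
        bursts.append(burst)
        for b in bursts:
            queries = sorted({r["query"] for r in b})
            if len(queries) >= threshold:
                alerts.append({
                    "ip": ip,
                    "ua": ua,
                    "distinct_queries": len(queries),
                    "common_prefix": os.path.commonprefix(queries),
                    "first": b[0]["ts"].isoformat(),
                    "last": b[-1]["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_prefix_probing(SAMPLE_LOG):
        print(alert)
```

Referer is a weak signal on its own, since a Referrer-Policy on the attacking page can strip it; if the front end logs the Sec-Fetch-Site request header, the value cross-site is a more reliable flag for the same condition, and the prefix-burst logic above can key on it instead.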

Capture the flag:

And the flag is: fb{cr055_s173_l34|<5_4r4_c00ool!!} (In the first extract, I got a wrong flag, off by just 1 byte :'(, which cost me 2 hours of troubleshooting).

Thanks for reading and sorry for my bad engrisk (TOEIC 900 :'( ). However, in this CTF Facebook used ctfd.io; I really miss the old Facebook CTF framework, it's really c00ool!!
