DerpCon CTF: SecureMessage

By: ohai 4 years ago
CTF DerpCon RunCode

SecureMessage appears to be a messaging platform where you can send messages to other users. Another app just asking to be XSS’d. We can send messages to ourself, so that’s a pretty decent testing ground to see if we can get some XSS working. I’ll start by sending some basic XSS to myself, using differing payloads just in case one hits and the other does not.

img

Hitting the Get Messages button shows us the new message and a read button. No alert() but we should look at the message itself.

img

img

Interesting. It looks like the subject is stripping away the script tags and the message portion is being htmlentities'd so we can pretty much just discard it.

img

There’s about 5000 ways around this, but let’s do the dumb one! Maybe we can get away with nesting the script tags like so <<script>script>.

img

We get a little different result when we view our message list this time…

img

Then when we open the message itself…

img

MONEY!! Now, we’ll craft up a slight variation on what we used for Khanslist.

img

When it lands on our listener, we’ll see two requests with the payload encoded (that would be the view messages page) and a third hit with the admin cookie where the admin viewed our message!

img

So we load up that shiny new cookie and check our messages. Wewt, got a flag… derp{silly_fixes_are_silly_sadface_dot_jpg}

img


Comments: 0

Unmoderated: 0 Spam: 20