Hey girls and guys! Following a request for write-ups from Circles (excellent job organizing the CTF by the way), we’re going to analyze how we captured Charizard (in the form of a flag). Without further ado, let’s begin!
The description of the challenge from the player board gave us some clues:
“Store” and “hijack”.
Step 1: Identification
First things first! We needed to identify an input field that was vulnerable to XSS.
The most likely candidates for a stored XSS vulnerability are forum posts or comment boxes since these by default have to be persistent.
So having found where to inject our malicious payload, we needed to figure out how to get our flag! We knew Charizard likes to “hijack” stuff, so we assumed we had to actually exploit the XSS vulnerability to steal something (probably a cookie).
Step 2: Plan attack
This will force the victim’s browser to try to load a new image from the IP address provided, sending an HTTP request for the resource /flag?=<their_cookies>.
To be in a position to capture the cookies, we needed to be listening on the IP address we specified in the payload. There were two ways to go about doing this:
- If we were going to be listening from our HOST machine, we needed to use our IP address.
- If we were going to use the PlayMon interface, we needed to use 127.0.0.1, localhost or the VM IP address. There was one extra caveat: we also needed to find a port we could bind to since we were not running as root and couldn’t use the default HTTP port 80.
For the sake of demonstration, we used the PlayMon interface as this was provided, and we used port 65000 (as this is a non-registered port). We started our netcat listener with the following command:
$ nc -lvnp 65000
This basically means:
- listen for incoming connections (-l),
- on port 65000 (-p 65000),
- be verbose (-v); and
- don’t do any DNS or service resolution (-n)
Step 3: Execute
Firstly, we set up our listener via the PlayMon interface so we could (hopefully) capture any incoming cookies using the command shown above.
Secondly, we had to adjust our payload to include the port number chosen for the attack (65000) and the loopback IP of the VM (127.0.0.1):
Thirdly, we posted a new comment with our new payload! Viewing the source, we saw it had been reflected back in the response. We patiently waited for Charizard to visit the vulnerable page…
We checked our PlayMon interface after ~20 seconds and saw that we had gotten our flag. Charizard captured!
So why did we get an incoming request on our listener that sent our flag? For those who don’t fully comprehend what an XSS vulnerability is, it might appear that we are exploiting the server to get our flag. However, this is incorrect as XSS is used to attack users of an application.
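To show what the fix on the application side looks like, here is an added example (our own, not code from the CTF or the PlayMon platform): the comment box's vulnerable rendering next to an HTML-encoding version, a small parser that lists the elements a browser would actually fetch or execute, and a session cookie flagged HttpOnly so injected script can't read it in the first place. The sample comment is constructed for the demo and only stands in for the payload described above.

```python
import html
from html.parser import HTMLParser

# Constructed sample comment: an image tag pointing at a listener, standing in
# for the write-up's stored payload (the original payload is not reproduced).
SAMPLE_COMMENT = '<img src="http://127.0.0.1:65000/flag?=session%3Dabc">'


def render_comment_vulnerable(comment: str) -> str:
    """Vulnerable: the stored comment is concatenated into the page as-is."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Hardened: HTML-encode the comment so the browser treats it as text."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


class ActiveContentFinder(HTMLParser):
    """Collects elements that would fetch a remote resource or run script."""

    FETCHING_TAGS = {"img", "script", "iframe", "object", "embed", "link"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.FETCHING_TAGS:
            self.findings.append(tag)
        for name, _ in attrs:
            if name.startswith("on"):  # inline event handler such as onerror
                self.findings.append(f"{tag}@{name}")


def active_elements(rendered_html: str) -> list[str]:
    """Return the active elements a browser would see in rendered_html."""
    finder = ActiveContentFinder()
    finder.feed(rendered_html)
    finder.close()
    return finder.findings


def session_cookie_header(value: str) -> str:
    """Set-Cookie value: HttpOnly keeps the session out of document.cookie."""
    return f"session={value}; HttpOnly; Secure; SameSite=Lax"


if __name__ == "__main__":
    print(active_elements(render_comment_vulnerable(SAMPLE_COMMENT)))  # ['img']
    print(active_elements(render_comment_safe(SAMPLE_COMMENT)))        # []
```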
Looking at the line starting with User-Agent in the above screenshot, you’ll see the string PhantomJS somewhere towards the end. PhantomJS is a headless, scripted browser (from Wikipedia), which can be used to do exactly what we just described above for the purposes of the CTF.
Hope you found the above useful. If you have any questions, drop us a comment on Facebook or Twitter.