
Flag Bearer - ECSC2023

Points: 119 Solutions: 41

The admin knows the flag but won’t tell me.
https://flag-bearer.ecsc23.hack.cert.pl/

Reconnaissance

The starting point looks like this: [screenshot] As we can see there are two subpages, login and register. I ran sqlmap on them but nothing special was found.

So I tried to create an account: [screenshot] We see that the server returns us a cookie:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiazFrOSJ9.Rvmw2sxvYmGfuEAP0b1eN1IB_ITbK_cGEKuzZJoVIXM

Which, according to CyberChef, is a JWT: [screenshot] The header decodes to {"alg":"HS256","typ":"JWT"} and the payload to {"name":"k1k9"}.

Unfortunately we cannot forge our own JWT: the signature is an HMAC-SHA256 over the header and payload, so producing a valid token for another name requires the secret key the server used. So we keep digging.

Notes

Let's take a look at the site's responses. It is plain HTML with a few subpages. The interesting one is /notes: [screenshot]

After view-source we can see that creating a note by entering text in the content input executes this JavaScript:

// Generates a random version-4 UUID in the browser; this becomes the note name
function uuidv4() {
  return ([1e7]+-1e3+-4e3+-8e3+-1e11).replace(/[018]/g, c =>
    (c ^ crypto.getRandomValues(new Uint8Array(1))[0] & 15 >> c / 4).toString(16)
  );
}

let noteForm = document.getElementById("addnote");
noteForm.addEventListener("submit", (e) => {
  e.preventDefault();

  // The note name is chosen client-side, so it is fully under our control
  let name = uuidv4()
  let content = document.getElementById("content").value;

  // name and content are POSTed to /notes as JSON; the page is reloaded afterwards
  const r = fetch("/notes", {
    method: "POST",
    body: JSON.stringify({
      name: name,
      content: content,
    }),
    headers: {
      "Content-type": "application/json; charset=UTF-8"
    }
  }).then((data) => {
    location.reload();
  })
  
});

Let's check this in practice: [screenshot] On the /notes page it looks like this: [screenshot]

We have:

  1. name, which is generated by the uuidv4 function
  2. content, which is our text
  3. secret, which is generated in some way by the server so that notes can be shared

Note secret

Secret:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJuYW1lIjoiMmEwZTMzN2EtZDJlMS00YzhkLWE5NDEtYjFlNmM2ODI4ZTNmIn0.q9MLFE_3wpAgsjCbjbluIBu_OJJA2otyFPZxoDcPF2k

JWT Decode:

{
    "name": "2a0e337a-d2e1-4c8d-a941-b1e6c6828e3f"
}

As we can see, the note's share secret has the same structure as our session cookie: an HS256 JWT with a single name claim, signed by the server. If the server uses the same key for both, then a note whose name is a username is a valid session token for that user, and since we control the note name, we can make the server sign any name we like. So let's try to create a:

{
    "name": "admin"
}

by modifying the request we send when creating a note, step by step:

  1. In Burp we intercept our POST request: [screenshot]
  2. Change name to admin and forward the request: [screenshot]
  3. Get the secret; this will be our new session cookie: [screenshot]
  4. Let's check that this is a valid JWT: [screenshot]
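To make the flaw concrete, here is a Python model written for this write-up; it is not the challenge's code, which we never saw. It decodes the two tokens shown above without verifying them (what CyberChef shows), then models a backend that signs note names and session usernames with the same HMAC key and a single name claim (an assumption about the server, and the key value is made up), reproduces the Burp steps against that model, and goes one step beyond the page with a fixed variant that keeps the two token types apart.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Tokens copied from the write-up: the session cookie issued at registration
# and the share secret returned for a note named with a UUID.
SESSION_COOKIE = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
                  ".eyJuYW1lIjoiazFrOSJ9"
                  ".Rvmw2sxvYmGfuEAP0b1eN1IB_ITbK_cGEKuzZJoVIXM")
NOTE_SECRET = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
               ".eyJuYW1lIjoiMmEwZTMzN2EtZDJlMS00YzhkLWE5NDEtYjFlNmM2ODI4ZTNmIn0"
               ".q9MLFE_3wpAgsjCbjbluIBu_OJJA2otyFPZxoDcPF2k")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and claims without checking the signature."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))


def hs256_sign(claims: dict, key: bytes) -> str:
    compact = {"separators": (",", ":")}
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64url_encode(json.dumps(claims, **compact).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def hs256_verify(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the signature checks out under key, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None
    return json.loads(b64url_decode(payload))


# Hypothetical server key: the real one is unknown, any value demonstrates the flaw.
APP_KEY = b"hypothetical-server-secret"


class VulnerableApp:
    """Assumed backend: one key and one 'name' claim for both sessions and share secrets."""

    def login(self, username: str) -> str:
        return hs256_sign({"name": username}, APP_KEY)

    def create_note(self, name: str, content: str) -> str:
        # The share secret is just the client-chosen note name, signed with the session key.
        return hs256_sign({"name": name}, APP_KEY)

    def current_user(self, cookie: str) -> Optional[str]:
        claims = hs256_verify(cookie, APP_KEY)
        return claims["name"] if claims else None


class FixedApp(VulnerableApp):
    """Separate purposes: a distinct key per token type plus an explicit purpose claim."""
    SHARE_KEY = b"hypothetical-separate-share-key"

    def login(self, username: str) -> str:
        return hs256_sign({"name": username, "purpose": "session"}, APP_KEY)

    def create_note(self, name: str, content: str) -> str:
        return hs256_sign({"note": name, "purpose": "share"}, self.SHARE_KEY)

    def current_user(self, cookie: str) -> Optional[str]:
        claims = hs256_verify(cookie, APP_KEY)
        if not claims or claims.get("purpose") != "session":
            return None
        return claims["name"]


def exploit(app: VulnerableApp) -> Optional[str]:
    """The Burp steps: create a note named 'admin', reuse its secret as the session cookie."""
    forged_cookie = app.create_note("admin", "anything")
    return app.current_user(forged_cookie)


if __name__ == "__main__":
    print(decode_unverified(SESSION_COOKIE))
    print(decode_unverified(NOTE_SECRET))
    print("vulnerable app sees us as:", exploit(VulnerableApp()))
    print("fixed app sees us as:", exploit(FixedApp()))
```

Against the vulnerable model the forged share secret is byte-for-byte the session cookie the server would issue to admin, which is exactly what made the Burp trick work; the fixed variant rejects it because the share secret is signed with a different key and carries no session purpose. Note that verifying the real tokens with the made-up key fails, as expected, which is why guessing the key was never the path here.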

Final

Now we replace our session cookie with the forged token and try to access the admin's notes. In this case I'll use Postman:

[screenshot]

And we have a flag ;)

This post is licensed under CC BY 4.0 by the author.