title: Kara Jutsu Access
date: Dec 25, 2022
tags: Writeups YogoshaChristmas_2022 Web
Difficulty: 500 points | 31 solves
Description: Well done accessing some important information! Now I heard that some kara members use the following website for a reason, can you retrieve Dr Amado cookie?
This challenge was the 4th step of the CTF. For this one, we had to find a way to get an XSS to get the bot's cookie. The website was a simple web application with a profile endpoint with a image file upload feature.
Trying to find a way to upload a
.html... files leads to nothing as the file must be a valid PNG / JPEG file. So, we need to find another feature that could be used to get it.
Looking around, it is possible to find a chat that is vulnerable to unsanitized HTML injection:
Unfortunately, the website is securised using the following CSP which allows only script to be load from the website domain.
<meta http-equiv="Content-Security-Policy" content=" script-src 'self' ; object-src 'none' ; ">
To archive the file upload explained above, we need to check 2 conditions:
Why do we need to have a valid MIME-Type? Because, if we try to load a resource with
<script src="XX"> with an invalid MIME-Type, the browser will block his loading thanks to the CORB.
What is Cross-Origin Read Blocking (CORB)?
CORB is a Browser security that aims to mitigate side-channel attacks and ensure that protect sensitive resources from been loaded on a website.
To do so, it will restrict the MIME-Type that can be loaded depending on the context. For example, for <script src=""> the MIME-Type must be:
More details here: link.
Luckily for us, files are sent back to the client using the MIME-Type
Notice the charset="ISO-8859-1" attribute which is necessary to make the exploit works.
http://184.108.40.206/index.php?name=a&email=a&subject=a&message=<script charset="ISO-8859-1" src="<IMAGE-PATH>">&subcom=#