TJCTF 2018: Stupid Blog
|Event|Challenge|Category|Points|Solves|
|TJCTF 2018|Stupid Blog|Web|130|22 solves|
I created this blog site, but it doesn’t do much. I did hide a flag on here though. Maybe you can convince the admin user to give it to you?
Stupid Blog was a stored XSS challenge in which you bypass the CSP by using a JPEG file as a script.
Find the XSS
Once on the website, you have two options: register and log in. So I created an account and logged in.
After logging in, there are three more options: upload a profile picture (JPEG/PNG), write a post on your “blog”, and report a user. Because I had seen a similar challenge in EasyCTF (Fumblr), I immediately thought of an XSS.
So I tested an XSS payload in a post: it was injected correctly, but not executed… the fault of the very strict CSP.
content-security-policy: default-src 'self'
Bypass the CSP
I replaced it with my payload:
The payload forces the admin's browser to GET his blog page and send the entire content to http://drstache.proxy.beeceptor.com.
Next, we need to use the XSS to load our polyglot JPEG as a script. To do so, I posted <script charset="ISO-8859-1" src="ggg/pfp"></script> on my blog.
The last step is to report my user to the admin and wait for him to visit my profile.
After a few minutes, a request was sent to my beeceptor by the admin \o7
It contained the whole admin page, and the flag was in it.
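The defensive counterpart to the chain above, as an added example that is not part of the original writeup or the challenge's code: each link of the exploit (unescaped post, `script-src 'self'` covering the upload path, an image served in a way the browser will execute as a script) is closed in turn. The `/<user>/pfp` route name and the request/response shape are assumptions, and all sample bytes in the test are constructed.

```python
import html
import secrets

# File signatures of the two upload types the blog accepts.
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def sniff_image_type(data: bytes):
    """MIME type derived from the file signature, or None for anything else."""
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if data.startswith(PNG_MAGIC):
        return "image/png"
    return None

def serve_profile_picture(stored: bytes):
    """Response for the /<user>/pfp route (route name is an assumption).
    The MIME type comes from the bytes, never from the uploader, and nosniff
    makes the browser refuse a <script src> whose response is not a
    JavaScript MIME type, so a JPEG that is also valid JS never runs."""
    mime = sniff_image_type(stored)
    if mime is None:
        return 404, {}, b""
    return 200, {"Content-Type": mime, "X-Content-Type-Options": "nosniff"}, stored

def render_blog(posts):
    """(csp_header, html_body) for a blog page: posts are HTML-escaped, which
    closes the stored XSS itself, and script-src uses a per-response nonce
    instead of 'self', so a same-origin upload path is no longer a script source."""
    nonce = secrets.token_urlsafe(16)
    csp = (f"default-src 'self'; script-src 'nonce-{nonce}'; "
           "object-src 'none'; base-uri 'none'")
    body = "".join(f"<p>{html.escape(post)}</p>" for post in posts)
    return csp, body

def script_sources(csp: str):
    """Sources a CSP allows for scripts: script-src, else the default-src fallback."""
    directives = {d.split()[0]: d.split()[1:] for d in csp.split(";") if d.split()}
    return directives.get("script-src", directives.get("default-src", []))
```

Serving user uploads from a separate origin (so they are not `'self'` at all) removes the same-origin whitelist problem entirely and is worth doing in addition to the above.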