Cloudflare CDN CSP - XSS Bypass / HackTheBox Cyber Apocalypse CTF

Captions
How's it going, ladies and gentlemen? Welcome back to another YouTube video on the Cyber Apocalypse Hack The Box capture the flag CTF. Words and letters, let's get to it. I'm gonna hop over to the computer screen here where I'm checking out the interface, and let's move into this, The Galactic Times challenge. I see that one here. Uh, let's go ahead and check out that challenge info: "The Galactic Times is a monthly alien newspaper that focuses on news from around the galaxy. This month's issue is focused on the human race and contains some very controversial articles. Oh, the newspaper reportedly constrained," excuse me, "contains a restricted endpoint with some alien secrets. Can you find a way to view the forbidden pages?" Yeah, let's do it.

So, uh, let's start up this instance. Go right ahead. Uh, it will give me this little IP address and port that I can open up in a new tab here. We'll let that thing spin up and I'll go ahead and download these files. Good enough, and I will go ahead and move that downloaded file, web the galactic times, into this directory. I'll go ahead and unzip it here into apocalypse, since it does seem to go ahead and create, like, its own folder for me, and I don't want to keep, like, I don't know, making my path way too long that you can't see. I was noticing that in the previous videos, like, man, sometimes it's really kind of hard to, uh, read what I'm typing there because the path was just way too long with all the folders and subdirectories.

So it's another Node application, I guess. Great, it looks like I can struggle with some more JavaScript, and, uh, nothing else is all that exciting here. Not a location for the flag, anything, so it must be something else as part of the code. We'll hop into the challenge directory. I see another bot.js, so we are going to be using Puppeteer, or the application, we use Puppeteer to have a headless browser or kind of, uh, some mini Chrome go and view web pages for us, and they'll kind of act as the admin or the bot that will check these pages. Again, often used in cross-site scripting capture the flag challenges, so that's probably what we're up against here. Looks like there's a function that will go to the list page, again on localhost, and that's about it. It will purge data supposedly from this, but looks like that's all that that does for us.

Uh, let's take a look at that index.js and see what this is doing. Looks like, again, we have routes and database and paths set up. Oh, we have a Content Security Policy set up with some directives here. Yeah, so, okay, so we can kind of see what this Content Security Policy is, uh, incorporating and using. Looks like there are notions of the self and the unsafe-eval and the Cloudflare CDN, or the content delivery thing, and it uses Pug, okay, for a templating engine, or to view pages, and just goes ahead and listens. All right, puts us into public. What's in this database here? Oh, these are just feedback things, I guess.

We should probably go look at the application, honestly. I was digging through the source code, right? I still don't exactly know what we're going to be up against here. What's in public? We got static images, js. Is there more JavaScript that I should be checking out? Yeah, okay, so we can flash information back in and out with messages, good enough, and submit in the form here, we post to the API submit with feedback, similarly in the data that we submit, and that's it. Okay, so let's take a look at this actual application now. I will refresh the page. Good, and The Galactic Times, here we are. "Our world is controlled by elite humans." I like this meme here, "me getting ready to act normal at work," and he's, like, ironing a person. Oh my goodness, this is Alex Jones. [Laughter] Holy crap, I want this to be a real website. This needs to be a real website. That's gold. "Hex of the month." Ooh, what the heck is in the hex of the month? Holy crap, I want to see this. Um, let me just open up Sublime Text one more time. I just want to, uh, I want to know what this is. I'm sorry, I know it's completely useless and not relative to the video whatsoever, but let's see what this thing is. Thanks, Hack The Box, I appreciate you. "Truer words had never been spoken." What are we doing? "Issue two, memes edition." Oh, that was actually a link. "Send us feedback for this issue of The Galactic Times." Are there just emoticons that I can send? Sub, submit. "The galactic federation has processed your feedback." Great, there's a feedback list link. Ah, and "only localhost is allowed." Classic, just like the Alien Complaint Form.

So, uh, hey, you know what, let's, let's build this thing, kind of just as we did, as we did previously, to mess with it. Um, npm start. Why? What, what does it need? A package file? Was it supposed to have one? What if I just grab the one from the Alien Complaint Form? Okay, huh? Oh no, it's totally in challenge. I'm just dumb, that's all. I'm just an idiot. I don't, I hate Node so much. I wish I knew Node, I wish I knew more JavaScript stuff, but what are you gonna do? Learn. I'm just kidding, I'm just kidding, I'm just kidding, everything that I stand for. Let's, uh, let's roll this baby up on localhost, 127.0.0.1. Yeah, all right, now we're accessing it locally. Let's go and submit feedback. I'll do a little "please sub." Nope. Now let's, uh, check out our feedback list, and it's already gone, though, 'cause the bot, I'm sure. Going back to our code, we'll, uh, go take a gander at this thing. That is what happens, right? We post to it, and there's got to be some logic that actually figures that out. There's Bootstrap, um, views, list.pug. This must be the list page. Oh, it displays it all out with the templating engine, feedback, la la la, and there's that main.js, which is everything that we did. What, how is our bot knowing to go to it? Is that triggered? Am I just not piecing that together? Purge data, that clearly happened, but I'm sorry, I'm just trying to understand. That doesn't call the bot. Oh no, these are just the routes. Nothing. Oh no, no, no, there it is right there, there it is right there. Uh, once you submit, it adds it, and then the bot, and then the bot, then it just, okay, then it goes and determines it.

So if the bot is going to check it there, do I have any semblance of cross-site scripting? Yeah, let's go ahead and start up into the netcat listener. We'll do a, what the heck, let's go to home directory. You know what, let's get to dev show, just in case I end up doing anything weird. Let's listen on 9000. Yeah, and back in our feedback submit, let's do an image source go nowhere. Let's do that onerror to a, um, yeah, JavaScript can run now, window dot, window.location equals http localhost 9000 submit. And it would do, it, would that not do it? What would that do? Let me check out the network tab. Oh, I should add a, uh, single quote in there so that knows to, like, actually go there. Now when I submit this, it goes ahead and adds it all, but going to that feedback list, the bot is already gone, so it's displaying it all. Can I tell the bot not to purge it, just so I can see if, um, let me, let me restart Node, because I want to see if that cross-site scripting does actually trigger. So we'll go back to list, we'll submit feedback, an image source onerror go to my localhost, submit that, and now it won't do it. Oh, okay, so the image tag is there, it rendered, but I have this error in my console: "Refused to execute inline event handler because it violates the Content Security Policy directive," uh, script-src self unsafe-eval cloudflare, blah blah blah. What does that CSP look like? It should be displayed in the headers. Yeah, so we got this big long thing. I'm going to copy all of this, and Content-Security-Policy.

So if you are aware of the Content Security Policy, it's kind of this, like, thing, it's kind of the security mitigation, some security technique. It's basically, uh, determining whether, what sort of things your browser will trust, and, like, what it will use, what it's willing to execute, what it's willing to understand. Uh, so it could potentially stop cross-site scripting attacks, right? Like, trying to determine, and, like, how you could steal a cookie, whether it blocks the image tag like I've done, or script, etc. Uh, iframes, more and more. There is a lot of resources and understanding about this. Google has a pretty cool article out about it, and they actually kind of break down everything that these elements do. Yeah, oh, hang on, they have the CDN in here: "For example, if you have an application that loads all of its resources from a content delivery network, say cdn.example.net, and you know you don't need any framed contents or plugin, then your policy might look something like this," and they have, they, there they showcase some CDN examples. Okay, okay, okay, kind of cool. So can we do anything with that CDN thing, or any of those parts of, of this? It's displayed in here, it's displayed right up here, the script-src unsafe-eval. Feels weird, um. Processor. I'm Googling around to learn. I think there's, I've heard of, like, evaluator tools. Yeah, yeah, oh, Google has it, CSP Evaluator, I think, so you could just slap in this. "CSP Evaluator allows developers and security experts to check if a Content Security Policy serves as a strong mitigation against cross-site scripting attacks. It assists with the process of reviewing these policies, which is usually a manual task, and helps identify subtle CSP bypasses which undermine the value of a policy. CSP Evaluator checks are based on a large-scale study," blah blah blah. What do we got in here? Oh, this thing turned red up at the top. "Evaluated CSP as seen by a browser supporting" that cross-site scripting. Why is this one red? "'self' can be problematic if you host JSONP, Angular, or user uploaded files." We don't have any user uploaded files. We've done the JSONP in the previous, um, like, Alien Complaint video. "'unsafe-eval' allows the execution of code injected into DOM APIs such as eval," and "cdnjs.cloudflare.com is known to host Angular libraries which allow to bypass this CSP." Oh, and that's a high severity finding.

Okay, so if we want to actually execute our JavaScript code, what the heck can I do with that CDN? Cloudflare XSS, like, cross-site scripting. I don't want, like, learning out of it. Yeah, "bypassing Cloudflare WAF," "how I bypassed XSS," "bypass." Ah, where am I? That's not something that I want, I don't think. Is there, like, a bypass payload? Bypassing the Cloudflare WAF, but it's not a web application firewall that I'm up against right now. I need, like, a cross-site scripting thing. XSS payloads on Twitter, Cloudflare bypass. Does this legit work? Here I go on Twitter. Cool, I like the comments. Cool. That's not gonna work, is it? I feel like you would need to use the stuff that Cloudflare would supply. Let me try it just, just for, like, just for the giggles. No, did that error in the console as well? It's like, nah. Yeah, that doesn't want to hit it, like, it's rendering. If I view the source, it rendered the image, and it would run it if the CSP were not present, but because it is... Is there something on, like, bypass or payload all the things? Let's see if there is one for cross-site scripting. XSS, XSS and Angular CSP bypass. Yeah, yeah, yeah, "check the CSP on CSP Evaluator," nice. Uh, wall arm, rhinator, I don't think that's what I, I feel like this would have to come, oh, that's using XSS Hunter. I feel like this would have to come from the specific Cloudflare right here, Cloudflare CSP bypass. There's a HackTricks thing. Oh, there's a HackTricks thing, here's a Medium article, explanation of CSP. Okay, using some of the Cloudflare or the CSP evaluators that we've already seen. Tell me about Cloudflare, though. Okay, what about you, HackTricks? What do you got for me? Meta tags, these are the directives again, kind of explanation, unsafe-inline and unsafe-eval, those are the ones that we've seen. You have a working payload with that setup. Does this actually do stuff? I'm just kind of, want to see what this base64 does. It's just a, is this just an alert(document.domain)? Yeah, okay, would that run? Like, um, get me back to localhost, let's submit some feedback. No, that's still, it still needs the reference to Cloudflare. Oh, here we go, here we go, here we go: "third party endpoints in an unsafe-eval with script-src from cdnjs.cloudflare.com, unsafe-eval." That is exactly what we're working with. "Load a vulnerable version of Angular and execute arbitrary JavaScript." Yeah, is that the syntax that we need? Let's try that. So that will pull from Cloudflare to get its Angular copy, and then climbs to run an eval statement and pop an alert. See if that's, triggers it, triggers. Oh, okay, so that, that's kind of all we need right now.

It's not a cookie that we need to retrieve, though. Where is the flag, legit? Oh, flag. No, that's just, like, is this get alien? Did we ever see that? We never went into views, at least I never did. Okay, so it's in a local, it's in a file that only, let's go to alien. "Only localhost is allowed." So we need to read this page with our cross-site scripting and return that back out to us, because localhost will be able to read that just fine, right? If I, uh, go back to localhost and go to alien, the flag will be right there. Okay, so our cross-site scripting payload, let's save some notes here. We need to drive this all the way, this must be our, our injection point, we need to drive this all the way to that page and extract data out of it. How do they do that? How do they use fastify? Oh no, no, they use fetch. They, fastify and fetch would probably work, right? What does HackTricks do? There's this payload, but they had a, they had a list of other payloads, so I want to see, oh geez, uh, Cloudflare, I want to see, oh, they use fetch right here. They, they also use fetch. I feel like I can just grab that, um, and then I need to fetch that alien page. Yeah, but how do I carve the data out of that fetch? JavaScript get, uh, response using fetch. JSON, is there a way to just get the text itself? Introduction to fetch. Fetch, fetch, I see, like, the .then syntax, like, for using, uh, JavaScript, like, promises. I want it as text, though. Okay, cool, it does it. This, this looks like it's head, it's how it's done. So I don't want all these new lines, return function text, this console.log is what it would display out, but I want to, like, get the data from it. Can I do that?

Uh, is there, like, a way to, like, match, like, a regular expression, or, like, find a string? JavaScript regular expression, oh, JavaScript regex match, yeah. Oh, it'll just match, and that's it, okay, match. Um, can you find just the flag format prefix, please, and let's just alert that out. I think that's okay. So I am gonna go make sure that I still have this bot off. I'm gonna restart it and do that one more time, so when I get back to the page I can submit this, and then let's see if it alerts CHTB. Okay, um, so that's the start of the flag, but now I need to get the rest out. Uh, oh geez, how many escape things do I need? Dot star, just like that. Do I, I need to escape those because these are regular expressions, don't I? Let's go back, let's submit this. Now we're gonna have a lot of alert messages. http htb, and then, did it just not... oh, that, like, is still present, so that must have failed somehow. Like, that, like, I, that know if that star is going to get in the way. JavaScript regex is, like, weird. Uh, go, http htb, and it still fails. What is wrong? How does that go? match, alert, close all those promises. Did I, like, break JavaScript on this page now? No, those are still running. Uh, do you guys have examples of this? Oh, you can just specify, like, like, a regex pattern, right? Um, can I just do that, like, in this? Let's do const regex, const regex, p, I guess we'll use pattern in case that happens to be a word that's already stolen, and that needs two forward slashes, so CHTB, that, right, then pass in that regex. How about that? Will that work? Back to you. CHTB, CHTB, and then it fails again. What is wrong with that? Oh, RegExp, gosh dang it, okay. Feedback, submit, go, go back. CHTB, CHTB, and it fails. That needs these backticks, or these backslashes, to escape it out. I'm sorry, I know this is agonizing for you JavaScript homeboys. We're almost, we're almost home. Feedback list, CHTB, CHTB, did it get a third? No, it just failed again, seemingly. Do I seriously need two of these? That sketches me out, though. I'm gonna zoom out so I can actually view these pages back and forth. It doesn't do it. Can you alert the entire page? Like, will that just break everything? I don't know if it will. Problem is getting that whole page back to me. No, that fails too. What? Why does that fail? How about that? CHTB, CHTB, and then it still doesn't, but, oh, do I, double quotes? How the heck, what? This is rough. Why, why? This original one did work, right? That one too, and now that doesn't work anymore. Did I seriously bork this? Let me go back and purge this database. Um, wait, I think I just end up restarting it, and that's kind of all I need to do, right? Yeah, so submit this again. CHTB, good, it happens twice for whatever reason, but now matching anything following CHTB, that should give me a response, please. Yeah, okay, that works, all the way to the very end of the line.

So I just need now to bring that to localhost 9000 with c equals that thing added in. Yeah, so let's restart, submit feedback, let's go check and make sure this is listening, which it is. We submit this, go, and why doesn't it call back? That fails. document.location equals http 1270, or not? What part of this is wrong? alert worked. I don't understand what part of this is wrong, I seriously don't. Do I have an extra, I do, I was like, do I have an extra parenthesis in there? I do. Okay, okay, okay, yeah, yeah, yeah, yeah, yeah, okay, okay, we're, we're at the end game. This is good. Now we just need to use the exact same payload, but, oh god, okay, it was just redirecting. Uh, we need ngrok http, and my face is in the way, but we need to go to 9000. Yeah, okay, so that gave me an IP address, or a public domain name, so now if I go to that location instead and use that regex to grab everything after the flag format, we can go to the original page on the actual remote target. Oh, and the testing string was still coming back, so now let's submit this, and the bot should retrieve it, which it did, and we have our flag. Oh my gosh, that one was agonizing. I don't know, I need to do, I need to get significantly better at JavaScript or something, or figure out, or, I mean, I should realistically probably script these rather than piecemeal it, but this syntax is weird.

As that makes it here, let's do HTML, I guess. Um, we use the Cloudflare CSP bypass to be able to execute JavaScript, and then we run an eval so that we can fetch that alien page as the bot, and then as we retrieve it, we carve it out with regular expressions and a text match, uh, and then drive it to our endpoint that we're hosting with ngrok. So that's that, that's the cross-site scripting technique. After minutes, practically an hour, uh, I was struggling with this, struggling with this one, but there's our flag. We finally pulled it back, and I think it's really time for us to wrap this one up. I, I, I, I swear to god, I hope we're done with cross-site scripting. We did it, that one is done. The Galactic Times, struggle bus, holy cow. Thanks for bearing with me on fetch and JavaScript, and that, that was a whirlwind for me. Well, hey, I hope you guys had fun. I hope there was a semblance of learning value that you could extract out of this one. I know there was a, this one was pretty long-winded, as, I don't know, as they all seem to be. I don't know how I'm getting back, I'm getting worse at YouTube, but thank you so, so much for tuning in and checking out this video. Um, I hope it was a lot of fun, I hope you enjoyed it, and, uh, as always, thank you, and credit and kudos goes to Hack The Box for letting me keep hacking on this stuff, but, man, it's, uh, putting my head through fan blades over here. So thank you, thank you, thank you for watching, everybody. Please do use YouTube algorithm things, uh, like the video, comment, subscribe, you know the drill. I super appreciate it. I love you, I'll see you in the next video. Take care, everybody. [Music]
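The video's turning point is the CSP Evaluator report: `'unsafe-eval'` in `script-src` plus an allowlisted CDN (cdnjs.cloudflare.com) that serves Angular builds is enough to defeat the policy, even though the inline `onerror` handler itself was blocked. The Python below is an added example, not code from the video or from the challenge, that reproduces those checks as a small linter and contrasts the weak policy with a nonce-based `'strict-dynamic'` policy. The `WEAK_POLICY` string is a constructed approximation of what is read off the response headers in the video, and `ANGULAR_HOSTS` lists only the host the video names; the exact directives of the challenge are an assumption.

```python
"""Minimal Content-Security-Policy linter for script-src.

Added example (not the challenge's or the video's code). It reproduces the
findings reported by Google's CSP Evaluator in the video and shows why a
nonce + 'strict-dynamic' policy does not have the same weakness.
"""
import secrets
from typing import Dict, List
from urllib.parse import urlsplit

# Allowlisted hosts known to serve Angular builds that undermine a host-based
# CSP. Only the host named in the video is listed here; extend as needed.
ANGULAR_HOSTS = {"cdnjs.cloudflare.com"}

# Constructed approximation of the challenge's header (assumption, not verbatim).
WEAK_POLICY = ("default-src 'self'; "
               "script-src 'self' 'unsafe-eval' https://cdnjs.cloudflare.com; "
               "object-src 'none'")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            # A repeated directive is ignored by browsers; first one wins.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src falls back to default-src when it is absent."""
    return policy.get("script-src", policy.get("default-src", []))


def _host(source: str) -> str:
    """'https://cdnjs.cloudflare.com/ajax' -> 'cdnjs.cloudflare.com'."""
    if "://" in source:
        return (urlsplit(source).hostname or "").lower()
    return source.split("/")[0].lower()


def _host_matches(pattern: str, host: str) -> bool:
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def allows_script_from(header: str, origin: str) -> bool:
    """Would this policy let the page load an external <script> from `origin`?"""
    sources = script_sources(parse_csp(header))
    low = [s.lower() for s in sources]
    if "'strict-dynamic'" in low:
        # Host allowlist and scheme sources are ignored; only nonced scripts
        # (and whatever they load programmatically) run.
        return False
    host = _host(origin)
    for src in sources:
        if src.startswith("'"):
            continue  # keywords, nonces and hashes do not allowlist hosts
        if src == "*" or src.lower() in ("https:", "http:"):
            return True
        if _host_matches(_host(src), host):
            return True
    return False


def lint_script_src(header: str) -> List[str]:
    """Return findings in the style of CSP Evaluator; empty list means clean."""
    sources = script_sources(parse_csp(header))
    low = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in low)
    findings: List[str] = []
    if "'unsafe-eval'" in low:
        findings.append("MEDIUM: 'unsafe-eval' lets injected strings reach eval()/new Function()")
    if "'strict-dynamic'" in low and has_nonce_or_hash:
        return findings  # allowlist, 'self' and 'unsafe-inline' are ignored by CSP3 browsers
    if "'unsafe-inline'" in low and not has_nonce_or_hash:
        findings.append("HIGH: 'unsafe-inline' permits injected <script> and inline event handlers")
    if "'self'" in low:
        findings.append("MEDIUM: 'self' is risky if the origin hosts JSONP, Angular or user uploads")
    for src in sources:
        if src.startswith("'"):
            continue
        if src == "*" or src.lower() in ("https:", "http:"):
            findings.append(f"HIGH: {src} allows scripts from any host")
        elif _host(src) in ANGULAR_HOSTS:
            findings.append(f"HIGH: {src} hosts Angular libraries that allow bypassing this CSP")
    return findings


def new_nonce() -> str:
    """Fresh per-response nonce; the server stamps it on its own <script> tags."""
    return secrets.token_urlsafe(16)


def hardened_policy(nonce: str) -> str:
    """Nonce-based strict CSP. 'strict-dynamic' lets trusted scripts load their
    dependencies, so no CDN allowlist is needed; 'unsafe-inline' and https: are
    fallbacks that CSP3 browsers ignore once a nonce is present."""
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
            "object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", hardened_policy(new_nonce()))):
        print(f"[{name}] {pol}")
        for f in lint_script_src(pol) or ["no findings"]:
            print("   -", f)
```

The weak policy blocks the `onerror` handler (no `'unsafe-inline'`), exactly as the console error in the video shows, yet `allows_script_from` still returns true for the CDN, which is the gap the evaluator flags. Moving the application to the nonce-based policy removes the CDN allowlist from the decision entirely; the remaining work on the server side is emitting the nonce on every first-party `<script>` tag and dropping `'unsafe-eval'` once no code path needs `eval`.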
Info
Channel: John Hammond
Views: 41,845
Id: uU_tvQPCBUo
Length: 40min 48sec (2448 seconds)
Published: Tue May 25 2021