IFrame Parent XSS - HackTheBox Cyber Apocalypse CTF

Captions
Welcome back, everybody, to another YouTube video. We're still looking at the Cyber Apocalypse Hack The Box capture the flag; I don't know what order to say those words, they all kind of come together. So let's get to it. I'll hop over to my computer screen here and we'll get to the good stuff.

So I'm here at the interface and I want to take a look at this Alien Complaint Form challenge. I can take a look at the challenge information, the details here: "The aliens found a cool new security feature called CSP" (ooh, some Content Security Policy, right) "and have since implemented it into their HR complaint form. There are reports that any issues reported by humans are not taken into account, instead deleted. The human resistance has left a back door in the website that can be used to acquire sensitive information from the aliens. Can you find it?"

All right, so let's start up this instance here. It will go ahead and create an IP address and port for me, and I'll go ahead and download these files just as well. I'll open up a new tab, or I can go visit that instance, and here we are at the HR complaint form. It says "If you're human, we don't care." So we can specify a complaint, seemingly. I will type in the obvious complaint, submit that, and it says "The Galactic Federation has processed your feedback." Okay.

So I see a link, kind of a navigation up here: a complaint list. If I click on that, does it take me there? Please? Maybe? Is that actually a link? Yes, /list. Oh, it is disabled. Okay, I guess because I'm human and it doesn't care: "Only localhost is allowed." Roger. Could I do some stupid cheeky X-Forwarded-For thing? Let's apply a header, X-Forwarded-For, let's do localhost. Localhoist. Classic. "Only localhost is allowed." What about a little 127.0.0.1? "Only localhost is allowed." Am I... X-Forwarded-For, X-Forwarded-From, are those different things? Let's try a little X-Forwarded-From. No, still not having it. Okay, well, you know what, let's go ahead and get started looking at this source code here. If they are going to give me a download, maybe they got something worthwhile in there.

So that is alien complaint form. I'll move into this directory, extract all that, and let's see, we have the Dockerfile again. I will take a look at it, of course. We're using Node, that seems to be the trend so far with these challenges, installing libraries and things that it needs, app, etc. etc. Good enough. What else is in here? Let's check out that challenge directory. Oh, we have a bot.js file. Oh, it's going to use Puppeteer. Okay, Puppeteer is kind of like a little headless browser that can go ahead and connect to some web pages wherever you'd like, typically often used for cross-site scripting style capture the flag challenges, or having some automated thing go check a web page. So I'm gonna assume, yeah, okay, so this bot will go ahead and go look at the list of complaints. It looks like it goes to it and it has cookies. So the bot cookies are kind of what I need, or the admin or whatever that checks this, and their flag is stored in a cookie. Their cookie has a flag that includes the value; right now it's just a placeholder, but I'm sure it'll be the real flag once we get to the actual remote target. But it totally ignores human entries, whatever. Does it actually do this? I'm sure it has to still read them, doesn't it? If it's going to that page it'll load whatever's on there.

What else we got? database: this just stores the feedback. Okay, so "someone ate my intergalactic donut," man, dude, that's rough, I know the feeling. You can add a feedback if you are seemingly human; it inserts it into the database, and then list will get feedback, I'm going to assume selects it all out. Okay, nice and easy with SQLite. What about this index.json file, or .js file, sorry. SQLite database feedback.db, gonna listen on localhost at 1337.

I think we saw that here actually in the bot: it will try to navigate to localhost:1337, and that's where the cookies are set. So that's super important. If we are going to try and access these cookies with some cross-site scripting, then it's forcing us to kind of visit through localhost, and I mean our bot is going to do that. So what else does this index.js do? Nothing. What else do we have? routes, that's just the route for itself, isn't it? Oh no, this is new. We get the bot, we have the database. If a request is made to that list endpoint where we were going, if the request IP address is not localhost, ah, then it will send a 401, "Only localhost is allowed." So that's what we were running into earlier; otherwise it would list it. Okay. So if we were to POST to submit a request, we get the complaint object from our request, and then we add it with the database as we've just done, and then the bot will try and go access it. So it'll say okay, "The Galactic Federation has processed your feedback." Good enough. And then it sends a message whether it... oh, if it errors it will tell us it crashed, I see. Otherwise we don't have any parameters in there.

What is this? What is this called? This does this after, right, GET jsonp. Checks our query, checks our request with the variable callback, is that, or display, or concatenating on display, and then it will return JavaScript "feedback equals", ah, and it will send out the string of our callback executing, including the feedback. I'm a little confused as to how that works. I might be dumbo reading this code the wrong way, but that is api jsonp, right? Yeah, okay. So that will return our feedback. Oh, the callback looks like it's a function call, oh, and display is the value if it's not supplied. So if callback is not supplied, or display, then display is what's going to run here based off of the feedback. Feedback is going to come from us getting the feedback and it will return that, right? So callback can equal... it's going to run JavaScript, is it not? display is going to do something.

Can I do like alert? That alerts. What if I add a 1 there? But then I need to display alert(1). Can I like... am I viewing the source here? This is still genuine content, but it'll render that out, right? I can just use a script, can I not? I am weirded out right now. script alert 1 display. Let me check the source code one more time on that: Content-Type application/javascript, let feedback await feedback, then we retrieve the feedback, so stringify feedback. That's always going to return from this database seemingly, but the callback is something that I can supply. So can I do that on like list? "Only localhost is allowed." I'll never be able to do that unless I would run this locally, right? If I run it locally, will it work better? This list thing doesn't have any notion of it, though, like list doesn't know what to do with that callback. Maybe I'm getting too in the weeds on this.

Can I run this? Can I do this? Well, challenge... oh, npm, can I run this thing, can I do this locally? npm run, npm start, I think. start. I need to install the packages, it looks like. npm install. Oh gosh, I'm not a Node guy by any means, I don't know what this will do. Getting Puppeteer, kind of downloading the headless Chrome that it might need. Yeah, okay. How about npm start? Okay, it's running on localhost:1337 now. Can I get to list? Yeah, okay. But if I were accessing list from localhost, like the bot would be, what can I do? Is there public? Yeah, list.html. Oh, this calls more JavaScript that's in public/static/js/list.js. This will display out with the table format all the complaints and the feedback, and others... jsonp again. Oh, it does JavaScript with the callback URL, like with the callback query, and it adds it to this page. Is that something that I can do, like callback equals alert? Oh, those are the objects though, right. alert(1). Cool. I mean this isn't all that helpful; it's cross-site scripting on myself. How do I... does that do that for every complaint, though?

Like if I were to actually add an alert(1), I won't see this happen because the bot will go ahead and do this right now. That would be accessible at list, but it's already pruned and removed it. So can I like... let's do a 9000 or something. Let's go back and add an image, source equals this thing, onerror equals window.location, I guess, can be http://localhost:9000, and that. So if the bot were to see this they would be carried, hopefully, to localhost:9000. Maybe. Would that work? Let me try that back on that list style thing, so callback equals alert. Me triggering it automatically, that doesn't do anything. Is it supposed to do anything? Oh no no no, this is just gonna automatically run JavaScript in this setup, right, jsonp. "That is not a function." Yeah. Can you do the display? Yes. Oh okay, so that callback, I am... now it triggered. So if I were to listen one more time, and if the bot were to go ahead and do this kind of on its own, this would be back at the home page. Let's add a JavaScript syntax there and then add alert, no, display. If I do that, does it go ahead and do that? No. How is it going to end up triggering that cross-site scripting if I do a script? Oh wait a second, could I use an iframe to trigger it? Like if I had an iframe that would reach back out to localhost on itself (that's whack) and then go to list and add callback to equal javascript... oh gosh, window.location. That needs to be URL encoded. Let's URL encode that real quick. I'm going to import urllib, urllib.parse.quote of equals http://localhost:9000.

[Laughter] All right, so we got that magic string. Do it. No. Oh, but it's in an iframe. If it's in an iframe, what happens? Can I do it for like the object above it? No. Do I need to specifically tell it the link there? If we were to supply a complaint that would use an iframe to call back out to itself, accessing list with the callback object in there, how is that wrong? Wait a second, do I have a stinking... crap, no, I didn't even encode this with quotes. How about that? I just added a single quote surrounding it, so the 3D should now still have single quotes. Are we already inside? We're not inside single quotes, are we? How about backticks? No. Oh, but hang on, maybe I need to do the parent, again, because I'm stuck, I'm stuck inside the iframe. No. Back to URL encoded single quotes, maybe, please. Nothing. How... oh wait, we need the display to run it. Yeah, I completely forgot about the stinking, the stupid function that we needed to call it. It's like "oh, that's not a function," yeah, I know it's not a function. So now that gets a callback. Can I add in a cookie? c is going to equal, ending quote, add document.cookie. Shoot, shoot, I wasn't listening, I wasn't ready, I wasn't ready. Send it again. I'm off... stuff up. What did I do wrong? http://localhost:9000, ending single quote, adding document.cookie. That sends it to c equals, but can I have JavaScript evaluate something inside that string? I wanted a dollar sign in there. Did I not put a dollar sign? Oh gosh, this is getting hard to read and see. So let's try the dollar sign to specify a variable to be included in the string. So if I submit that, document.cookie... no. Why did it not add it in? Why did that not work when we would add it in? Oh, the plus sign needs to be... stupid. Does the plus sign need to be quoted? That makes sense. No. Why though? Quote plus is a thing. No. Why doesn't that evaluate when we use it in the dollar sign? Because the dollar sign syntax is supposed to allow me to dollar sign document.cookie.

Unless... should it be like window.cookie, is that a thing? I don't think that's a thing. No, and it's still not actually evaluating it. What if we tried to base64 encode it? I should probably set this on like -k so that it can keep receiving requests. That doesn't... does that need to be URL encoded, maybe? That does document.cookie, it's still the same stinking thing. "JavaScript variable inside of string, how to interpolate variables," template literals, I'm literally doing that. Oh no, they have to be in the backticks. Are you serious? That's how that works. Almost. Okay, I'm truly sorry. So will this payload work remotely? Let me take note of this, let me take note of this payload here. What's the name of this challenge? Alien Complaint Form. Let's make a stupid notes.md, and then this payload is kind of what we need, but we'll have to call back to ourselves on ngrok. So let's listen on 9000 again, and then let's do an ngrok http. Okay, so now that ngrok is cruising, we can modify the payload, not going to port 9000 and going to localhost, but going to that IP address, and then we want to give that to the actual target. So let's start listening, which we are; slap in this payload, which uses an iframe to call out to localhost list, invoke cross-site scripting with the callback function, or little query there, use window.parent to escape out of the iframe and drive the original browser over to our ngrok, with the dollar sign syntax with templating, apparently, in the backtick string, and the display to do it. So if I hit go here, we get the callback, and there is our flaggy waggy. All right, this one took a lot out of me, I'm not gonna lie. What... nice. So does that make sense to you? Like, it makes sense to me, but it's not intuitive. We saw that list was the field that we could access locally, and the reason that we were able to track it down was because we were able to spin this thing up locally and just test that.

And it's cross-site scripting, just a little nested. So there's that, and the display function, I guess, was something that would genuinely call it. Is that legitimately a JavaScript thing? No, is that just defined? Yeah, it's a function call. Now I understand: display was the function that would just run that out on the page. Holy goodness, holy cow. That's our payload though, that's it. That's enough of me yapping. I didn't mean to carry on with that any more than I needed to, because I know that was painful to watch; it was painful to do, guys. So hey, let's go ahead and grab that flag, let's go ahead and submit that thing, and let's call it a day, you think? Alien Complaint Form, dude, dunzo. Okay, nice. That was rough, but hey, maybe a learning thing. I will never forget now that you absolutely have to use the backticks for that kind of string if you are going to do that little template interpolation thing with variables. I'll never get that out of my mind anymore. I say that now, but I'm sure in the future when I do a video on something like this I'll fail again. Thank you so, so much for watching, everybody. Thanks for tuning in to this video. I hope you had some fun. I didn't mean to be struggling as much as I did, but hopefully that still makes it an entertaining video, and maybe you get to learn something new out of it just as well. So I think that's it. We've been going for a while, but I hope that there was some quality content in that. Thank you so, so much for watching again. As always, thank you to Hack The Box for letting me crank on some of these and get some content and video out for you. But hey, thanks. Please do those YouTube algorithm things: like the video, comment, subscribe, hit the bell, other numbers and statements. Thank you again and again, everybody. I love you. I'll see you next video. Bye now.
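The root cause in the walkthrough above is the jsonp route pasting the `callback` query value straight into a script body, while `/list` only checks the source IP, which the bot satisfies because it browses from localhost. As an added example (not the challenge's own code), here is that handler reduced to a pure function beside a hardened version that only accepts a plain identifier as the callback and escapes the JSON it embeds; the function names, the identifier regex and the sample rows are assumptions.

```javascript
// Added example, not the challenge's code. Pure functions so the behaviour
// can be checked offline without Express, SQLite or Puppeteer.
const CALLBACK_DEFAULT = "display";
// Assumption: a JSONP callback only ever needs to be a single identifier.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Constructed sample rows standing in for the feedback table.
const SAMPLE_FEEDBACK = [
  { id: 1, complaint: "Someone ate my intergalactic donut" },
];

// Vulnerable shape, as described in the video: whatever arrives in
// ?callback= (default "display") is concatenated into the returned script,
// so the parameter is an injection point for anything loading the page.
function renderJsonpUnsafe(callback, feedback) {
  const name = callback || CALLBACK_DEFAULT;
  return `let feedback = ${JSON.stringify(feedback)}; ${name}(feedback);`;
}

// Hardened shape: refuse anything that is not a bare identifier (the caller
// should answer 400 instead of emitting a script), and neutralise characters
// that can break out of the script context even inside valid JSON.
function isSafeCallback(name) {
  return CALLBACK_RE.test(name);
}

function renderJsonpSafe(callback, feedback) {
  const name = callback || CALLBACK_DEFAULT;
  if (!isSafeCallback(name)) {
    return null;
  }
  const json = JSON.stringify(feedback)
    .replace(/</g, "\\u003c")        // blocks "</script>" inside a row
    .replace(/\u2028/g, "\\u2028")   // JS line terminators not valid in JSON
    .replace(/\u2029/g, "\\u2029");
  return `let feedback = ${json}; ${name}(feedback);`;
}

// Demonstration: a callback carrying extra statements is accepted by the
// unsafe version and rejected by the hardened one.
console.log(renderJsonpUnsafe("alert(1);display", SAMPLE_FEEDBACK));
console.log(renderJsonpSafe("alert(1);display", SAMPLE_FEEDBACK)); // null
console.log(renderJsonpSafe("", SAMPLE_FEEDBACK));
```

Note that an IP check on `/list` does not protect the bot's cookies: the bot is the localhost client, and it renders whatever HTML was submitted, so the callback parameter has to be validated server-side.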
Info
Channel: John Hammond
Views: 61,136
Keywords: xss, cross site scripting, cross-site scripting
Id: NACzUg2z4aY
Length: 32min 2sec (1922 seconds)
Published: Mon May 17 2021