CTF-BR! – w2 – alert man (Day 2)

w2 – alert man (Day 2)

Posted 26 de dezembro de 2014

> ADCTF > ADCTF 2014 > w2 - alert man (Day 2)

Can you alert(‘XSS’)?

alert man

Solução

Well , a gente precisa dar um alert(“XSS”) pra conseguir a flag . o código-fonte da página é esse :

<title>alert man</title>


    
    <title>alert man</title>


    <h1>alert man</h1>
    <form id="form">
        
        
    </form>
    <p>Your tweet:</p>
    <ul id="tweets"></ul>
    
function appendTweet(tweet) {
    t = tweet.replace(/['"]/g, '');
    li = document.createElement('li');
    li.innerHTML = t;
    document.getElementById('tweets').appendChild(li);
};
appendTweet('here is your tweet!');
_='var :=["HVHD>B>D91LI01ZDS7$LVDB0*89V0D&6Z4I4*H3#NDB31&49&15&2&W9&3&9492832W5??5613W780D$S5HC7*4BB33*674DE798SCY3BSCFYD#DBOPQ@X969963O6667@4A782/0C@/85QOM71Q%X53@TE141375H0833O4@DA5/39E%G84GDGC2N83%@7C78XA%X%TDG381%G3T4081PP447/6M0!9!70!29!1!4C27%PQ13"];eval(function (UJ2J3J4J5J6){while(3--){if(<{U=U[	6]]( new RegExp(	4]+3+	4],	5]),<KK;return UK(	0],10,49,	3][	2]](	1])));\\x500N53_0x3268xC76	:[22B435C5I56NM9D84","E1!9#D6V0$7%2&*E.6/2:_0x29150EM?7W8@9TFG4H0I9J,K;} L.2M8N7O3P0QCS$TAU1VW5X6YE$ZI.';for(Y in $='ZYXWVUTSQPONMLKJIHGA@?><:/.*&%$#!	')with(_.split($[Y]))_=join(pop());eval(_);
document.getElementById('form').onsubmit = function() {
    tweet = document.getElementById('text').value;
    appendTweet(tweet);
    return false;
};

<title>alert man</title>

<h1>alert man</h1>

</form>

<p>Your tweet:</p>

function appendTweet(tweet) {

t = tweet.replace(/['"]/g, '');

li = document.createElement('li');

li.innerHTML = t;

document.getElementById('tweets').appendChild(li);

};

appendTweet('here is your tweet!');

_='var :=["HVHD>B>D91LI01ZDS7$LVDB0*89V0D&6Z4I4*H3#NDB31&49&15&2&W9&3&9492832W5??5613W780D$S5HC7*4BB33*674DE798SCY3BSCFYD#DBOPQ@X969963O6667@4A782/0C@/85QOM71Q%X53@TE141375H0833O4@DA5/39E%G84GDGC2N83%@7C78XA%X%TDG381%G3T4081PP447/6M0!9!70!29!1!4C27%PQ13"];eval(function (UJ2J3J4J5J6){while(3--){if(<{U=U[ 6]]( new RegExp( 4]+3+ 4], 5]),<KK;return UK( 0],10,49, 3][ 2]]( 1])));\\x500N53_0x3268xC76 :[22B435C5I56NM9D84","E1!9#D6V0$7%2&*E.6/2:_0x29150EM?7W8@9TFG4H0I9J,K;} L.2M8N7O3P0QCS$TAU1VW5X6YE$ZI.';for(Y in $='ZYXWVUTSQPONMLKJIHGA@?><:/.*&%$#! ')with(_.split($[Y]))_=join(pop());eval(_);

document.getElementById('form').onsubmit = function() {

tweet = document.getElementById('text').value;

appendTweet(tweet);

return false;

};

Eu não tava muito afim de testar um bucado de payload , então fui entender como ele me retornaria flag .
Tem esse variável maluca na linha 23 , no final dela ela chama um eval(_) . Indo no console e rodando esse eval() ele retorna :

function (text){if(!f)a(text);if(text==='XSS'){if(!f){f=1;window.setTimeout(function(){f=0},100);if(li)li.innerHTML=t}else{f=0;cs=[5010175210,5010175222,5010175227,5010175166,5010175224,5010175218,5010175231,5010175225,5010175166,5010175223,5010175213,5010175140,5010175166,5010175199,5010175194,5010175197,5010175178,5010175192,5010175169,5010175191,5010175169,5010175146,5010175187,5010175169,5010175146,5010175218,5010175149,5010175180,5010175210,5010175169,5010175187,5010175146,5010175216];t='';for(i=0;i<cs.length;i++){t+=String.fromCharCode(cs[i]^0x123456789+123456789)}appendTweet('<b>'+t+'</b>')}}else{f=0}}

function (text){if(!f)a(text);if(text==='XSS'){if(!f){f=1;window.setTimeout(function(){f=0},100);if(li)li.innerHTML=t}else{f=0;cs=[5010175210,5010175222,5010175227,5010175166,5010175224,5010175218,5010175231,5010175225,5010175166,5010175223,5010175213,5010175140,5010175166,5010175199,5010175194,5010175197,5010175178,5010175192,5010175169,5010175191,5010175169,5010175146,5010175187,5010175169,5010175146,5010175218,5010175149,5010175180,5010175210,5010175169,5010175187,5010175146,5010175216];t='';for(i=0;i<cs.length;i++){t+=String.fromCharCode(cs[i]^0x123456789+123456789)}appendTweet('<b>'+t+'</b>')}}else{f=0}}

Se a gente passar no http://jsbeautifier.org/ ele fica mais legível , assim :

function(text) {
    if (!f) a(text);
    if (text === 'XSS') {
        if (!f) {
            f = 1;
            window.setTimeout(function() {
                f = 0
            }, 100);
            if (li) li.innerHTML = t
        } else {
            f = 0;
            cs = [5010175210, 5010175222, 5010175227, 5010175166, 5010175224, 5010175218, 5010175231, 5010175225, 5010175166, 5010175223, 5010175213, 5010175140, 5010175166, 5010175199, 5010175194, 5010175197, 5010175178, 5010175192, 5010175169, 5010175191, 5010175169, 5010175146, 5010175187, 5010175169, 5010175146, 5010175218, 5010175149, 5010175180, 5010175210, 5010175169, 5010175187, 5010175146, 5010175216];
            t = '';
            for (i = 0; i < cs.length; i++) {
                t += String.fromCharCode(cs[i] ^ 0x123456789 + 123456789)
            }
            appendTweet('<b>' + t + '</b>')
        }
    } else {
        f = 0
    }
}

function(text) {

if (!f) a(text);

if (text === 'XSS') {

if (!f) {

f = 1;

window.setTimeout(function() {

f = 0

}, 100);

if (li) li.innerHTML = t

} else {

f = 0;

cs = [5010175210, 5010175222, 5010175227, 5010175166, 5010175224, 5010175218, 5010175231, 5010175225, 5010175166, 5010175223, 5010175213, 5010175140, 5010175166, 5010175199, 5010175194, 5010175197, 5010175178, 5010175192, 5010175169, 5010175191, 5010175169, 5010175146, 5010175187, 5010175169, 5010175146, 5010175218, 5010175149, 5010175180, 5010175210, 5010175169, 5010175187, 5010175146, 5010175216];

t = '';

for (i = 0; i < cs.length; i++) {

t += String.fromCharCode(cs[i] ^ 0x123456789 + 123456789)

}

appendTweet('<b>' + t + '</b>')

}

} else {

f = 0

}

Tem um bucado de ifs aí pra checar se você conseguiu o alert() , depois ele pega os números armazenados na var “cs” e faz umas operações e te retorna a flag . Só rodar o que estiver dentro do else da linha 10 no console e pegar o valor da variável “t” . Assim :

Flag

ADCTF_I_4M_4l3Rt_M4n

Criado por

Hu3BR

g3ol4d0 geolado