Nullcon HackIM CTF 2013 – Web 100/200/400 Write ups

Web 100

Web 100 challenge was like a Stack Overflow clone:


The page had a link to getflag.php. When trying to access it we received the following message:

Your IP is not authorised to use this function.

That made us rembember a blog post named Anatomy of an Attack: How I Hacked StackOverflow, in which its author detailed how he has gained administrative access to the Stack Overflow site almost by error.

The key for this attack is to add an X-Forwarded-For: header to our HTTP requests with value That will make the website to erroneously think that we are accessing it from the localhost, thus gaining administrative access to the site.

After adding the X-Forwarded-For: header to our HTTP request for getflag.php, we got the flag, which was: DholuBholuareTWINS.



Web 200

This web application allowed us to post messages with a Title and a Description.
There was a table showing the Title and the Creator for every post in the webapp; the first post was created by admin and its Title was “flag”, so our quest is probably to retrieve its Description.
There also was a “View” column which included a link (only in posts that were created by us) that allowed us to view our own posts.


We just modified the post ID in a “View” link using Firebug in order to visualize the contents of the post with ID = 1, as shown in the screenshot above.

An alert() box appeared showing the flag for this challenge: ChutkiisVERYcute.



Web 400

After registering, this webapp offered us a simple interface to send messages to the administrator, who “checks his mails regularly”.


This web page also had a “Become Admin” page (set_admin.php), which allows the administrator to grant administrative privileges to any user of the system, and a “Get Flag” page (flag.php), which shows us the text “Only Admin user can see the flag.

Looks like we need to exploit a Cross-Site Request Forgery vulnerability by sending a specially crafted message to the administrator, which should force the administrator’s browser to give admin privileges to our user account.

But the form in the set_admin.php page is protected against CSRF with a token:

        <form action="set_admin.php" method="GET">
			<label for="pass">User</label> <input type="text" class="loginInput" AUTOCOMPLETE="off" size="20" name="user"><br />
			<input type="hidden" name="csrftoken" value="8e7d0684d55256968b06b33c02649d42" />
                        <p class="submit"><input type="submit" value="Set" name="Set"></p>

So an straight CSRF won’t work because of the secret anti-CSRF token; but we can easily bypass it if the web site is vulnerable to XSS.

It turns out that the web site was vulnerable to XSS in the “Subject” field of the messages we send to the administrator. So we can send him an XSS payload in the “Subject” field of our message, which will grab the “csrftoken” value from a form and then force the admin’s browser to give administrative permissions to our user account.

So this is the XSS payload we’ve included in the “Subject” field of a message (our username in this case was “pepe“):

<img src="" onerror="javascript:var all_inputs = document.getElementsByTagName('input'); var token = '';for(var i = 0; i < all_inputs.length; i++){if (all_inputs[i].name == 'csrftoken'){token = all_inputs[i].value;}}var iframe = document.createElement('iframe');iframe.src = '' + token + '&Set=Set';document.body.appendChild(iframe);"/>

After waiting a couple of minutes we visited the flag.php page again and the flag was there: BheemlikesLADDUSalot.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s