The flag is set as an environment variable, and it is rendered in /panel only when the request carries an administrator's session.
So, in the end, getting the flag means logging in as the admin, and there is no way to obtain the admin's credentials in this challenge.
Let's think about what we do have. The admin bot visits the challenge server every 60 seconds, logs in, opens /panel, and stays on the page for 5 seconds. If there is an XSS vulnerability in /panel, we can steal the flag from the admin's browser during one of those visits.
The panel.pug template contains the same snippet as above: it loops over the received agents and writes each one into a td tag. There is no HTML entity escaping applied there, so an XSS payload placed in the hostname, platform, or arch value of an agent will be rendered as markup in /panel.
But we know the CSP of this service is applied as shown above. Since script-src is set to 'self', inline scripts are blocked, and only scripts loaded from the same origin will run. If this challenge's file upload can be used to store a JavaScript file that is served back from the same origin, we can bypass the CSP by uploading a poc file and referencing it with a script tag from the injected markup.
I tried uploading the poc.js file as above, but a strange 400 error occurred.
So I decided to analyze the file upload logic. File uploads are handled with the multer module.
```javascript
// buffer here is the hex-encoded content of the uploaded file
if (!buffer.match(/52494646[a-z0-9]{8}57415645/g)) {
  fs.unlinkSync(filepath);
  return res.sendStatus(400);
}
```
I was able to confirm that the above regular expression exists in the file upload router /agents/upload/:identifier/:token.
After reading the contents of the uploaded file and converting them to a hex string, the router checks whether that string contains a match for the regular expression; if not, the file is deleted and a 400 is returned.
This regular expression is a check for the signature of a WAV file. A WAV file starts with the RIFF/WAVE signature shown above: the ASCII bytes "RIFF" (52494646), four bytes of chunk size (which is why the regex accepts any eight hex characters), and then the ASCII bytes "WAVE" (57415645). Note that the regex is not anchored to the start of the file, so the twelve signature bytes only need to appear somewhere in the upload.
As above, when I inserted the WAV signature into the file and uploaded it, I could see that it worked normally.