Hey, what's up everybody, John Hammond coming back at you with a couple more videos for the Junior CTF capture-the-flag competition. I'm recording this one separately from the other videos I had been recording. It's been a few hours, and I managed to solve a few more challenges, so up on the scoreboard I'm back in the top 10, tied with the open-to-all teams. That's kind of nice, and ahead of one of our rival teams, so that's good stuff and good news.

Anyway, I want to showcase some of the new challenges that I solved, and here we'll move along. I want to show off the Hacker's Blog. It's a 500-point web challenge. The description, the challenge prompt, is: "Hey stranger, I need your help... I'm trying to hack this blogger's website, but I can't. I believe you're so good at it, take a look," and you've got to be using the VPN to do this. The VPN is another challenge that I don't have a video for yet, but it's not very hard to showcase. I'll go ahead and get there: Junior CTF, it's in the team section, and then we have all of our things, so you can just `sudo openvpn` to get the VPN running. Once the VPN has a connection set up, we should be able to actually access that web page. So I just used OpenVPN to do that, and now I can access these pages.

So here's the Hacker's Blog, and it's all in Russian. I do not speak Russian, nor can I read the language or anything like that, so this is kind of a difficult challenge for me to solve. Big credit and kudos go out to some of the friends and individuals I talked this challenge through with. I looked at some of these pages and tried to look around to see what all these things were. It looks like a bunch of posts, I'm assuming, because it's a blog. So I can Ctrl+U and view the source. I don't see a whole lot of interesting things in here initially; I'm seeing how they're stretching the background image.
This all looks like regular HTML, so nothing particularly interesting there. Some of the Russian text I can translate if I need to, and I see "password" here, so I thought that was interesting. I selected that and translated it, which you can do too; it's just a Google search to Google Translate. But it's just about, okay, people using default passwords on routers and stuff like that. So a red herring. And other posts and other stuff.

I noticed each of these posts has a specific ID, so if you go to one of them, it's `id=5` or `id=0` up in the URL, like the GET parameter you pass through it. If you try and give it an ID number that doesn't actually exist, like zero or 99, it just redirects you back to the home page, so nothing really interesting there. But I kept viewing the source, and I saw an interesting thing here: you can comment on these posts. You can give it a name, I'm assuming a name based off this, and a text. So I thought that was interesting. I didn't initially play with it a whole lot until I went back to it later on, but I'll try and talk more about my thought process when I was going through it, because I looked through all these posts, all these messages that people have been posting.

And at the very end of the page that I was on, as well as the home page, it looks like all of them, because of the footer, have this HTML comment that says "secret admin panel", and this is very clearly Base64 with the trailing equals sign. So I copied that and just took a look at it. We get a prompt that we can look at, so I echoed that into `base64` to decode it, and it gave us the IP address with a new page, admin 64 641 blah blah blah. So I copied that and went to the page, and there's some Russian text.
I didn't know what it was, so I Google Translated it. Okay, so it says "Invalid username and password, access is denied," but I didn't at any point enter a username and a password. So I was like, what the heck, how do I get into this web page? I tried passing around username and password variables in the GET HTTP variables. I even tried doing it with curl; I would just try to send POST data with the `-d` flag and send the username and password that way. That didn't get me anywhere. I saw those numbers were weird, so I even tried to find an `admin.php` page, which is a thing. I tried Google Translating this too, but I couldn't get any actual output when I googled this. I did just google that text itself, I think, earlier, and I ended up seeing some GitHub thing that was defining this as the error message for authentication not found, or bad username and password. I saw that in GitHub for some PHP stuff where you define the other language, but again, that was just a red herring.

So what I eventually ended up doing was testing around with those input boxes, those messages you could post, those comments you could leave on some of the posts here. What you come to find out is once you leave a message here, if you post it, the message that you receive actually tells you, "Hey, please wait for an admin to review your message." This Russian text here, if you check that out in the translator: "Please wait until an administrator approves your message." So that gets me thinking: okay, can I do some cross-site scripting, XSS?
So if the admin views the message, if the admin looks at it, I wonder, can I steal the admin's cookie and that kind of setup, to be able to see if the admin cookie has any valuable information, like a flag or credentials that I might be able to give to the admin page? Because I apparently need to be able to give credentials to the admin page. So that was the idea, the plan of attack, and I'll showcase it to you and what I ended up doing here, because I have a cookie catcher set up. If you don't have one set up for yourself, you should for some CTF challenges, and I'll show you how I have mine set up. It's on a domain that I own, a website that I own, just called my name, like johnhammon.org, and there's nothing on the page. It literally just says, "Oh, hello there." But it is a PHP page that grabs your cookie and stores it in another page called cookies.html. So it grabs an IP address and the cookie, and I tried to get date and time and the website referrer, but I actually think I just left those blank. So there's a bunch of things you can scroll through, as you can see, how people, or bots, try to look at my domain and do interesting things. I saw I have some interesting results, like "pizza imperial", and I think there's another imperial one. Yeah, "burger imperial", so those are funny. And there are a lot of these results from different IP addresses. So you'll see interesting things, I guess, when you set up a cookie catcher like that, to see bots scanning your domain. Anyway, I want to show you how this is done, so I'll move over to that box. This is just a GoDaddy domain that I own; it's a regular web server.
So I have the index.php, which actually is the cookie catcher. What it does is it grabs an HTTP variable, the cookie in this case; it tries to grab an IP address from the PHP server variables, and the referer and stuff like that; and it opens up that cookies.html file and writes to it, with the IP, then the cookie, and all that stuff, all in HTML. I close it, and then it just displays on the screen, "Hello there." So it doesn't do much of anything, and the commented lines aren't necessary. See, I don't have the date; I just have a period here, so those aren't really necessary. All we're interested in is the cookie, and that's just how we get it: I just pass it in as a GET variable when I do my cross-site scripting. But that's how it's done, that's how I receive it, and it's added to a log, that cookies.html file.

So when it comes to the actual injection, which I have a note of here in my cookie-catch JavaScript file, I'll showcase it for you. The syntax that I actually end up using for the JavaScript cross-site scripting is just a regular `document.location` to redirect them, and I pass in the HTTP GET request variable, `cookie` in this case, and I have it `escape()` their actual `document.cookie`. So if an administrator, or a bot, or an automated administrator, or whatever the case may be for the challenge purposes, goes to this web page, they are all of a sudden injected with my cross-site scripting JavaScript, and I redirect them to my domain and have them pass in their cookie. I can see it, I can log it.

Now, I saw in the Telegram chat, in the conversations for the CTF, the IRC-channel equivalent, that the hint they released for this Hacker's Blog challenge is that redirection is not allowed. They've blocked redirection.
So this `document.location` syntax in JavaScript wouldn't work for me. So, with a little bit of research, I talked with some friends and we got this idea and solution: you actually create a new Image and set up the source for it, and that should be able to get the actual `document.cookie`. It just encodes it the same way I think I do with `escape()`; I don't know the difference between those two functions, admittedly. But this is what we ended up rolling with if redirection is not allowed. So this is our XSS, our JavaScript we can inject and place in our comment, assuming that it will actually read the HTML and interpret it in the wrong way, so they get redirected to our web page and our cookie catcher. You can set one up very easily if you wanted to, again with this code, or by just googling cookie catchers and knowing how to set them up, just going through some guides and some tutorials. They're cool, they're interesting. I think, yeah, this is even the exact code that I stole and copied.

All right, so let's do it. I want to showcase this for you guys. Let's say my name is John and I want to post this XSS payload. I can go ahead and submit this. Oh, did I get an error? Probably because it wants me to wait some time. Okay, yeah, I tried to comment again within the 10-minute delay, so because I posted that one earlier, it's not going to really let me do it or showcase it to you. But I still have the cookie and everything saved. So what happens is you would go ahead and submit that payload, the actual JavaScript XSS payload, and you would get the same response.
Hey, please wait for an administrator to actually look at this. And then you monitor and keep track of your log, which I suppose you could use mine for, even. At the very, very bottom I have this new cookie that I saw from a random IP address and an interesting website, but this one was new earlier today when I saw this challenge, and it has a login and a password for the cookie. So, awesome, we can just add these and create these now. We can go ahead and create these for the challenge, because it's just going to that admin page that we wanted. Was it 641 641? I don't remember what it was. Okay, thankfully I still have it. We can go to this page, and with our cookie we can go ahead and set these up in the cookie manager for Firefox. We'll search for this domain. Okay, it looks like I don't actually have one, so I'll have to add a new one. So we can say new cookie; I guess `password` is the name of it, right? We'll set the value in here; the domain should be this guy, and the path can be anywhere for the entire domain. And that will set up another cookie, which is what they said they wanted: `login=admin`. So `login` content can be `admin`, again for this domain, path of any type. We can save that. Now, ideally, we will get our flag when we refresh this or something, and we don't. Fail. So it doesn't seem to work well enough for me when I'm using the cookie manager; I don't know if I can get the domain or whatever right. So I actually just went ahead and did it with curl, and that seems to work just fine for us. If I just curl that address and pass in a cookie variable, now we can use what we're given, straight up, real easily, just copy it. Oh, I didn't mean to invoke Firebug there. Paste it in, and reload the page. Hey, we get a flag: "one true hackers elite xss", cross-site scripting.
So that's it. Using our cookie catcher and just passing in the cookie that we get from the admin that visits the page, we do get our flag, taking advantage of that admin page we saw earlier and taking advantage of the cross-site scripting that we found in the comments. So that's it; that's how you solve that challenge. It was a good challenge. I honestly struggled with it for a long while, because I wasn't convinced there was XSS, I wasn't convinced there was cross-site scripting in the comments, and I really didn't know what to do with that admin page, because I couldn't get a login, I couldn't give it credentials at all, at least seemingly. But we worked through it a little bit more and we ended up getting it. So awesome, awesome. Thanks for watching, guys. Hope you enjoyed this one. Pretty nifty, 500 points here, and I'll try and showcase some other cool challenges in a future video. So see you soon.