diff --git a/web-security/level-10/.config b/web-security/level-10/.config deleted file mode 100644 index f599e28..0000000 --- a/web-security/level-10/.config +++ /dev/null @@ -1 +0,0 @@ -10 diff --git a/web-security/level-10/DESCRIPTION.md b/web-security/level-10/DESCRIPTION.md new file mode 100644 index 0000000..f17fc9f --- /dev/null +++ b/web-security/level-10/DESCRIPTION.md @@ -0,0 +1,7 @@ +Actual XSS exploits try to achieve something more than `alert("PWNED")`. +A very common goal is to use the ability to execute JavaScript inside a victim's browser to initiate new HTTP requests masquerading as the victim. +This can be done in a number of ways, including using JavaScript's `fetch()` function. + +This challenge implements a more complex application, and you will need to retrieve the flag out of the `admin` user's unpublished draft post. +After XSS-injecting the `admin`, you must use the injection to make an HTTP request (as the `admin` user) to enable you to read the flag. +Good luck! diff --git a/web-security/level-10/run b/web-security/level-10/run deleted file mode 120000 index 84ba55b..0000000 --- a/web-security/level-10/run +++ /dev/null @@ -1 +0,0 @@ -../run \ No newline at end of file diff --git a/web-security/level-10/server b/web-security/level-10/server new file mode 100755 index 0000000..942c062 --- /dev/null +++ b/web-security/level-10/server @@ -0,0 +1,102 @@ +#!/opt/pwn.college/python + +import tempfile +import sqlite3 +import flask +import os + +app = flask.Flask(__name__) + +class TemporaryDB: + def __init__(self): + self.db_file = tempfile.NamedTemporaryFile("x", suffix=".db") + + def execute(self, sql, parameters=()): + connection = sqlite3.connect(self.db_file.name) + connection.row_factory = sqlite3.Row + cursor = connection.cursor() + result = cursor.execute(sql, parameters) + connection.commit() + return result + +flag = open("/flag").read().strip() if os.getuid() == 0 else "pwn.college{fake_flag}" + +db = TemporaryDB() +# https://www.sqlite.org/lang_createtable.html +db.execute("""CREATE TABLE IF NOT EXISTS posts AS SELECT ? AS content, "admin" AS author, FALSE AS published""", [flag]) +db.execute("""CREATE TABLE IF NOT EXISTS users AS SELECT "admin" AS username, ? as password""", [flag]) +# https://www.sqlite.org/lang_insert.html +db.execute("""INSERT INTO users SELECT "guest" as username, "password" as password""") +db.execute("""INSERT INTO users SELECT "hacker" as username, "1337" as password""") + +@app.route("/login", methods=["POST"]) +def challenge_login(): + username = flask.request.form.get("username") + password = flask.request.form.get("password") + if not username: + flask.abort(400, "Missing `username` form parameter") + if not password: + flask.abort(400, "Missing `password` form parameter") + + # https://www.sqlite.org/lang_select.html + user = db.execute("SELECT * FROM users WHERE username = ? AND password = ?", (username, password)).fetchone() + if not user: + flask.abort(403, "Invalid username or password") + + flask.session["username"] = username + return flask.redirect("/") + +@app.route("/draft", methods=["POST"]) +def challenge_draft(): + if "username" not in flask.session: + flask.abort(403, "Log in first!") + + content = flask.request.form.get("content", "") + # https://www.sqlite.org/lang_insert.html + db.execute( + "INSERT INTO posts (content, author, published) VALUES (?, ?, ?)", + (content, flask.session.get("username"), bool(flask.request.form.get("publish"))) + ) + return flask.redirect("/") + +@app.route("/publish", methods=["GET"]) +def challenge_publish(): + if "username" not in flask.session: + flask.abort(403, "Log in first!") + + # https://www.sqlite.org/lang_update.html + db.execute("UPDATE posts SET published = TRUE WHERE author = ?", [flask.session.get("username")]) + return flask.redirect("/") + +@app.route("/", methods=["GET"]) +def challenge_get(): + page = "\nWelcome to pwnpost, now with users!
\n" + username = flask.session.get("username", None) + if username: + page += """ +
+ Post: + Publish + +

Publish your drafts!
+ """ + + for post in db.execute("SELECT * FROM posts").fetchall(): + page += f"""

Author: {post["author"]}

""" + if post["published"]: + page += post["content"] + "
\n" + else: + page += f"""(Draft post, showing first 12 characters):
{post["content"][:12]}
""" + else: + page += """ +
+ Username: + Password: + +
+ """ + + return page + "" + +app.secret_key = os.urandom(8) +app.run("challenge.localhost", 8080 if os.geteuid() else 80) diff --git a/web-security/level-10/victim b/web-security/level-10/victim new file mode 100755 index 0000000..f90926f --- /dev/null +++ b/web-security/level-10/victim @@ -0,0 +1,72 @@ +#!/opt/pwn.college/python + +import contextlib +import urllib +import time +import sys +import os + +from selenium import webdriver +from selenium.webdriver.firefox.options import Options as FirefoxOptions +from selenium.webdriver.firefox.service import Service as FirefoxService +from selenium.webdriver.common.by import By +from selenium.webdriver.support.wait import WebDriverWait +from selenium.webdriver.support import expected_conditions as EC +from selenium.common.exceptions import TimeoutException, WebDriverException + +os.environ["PATH"] = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + +@contextlib.contextmanager +def run_browser(): + options = FirefoxOptions() + options.add_argument("--headless") + + # workaround for ubuntu + if os.path.exists("/snap/bin/geckodriver"): + service = FirefoxService(executable_path="/snap/bin/geckodriver", log_path="/dev/null") + else: + service = FirefoxService(log_path="/dev/null") + driver = webdriver.Firefox(service=service, options=options) + + try: + yield driver + finally: + driver.quit() + +if len(sys.argv) <= 1: + print(f"Usage: {sys.argv[0]} URL") + sys.exit(1) + +url = sys.argv[1] +url_parsed = urllib.parse.urlparse(url) +try: + assert url_parsed.hostname == "challenge.localhost", "hostname should be 'challenge.localhost'" + assert url_parsed.port in {None, 80, 8080}, "port should be 80 or 8080" +except AssertionError as e: + print(f"Invalid URL: {e}") + sys.exit(2) + + +print("Visiting the URL!") +with run_browser() as browser: + try: + browser.get(url) + print("URL loaded...") + + print("Logging in as admin...") + login = { "username": "admin", "password": open("/flag").read().strip() if url_parsed.port != 8080 else "pwn.college{fake_flag}" } + for name, value in login.items(): + field = browser.find_element(By.NAME, name) + field.send_keys(value) + submit_field = browser.find_element(By.NAME, "submit") + submit_field.submit() + + WebDriverWait(browser, 10).until(EC.staleness_of(submit_field)) + time.sleep(3) + print("Visited! Go check if the attack worked!") + except WebDriverException as e: + if "can%E2%80%99t%20establish%20a%20connection" in str(e): + print("Connection error! Is the service running?") + else: + print(f"Failure: {e}...") + sys.exit(4) diff --git a/web-security/module.yml b/web-security/module.yml index 821fd2d..9a363e7 100644 --- a/web-security/module.yml +++ b/web-security/module.yml @@ -40,7 +40,6 @@ challenges: name: XSS 4 - id: level-10 name: XSS 5 - description: Exploit a cross site scripting vulnerability to cause a user action - id: level-11 name: SSRF 1 description: Exploit a cross site request forgery vulnerability