The m0leCon CTF Teaser took place this weekend. We played only very lightly, as most of the team was busy organizing the HackTM CTF 2023 Finals in Timișoara. I solved this challenge only, while taking a break from exam preparation :P

Description

I wrote a simple website with some linux command examples, I hope you’ll like it!

Author: @Giotino

Approach

When first looking at a web challenge, I like to first explore its functionality without looking at the source code. Just to see what it does. And get some ideas what may be interesting to dig in further.

I manage a few websites and domains with the hosting provider active24.cz, one time I decided to take a closer look at their security.

After a while of fiddling around I noticed a bunch of postMessages flowing between support.active24.cz and active24.cz origins every time the page was loaded, it was the live support chat system they were using. The main page was iframing https://support.active24.cz/scripts/generateWidget.php and then included a script to communicate with it, handing over information like user ID, if the user is logged in etc. and receiving events like if the chat is opened, active or so.

In the summer of 2020, I found a not-so-interesting but impactful XSS on the DuckDuckGo search engine. I looked into the security of their Cloud Save feature, which lets you have your preferences (colour scheme, styles etc.) saved and then restored in a privacy-friendly way using a passphrase. The passphrase gets hashed and is used as an API key to access them.

I enumerated all the possible options you can save in the preferences object and found two interesting ones. It soon turned out they were indeed vulnerable! You saved a simple DOM XSS payload via Cloud Save and when you tried to restore you got XSSed. And the best thing is… you got XSSed permanently because the malicious options were saved to your cookies and executed every time you opened the page.