templated exfil-cookie

pwncollege · Dec 25, 2024 · 6fa978c · 6fa978c
1 parent b394a9e
commit 6fa978c
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 14 deletions.
diff --git a/web-security/pwnshop.yml b/web-security/pwnshop.yml
@@ -38,3 +38,5 @@ challenges:
   challenge: XSSPublishGet
 - id: xss-rf-post
   challenge: XSSPublishPost
+- id: xss-exfil-cookie
+  challenge: XSSExfilCookie
diff --git a/web-security/xss-exfil-cookie/server b/web-security/xss-exfil-cookie/server
@@ -1,12 +1,17 @@
 #!/opt/pwn.college/python
 
-import tempfile
-import sqlite3
 import flask
 import os
 
 app = flask.Flask(__name__)
 
+
+flag = open("/flag").read().strip() if os.geteuid() == 0 else "pwn.college{fake_flag}"
+
+import sqlite3
+import tempfile
+
+
 class TemporaryDB:
     def __init__(self):
         self.db_file = tempfile.NamedTemporaryFile("x", suffix=".db")
@@ -19,16 +24,17 @@ class TemporaryDB:
         connection.commit()
         return result
 
-flag = open("/flag").read().strip() if os.geteuid() == 0 else "pwn.college{fake_flag}"
 
 db = TemporaryDB()
+
 # https://www.sqlite.org/lang_createtable.html
 db.execute("""CREATE TABLE posts AS SELECT ? AS content, "admin" AS author, FALSE AS published""", [flag])
 db.execute("""CREATE TABLE users AS SELECT "admin" AS username, ? as password""", [flag[-20:]])
 # https://www.sqlite.org/lang_insert.html
 db.execute("""INSERT INTO users SELECT "guest" as username, "password" as password""")
 db.execute("""INSERT INTO users SELECT "hacker" as username, "1337" as password""")
 
+
 @app.route("/login", methods=["POST"])
 def challenge_login():
     username = flask.request.form.get("username")
@@ -44,9 +50,10 @@ def challenge_login():
         flask.abort(403, "Invalid username or password")
 
     response = flask.redirect("/")
-    response.set_cookie('auth', username+"|"+password)
+    response.set_cookie("auth", username + "|" + password)
     return response
 
+
 @app.route("/draft", methods=["POST"])
 def challenge_draft():
     username, password = flask.request.cookies.get("auth", "|").split("|")
@@ -56,15 +63,15 @@ def challenge_draft():
 
     if username == "admin":
         flask.abort(400, "pwnpost no longer supports admin posting due to rampant flag disclosure")
-
     content = flask.request.form.get("content", "")
     # https://www.sqlite.org/lang_insert.html
     db.execute(
         "INSERT INTO posts (content, author, published) VALUES (?, ?, ?)",
-        (content, username, bool(flask.request.form.get("publish")))
+        (content, username, bool(flask.request.form.get("publish"))),
     )
     return flask.redirect("/")
 
+
 @app.route("/publish", methods=["POST"])
 def challenge_publish():
     username, password = flask.request.cookies.get("auth", "|").split("|")
@@ -74,11 +81,11 @@ def challenge_publish():
 
     if username == "admin":
         flask.abort(400, "pwnpost no longer supports admin posting due to rampant flag disclosure")
-
     # https://www.sqlite.org/lang_update.html
     db.execute("UPDATE posts SET published = TRUE WHERE author = ?", [username])
     return flask.redirect("/")
 
+
 @app.route("/", methods=["GET"])
 def challenge_get():
     page = "<html><body>\nWelcome to pwnpost, now with users!<hr>\n"
@@ -91,7 +98,8 @@ def challenge_get():
               <input type=checkbox name=publish>Publish
               <input type=submit value=Save>
             </form><br>
-            <form action=publish method=post><input type=submit value="Publish All Drafts"></form><hr>
+            <form action=publish method=post><input type=submit value="Publish All Drafts"></form>
+            <hr>
         """
 
         for post in db.execute("SELECT * FROM posts").fetchall():
@@ -113,6 +121,7 @@ def challenge_get():
 
     return page + "</body></html>"
 
+
 app.secret_key = os.urandom(8)
-app.config['SERVER_NAME'] = f"challenge.localhost:80"
+app.config["SERVER_NAME"] = f"challenge.localhost:80"
 app.run("challenge.localhost", 80)
diff --git a/web-security/xss-exfil-cookie/victim b/web-security/xss-exfil-cookie/victim
@@ -25,20 +25,19 @@ service = FirefoxService(log_path="/dev/null")
 browser = webdriver.Firefox(service=service, options=options)
 atexit.register(browser.quit)
 
-open_ports = { s.laddr.port for s in psutil.net_connections(kind="inet") if s.status == 'LISTEN' }
+open_ports = {s.laddr.port for s in psutil.net_connections(kind="inet") if s.status == "LISTEN"}
 if 80 not in open_ports:
     print("Service doesn't seem to be running?")
     sys.exit(1)
+
 challenge_url = "http://challenge.localhost:80/"
-flag = open("/flag").read().strip()
 
 print(f"Visiting {challenge_url}")
 browser.get(challenge_url)
 
-print("Logging in as admin...")
 browser.find_element(By.NAME, "username").send_keys("admin")
-browser.find_element(By.NAME, "password").send_keys(flag[-20:])
+browser.find_element(By.NAME, "password").send_keys(open("/flag").read().strip()[-20:])
 browser.find_element(By.NAME, "submit").submit()
 
-time.sleep(5)
+time.sleep(2)
 print("Visited! Go check if the attack worked!")