# QUICK START - Flag 1 Remote Exploit ## Step-by-Step Guide ### Option 1: Using webhook.site (Easiest) 1. **Get a webhook URL**: - Go to https://webhook.site - Copy your unique URL (looks like: `https://webhook.site/abc-123-def`) 2. **Run the exploit**: ```bash python exploit_remote.py ``` 3. **Enter your webhook URL** when prompted 4. **Choose a payload** (try option 1 first: `mxss1`) 5. **Check webhook.site** - you should see an incoming request with the cookie 6. **Decode the JWT**: ```bash python decode_jwt.py ``` ### Option 2: Using ngrok (If you want your own server) 1. **Terminal 1 - Start webhook server**: ```bash python webhook_server.py 8080 ``` 2. **Terminal 2 - Start ngrok**: ```bash ngrok http 8080 ``` 3. **Copy the ngrok HTTPS URL** (e.g., `https://abc123.ngrok.io`) 4. **Terminal 3 - Run exploit**: ```bash python exploit_remote.py ``` - Enter your ngrok URL when prompted - Choose a payload 5. **Watch Terminal 1** for the incoming cookie (it will auto-decode!) ### Option 3: Try all payloads If the first payload doesn't work: ```bash python exploit_remote.py # Choose option 10 "all" ``` This will try all bypass techniques sequentially. ## What's Happening? 1. **Registration**: Script creates an account on the remote server 2. **Payload**: Sends a malicious message to admin with XSS payload 3. **Bot Trigger**: Triggers the admin bot to visit `/inbox` 4. **Bot Sequence**: - Bot logs in as admin - Bot visits `/flag` → flag stored in JWT cookie - Bot visits `/inbox` → sees your malicious message - DOMPurify tries to sanitize but we bypass it - XSS executes → redirects to your webhook with cookie 5. **Exfiltration**: Your webhook receives the session cookie 6. **Decode**: Extract the flag from the JWT ## Expected Result Your webhook will receive a request like: ``` GET /?flag=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIiwiaWF0IjoxNzM2NDY... ``` The JWT payload contains: ```json { "sub": "1", "iat": 1736460000, "exp": 1736467200, "flag": "uoftctf{...}" } ``` ## Troubleshooting ### No request received? 1. **Check webhook URL** - Make sure it's HTTPS and publicly accessible 2. **Try different payload** - Some might work better than others 3. **Wait longer** - Bot takes 10-15 seconds to complete 4. **Check for errors** - Look at the script output ### Bot trigger failed? 1. **URL must be localhost** - The bot only accepts `http://127.0.0.1:5000/*` URLs 2. **Server might be rate-limiting** - Wait a bit between attempts 3. **Try registering a new account** - In case your account is blocked ### Payload blocked? The challenge uses DOMPurify 3.3.1 which is very robust. You might need: - A specific mXSS technique - Multiple attempts with different payloads - Research latest DOMPurify bypasses ## Files Created - `exploit_remote.py` - Main exploit script for remote server - `webhook_server.py` - Local server to receive cookies (optional) - `decode_jwt.py` - Decode JWT tokens to extract flag - `QUICKSTART.md` - This guide ## Commands Cheat Sheet ```bash # Quick exploit with webhook.site python exploit_remote.py # Run local webhook server python webhook_server.py # In another terminal, expose it with ngrok ngrok http 8080 # Decode a captured JWT python decode_jwt.py eyJhbGci... # Try all payloads python exploit_remote.py # Choose: 10 ``` ## Success Indicators ✅ "Successfully registered!" - Account created ✅ "Message sent!" - Payload delivered to admin ✅ "Bot triggered successfully!" - Bot is running ✅ Request appears in webhook - Exfiltration worked ✅ Flag extracted from JWT - You got it! Good luck! 🚩