Grey Cat CTF 2024 (web challs)

Table of contents

  • Baby Web (Flask session cookie)

  • Markdown Parser (XSS in markdown)

  • Greyctf Survey (parseInt issues)

  • Beautiful Styles (CSS Injection)

  • Fearless Concurrency

  • No SQL Injection

Baby Web (Flask session cookie)

The web app is written in Flask. Check the session cookie:

flask-unsign --decode --cookie 'eyJpc19hZG1pbiI6ZmFsc2V9.ZiNV-w.Umcx64Jf6IYqXHUDpmtp3GZPSYs'

The secret key is given in plaintext in the source code. Flip is_admin to True and forge a Flask session cookie:

View source code:

Visit the /flag route and get the flag.

Markdown Parser (XSS in markdown)

XSS injection point:

Test XSS in the language field:

This works since the payload is rendered as the following HTML code:

See if we can trigger without using any attribute:

It is possible to steal the admin's cookie because the HttpOnly flag is set to false, so document.cookie can read it:

Use a webhook to receive it:

https://webhook.site/

Upgrade the payload to steal the admin's cookie:

This payload makes the admin's browser send a GET request carrying document.cookie to our webhook when the admin views the page.

Inject the payload and get the flag.

Greyctf Survey (parseInt issues)

Soft spot:

vote must have type 'number' and lie between -1 and 1. Our goal is to get:

The problem is that parseInt() is designed to parse strings, not numbers. When you feed it a number, it first converts that number to a string, which can trigger weird behaviour:

So parseInt() coerces its argument with String() because we supplied a number. For something like 0.09 that string is "0.09", and it is evaluated as 0 because parsing stops at the first character that is not a digit. But if we provide a value with enough leading zeros, like 0.00000009, JavaScript's number-to-string conversion switches to exponential notation and produces "9e-8", which parseInt() reads as 9. That breaks the assumption behind the range check: the check sees a number between -1 and 1, while the value actually added is 9.
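Added example, not the challenge code: a reconstruction of the shape of check the write-up describes (typeof 'number' plus a -1..1 range check, then parseInt on the value), the coercion that makes it bypassable, a search over the accepted range for the most damaging vote, and a hardened version. The vulnerableVote/hardenedVote functions and the inclusive bounds are assumptions made for the demonstration.

```javascript
// Added example: the parseInt() coercion bypass and its fix.

// Assumed shape of the vulnerable handler: the checks pass for any number in
// [-1, 1], but the value actually applied goes through parseInt().
function vulnerableVote(score, vote) {
  if (typeof vote !== 'number' || vote < -1 || vote > 1) {
    throw new Error('invalid vote');
  }
  // parseInt coerces with String(); for |vote| < 1e-6 the string is in
  // exponential notation ("9e-8"), and parseInt keeps the leading digits only.
  return score + parseInt(vote);
}

// What the range check sees versus what parseInt() returns for a given vote
function coercion(vote) {
  return { asString: String(vote), parsed: parseInt(vote) };
}

// Search the accepted range for the vote that moves the score the most.
// Votes are built from string literals so each is exactly m * 10^-e.
function bestBypass() {
  let best = { vote: 0, delta: 0 };
  for (let exp = 1; exp <= 12; exp++) {
    for (let mantissa = 1; mantissa <= 9; mantissa++) {
      const vote = Number(`${mantissa}e-${exp}`);
      const delta = parseInt(vote);           // 0 while String(vote) is "0.0...", 1..9 once it becomes "me-e"
      if (delta > best.delta) best = { vote, delta };
    }
  }
  return best;
}

// Hardened handler: require an actual integer and never coerce through strings
function hardenedVote(score, vote) {
  if (!Number.isInteger(vote) || vote < -1 || vote > 1) {
    throw new Error('invalid vote');
  }
  return score + vote;
}

console.log(coercion(0.09), coercion(0.00000009));
console.log('vulnerable:', vulnerableVote(0, 0.00000009), 'best:', bestBypass());
```

The general rule behind the search: Number-to-string conversion in JavaScript uses exponential notation once the value is below 1e-6, so any vote in (0, 1e-6) with a leading digit of 9 yields parseInt() === 9, and the negative counterpart yields -9.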

Beautiful Styles (CSS injection)

Fearless Concurrency

No SQL Injection
