Description: On our corporate network, the only overflow is the Order of the Overflow.
Category: Web
Difficulty: Hard
Author: @AndrewFasano
Download: service/info.pac. Note: competitors should start with only this file, not the IP address of the webserver.
You can build and launch the Docker container with the following command. Instead of using info.pac, use service/local.pac and replace the url variable with the IP address of your Docker container.
docker build -t dc2019q:ooops ./service && docker run -it --rm -p 8080:8080 -p5000:5000 dc2019q:ooops
Spoilers below
The premise of this challenge is to leverage a bug in a proxy server to get a universal cross-site scripting bug which can then be used to access and exploit a target that would otherwise be unreachable.
- Deobfuscate the provided info.pac file
- Connect to the proxy with the credentials described in the comments of the deobfuscated info.pac
- Identify from an info.pac comment that any website with "overflow" in the URL is blocked
- Explore the proxy's "blocked" pages. Identify that they are served on all domains. Identify the universal XSS
- Request unblocking of a website. View the referrer link to identify that the requests are coming from an internal website (internal www/)
- Try to connect to the internal website; see the "local connections only" error
- Request unblocking of the internal website with the XSS and exfiltrate the page contents. Observe an obvious SQL query
- Request unblocking of the internal website with the XSS, using a malformed URL. Observe the SQL error and investigate SQL injection
- Request unblocking of the internal website with the XSS and SQLi; identify the flag table and its structure
- Using the UXSS and SQLi, leak the flag from the internal website's database
- The proxy doesn't actually support HTTPS