web

Gpnctf 2024

todo

Solved by : thewhiteh4t

  • when we submit html in the admin form input, the following flow is executed in the back-end :
/admin -> set flag cookie -> visit site -> fill our input in /chal input -> screenshot after delay
  • flow in /chal route :
CSP is set -> script.js is added to head tag -> our input is added
  • flow in /script.js route :
if the flag cookie matches -> fake flag is replaced with actual flag -> response is sent
  • so the actual flag is stored inside script.js
  • CSP :
default-src 'none'; script-src 'self' 'unsafe-inline';
  • we cannot load a js url like /script.js in src : connect-src is not present, so the default-src fallback is used, which is 'none', so the request is blocked
  • thanks to unsafe-inline we can execute js scripts
  • after looking into default-src bypass I found the following on HackTricks :

<form action="/script.js" id="plz">
    <button type="submit"></button>
</form>
<script>document.getElementById("plz").submit();</script>
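
Why the form submission is not stopped by this policy, as an added example (not code from the challenge or from HackTricks): a small resolver that reports which CSP directive governs a given request type. Fetch directives such as connect-src fall back to default-src, while form-action has no fallback, so it stays unrestricted unless it is set explicitly. The function names and the WITH_FORM_ACTION policy are constructed for illustration.

```javascript
// Added example: which directive of a CSP governs a given request type.
// Only directives that fall back directly to default-src are listed here
// (simplified: directives with intermediate fallbacks are omitted).
const FALLS_BACK_TO_DEFAULT = new Set([
  "connect-src", "script-src", "style-src", "img-src",
  "font-src", "media-src", "object-src", "manifest-src",
]);

// Parse a serialized policy into Map(directive name -> source expressions).
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return { directive, sources } governing `name`, or null if nothing does.
function governing(policy, name) {
  const d = parseCsp(policy);
  if (d.has(name)) return { directive: name, sources: d.get(name) };
  if (FALLS_BACK_TO_DEFAULT.has(name) && d.has("default-src")) {
    return { directive: "default-src", sources: d.get("default-src") };
  }
  return null; // form-action lands here: default-src does not cover it
}

function describe(policy, name) {
  const g = governing(policy, name);
  if (!g) return `${name}: unrestricted`;
  return `${name}: ${g.sources.join(" ")} (from ${g.directive})`;
}

// Policy from the write-up, and a constructed variant that sets form-action.
const CHALLENGE = "default-src 'none'; script-src 'self' 'unsafe-inline';";
const WITH_FORM_ACTION = CHALLENGE + " form-action 'none';";

for (const [label, policy] of [["challenge", CHALLENGE],
                               ["with form-action", WITH_FORM_ACTION]]) {
  console.log(label);
  for (const name of ["connect-src", "script-src", "form-action"]) {
    console.log("  " + describe(policy, name));
  }
}
```

When reviewing a policy that relies on default-src 'none', check form-action, base-uri and frame-ancestors separately, since none of them inherit from default-src.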

Published on : 02 Jun 2024