CyberTalents CTF: String Highlighter
Arabic version: https://root-x.dev/blog/article/string-highlighter-walkthrough
Challenge description
- Challenge name: String Highlighter
- Level: difficult
- Challenge link: https://cybertalents.com/challenges/web/string-highlighter
- Required: we need to get the flag, which is hidden somewhere in the clue
The beginning of the challenge
Start the challenge and open its link.
It is a web application that prints whatever the user writes in the HTML textarea. The user selects any color they want, and when they click the new Highlighter button the result is displayed under the word Preview.


Let’s take a look at the source code. There is nothing important in it apart from the JS code shown below.
The provided code is a JavaScript script that handles a click event on an element with the class “sub”. When the click event occurs, it retrieves the selected value from a dropdown list and the text entered in a textarea. It then combines the color and text values into a string called “stringToParse” in the format “color:text”.
After that, it sends a POST request to the current URL (empty string passed as the URL) with the data parameter “stp” set to the “stringToParse” value. The response from the server is handled in the callback function, which sets the HTML content of an element with the class “preview” to the received data.
<script type="text/javascript">
  $('.sub').on('click', function () {
    var color = $('select').val();
    var txt = $('textarea').val();
    var stringToParse = color + ':' + txt;
    $.post('', { stp: stringToParse }, function (data) {
      $('.preview').html(data);
    });
  });
</script>
Let’s try some things. For example, can we add an HTML tag?

This is good: nothing is filtered. The site may be vulnerable to XSS.
Let’s try it.

This is good, but the problem is that we want RCE. I tried to turn the XSS into RCE, but it did not work.
If you tried and it worked for you, show your method and share it with us.
Let’s try some other things.
We want to know what technologies the site uses.

This is good. The site works with JS, HTML, CSS and PHP.
How do we know that it works with PHP? I tried to open the index.php page and it returned the home page.
I tried a PHP tag, but the response was an internal server error.


Let’s work on the index page. Since this page is .php, the PHP tag is already included, so let’s try without it.
Now it prints nothing if that works

Let’s execute some commands on the system.

It looks like there is a check on the PHP code. I did some research on how to bypass this.


I found some interesting material on this blog:
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass
I tried a few different commands until this one worked.
Don’t forget to look at the blog.
`` (backticks) — Same as shell_exec()
echo `whoami`;

This works fine. Let’s see where the flag is.

Let’s read the contents of the file.
echo `cat flag_h@cked_pWn`;

Nice challenge. Please try it for yourself.
Don’t bother with the flag; think about how you can learn something new.
My LinkedIn profile: https://www.linkedin.com/in/myelliot/
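For the defensive side of what this walkthrough shows (HTML in the preview is not filtered, and PHP sent in the `stp` field runs on the server), here is an added example, not the challenge's own code, of a handler that treats `color:text` purely as data. The function name `render_highlight` and the color allowlist are assumptions, since the server-side source is not shown on the page.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the real <select> option values are not shown on the page.
const ALLOWED_COLORS = ['red', 'green', 'blue', 'yellow'];

/**
 * Turn the "color:text" string sent in the stp field into inert HTML.
 * The input is only ever parsed and escaped, never passed to eval(),
 * include or any other function that would run it as PHP.
 */
function render_highlight(string $stp): string
{
    // Split on the first ':' only, so colons inside the text survive.
    $parts = explode(':', $stp, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('expected "color:text"');
    }
    [$color, $text] = $parts;

    // Strict allowlist match: the color can never carry markup or CSS tricks.
    if (!in_array($color, ALLOWED_COLORS, true)) {
        throw new InvalidArgumentException('unknown color');
    }

    // Escape every HTML metacharacter so tags typed by the user are shown as text.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    return '<span style="color:' . $color . '">' . nl2br($safe, false) . '</span>';
}

// Constructed sample inputs, modelled on the steps of the walkthrough.
$samples = [
    'red:hello world',          // normal use
    'blue:<b>bold</b>',         // HTML tag: comes back escaped
    'green:echo `whoami`;',     // PHP from the walkthrough: stays plain text
    'purple:text',              // color outside the allowlist: rejected
    'no separator here',        // malformed input: rejected
];

foreach ($samples as $stp) {
    try {
        echo render_highlight($stp), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Because the text is never evaluated, there is no PHP code check left to bypass, and the escaped output is safe for the client script to place into `.preview`.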