adCTF2014 Writeup

December 2nd: Alert Man

Category

Web

Hint

Can you alert('XSS')?

Challenge

weblink: http://adctf2014.katsudon.org/dat/AlSDUDdTMssNKajr/alert_man.html

This leads to a page where the user can enter text in a box; each submitted text is appended as an item to a list on the screen.

Source

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title>alert man</title>
</head>
<body>
    <h1>alert man</h1>
    <form id="form">
        <input type="text" id="text" />
        <input type="submit" value="tweet" />
    </form>
    <p>Your tweet:</p>
    <ul id="tweets"></ul>
    <script>
function appendTweet(tweet) {
    t = tweet.replace(/['"]/g, '');
    li = document.createElement('li');
    li.innerHTML = t;
    document.getElementById('tweets').appendChild(li);
};
appendTweet('here is your tweet!');
_='var :=["HVHD>B>D91LI01ZDS7$LVDB0*89V0D&6Z4I4*H3#NDB31&49&15&2&W9&3&9492832W5??5613W780D$S5HC7*4BB33*674DE798SCY3BSCFYD#DBOPQ@X969963O6667@4A782/0C@/85QOM71Q%X53@TE141375H0833O4@DA5/39E%G84GDGC2N83%@7C78XA%X%TDG381%G3T4081PP447/6M0!9!70!29!1!4C27%PQ13"];eval(function (UJ2J3J4J5J6){while(3--){if(<{U=U[	6]]( new RegExp(	4]+3+	4],	5]),<KK;return UK(	0],10,49,	3][	2]](	1])));\\x500N53_0x3268xC76	:[22B435C5I56NM9D84","E1!9#D6V0$7%2&*E.6/2:_0x2915<4[3])>0EM?7W8@9TFG4H0I9J,K;} L.2M8N7O3P0QCS$TAU1VW5X6YE$ZI.';for(Y in $='ZYXWVUTSQPONMLKJIHGA@?><:/.*&%$#!	')with(_.split($[Y]))_=join(pop());eval(_);
document.getElementById('form').onsubmit = function() {
    tweet = document.getElementById('text').value;
    appendTweet(tweet);
    return false;
};
    </script>
</body>
</html>

Solution

It appears we need to inject an alert('XSS') statement.

We can trigger a simple alert by entering

<img src=/ onerror=alert(1)>

Quotes are stripped by the replace() call in appendTweet, but since the result is inserted with innerHTML, the HTML parser decodes character references, so an encoded quote (&#39;) survives the filter and is turned back into a real quote:

<img src=/ onerror=alert(&#39;XSS&#39;)>

A new tweet will appear in the list:

the flag is: ADCTF_I_4M_4l3Rt_M4n
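To make the root cause concrete, here is an added example (my own code, not part of the challenge or the original writeup) that models the challenge's quote-stripping filter outside a browser, shows what the HTML parser does with the numeric character references once the string reaches innerHTML, and contrasts the filter with proper HTML escaping. The helper names (stripQuotes, decodeNumericRefs, escapeHtml, containsTag) are mine; the two sample inputs are the payloads quoted above.

```javascript
// Added example, not code from the challenge page. Models the filter in
// appendTweet() and contrasts it with output encoding.

// The challenge's filter: remove single and double quotes, nothing else.
function stripQuotes(tweet) {
  return tweet.replace(/['"]/g, '');
}

// What the browser's HTML parser does with numeric character references
// inside an attribute value after innerHTML assignment: &#39; becomes an
// apostrophe. Minimal decoder for decimal and hex references only; named
// references are out of scope for this illustration.
function decodeNumericRefs(s) {
  return s.replace(/&#([xX][0-9a-fA-F]+|\d+);/g, (match, code) => {
    const cp = (code[0] === 'x' || code[0] === 'X')
      ? parseInt(code.slice(1), 16)
      : parseInt(code, 10);
    return String.fromCodePoint(cp);
  });
}

// The defensive alternative: encode every character that is significant to
// the HTML parser, so user text can never open a tag or an attribute.
// (& must be encoded too, otherwise existing references pass through.)
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Crude check: would this markup, as written, start an element?
function containsTag(html) {
  return /<[a-zA-Z]/.test(html);
}

// Constructed sample inputs: the two payloads from the writeup above.
const quotedPayload  = "<img src=/ onerror=alert('XSS')>";
const entityPayload  = "<img src=/ onerror=alert(&#39;XSS&#39;)>";

// Runs the filter and the encoder over both inputs and returns every
// intermediate value so the difference is visible.
function demo() {
  return {
    // The filter removes literal quotes...
    filteredQuoted: stripQuotes(quotedPayload),
    // ...but leaves the entity-encoded form untouched...
    filteredEntity: stripQuotes(entityPayload),
    // ...and the parser restores the quotes before the handler runs.
    parserView: decodeNumericRefs(stripQuotes(entityPayload)),
    // Output encoding turns the same input into inert text.
    escapedEntity: escapeHtml(entityPayload),
  };
}

console.log(demo());
```

The point the output makes: stripQuotes() does not change the entity-encoded payload at all, and decodeNumericRefs() shows the string the browser actually executes. escapeHtml() neutralises both the tag brackets and the ampersands, so nothing the user typed can be interpreted as markup. In the page itself the equivalent fix is simply `li.textContent = t` instead of `li.innerHTML = t`, which never parses the input as HTML.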

Flag

ADCTF_I_4M_4l3Rt_M4n