
Bakery

This was a web-based challenge featured in the KPMG Recruitment CTF 2023.

Date : 22 Dec 2023 Friday

Hey Hackers, I forgot to capture screenshots while I was solving the challenge, but I will provide as much context as possible to recreate the whole scenario in words.

  1. Background
  2. Recon
  3. Exploitation
  4. Conclusion

The KPMG team is expert at giving useless descriptions for the challenges, but still, according to the description:

This is KPMG Backery

Nmap

Running Nmap against the server showed, as expected, nothing interesting: only ports 80 and 443 were open.

Directory Busting - Gobuster

Nothing interesting was returned by Gobuster either, only the /js directory, which holds a single file with non-juicy information.

Analysing the Application

I tried to create a diagram so that it is easy to imagine the application.


  • There is a Clickable “Bakery” Button.
  • A Search Box.
  • An area where our searched query will be displayed.

Bakery Button

When we click on the button, it takes us to a page where two lines of code are revealed:

$pattern = "/script/i";
$payload = preg_replace($pattern, '', $payload);

From the above code we can easily understand that it is PHP code using the preg_replace function to replace the "script" keyword with an empty string ('').

Let's try entering the "script" keyword in the search box.

Yaah, our understanding was accurate: "script" is filtered.

As the application is filtering the "script" keyword, we will try to bypass it and execute an XSS attack.

In the exposed code the /i flag is used with the pattern, which means the application filters the word case-insensitively; in simple words, switching the word to upper or lower case will not work for us.

Test case

When I enter any word concatenated with the "script" keyword, the application only removes the "script" keyword and the rest of the word remains the same:

Example: scriptscri -> scri

I think you got the idea!!! YESS, we can just build a long word containing "script" concatenated with part of "script" itself. What I mean is:

  • script+scrip+script+t
  • So when the application filters the word, scriptscripscriptt becomes script (the removal is a single pass, so the leftover pieces join back together).
  • After further analysing the application I saw that there is not even a single cookie visible in the application.
  • So let's retrieve the cookie using the DOM.
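The following is an added example, not code from the original writeup or from the challenge. It reproduces the single-pass removal behaviour of preg_replace("/script/i", '', ...) with Python's re.sub (also single-pass and non-overlapping), shows why the nested word survives the filter, and contrasts it with what a defender should do instead: HTML-encode the search term for the output context. The probe string below is constructed for the demonstration.

```python
import html
import re

# Same rule as the challenge's preg_replace("/script/i", '', $payload):
# one pass, non-overlapping matches, case-insensitive.
SCRIPT_RE = re.compile(r"script", re.IGNORECASE)


def naive_filter(payload: str) -> str:
    """Mimics the challenge filter: remove every match in a single pass."""
    return SCRIPT_RE.sub("", payload)


def strip_until_stable(payload: str) -> str:
    """Repeat the removal until the string stops changing.

    This closes the nesting trick from the writeup, but it is still a
    keyword blacklist: other tags and event handlers are untouched.
    """
    while True:
        stripped = SCRIPT_RE.sub("", payload)
        if stripped == payload:
            return stripped
        payload = stripped


def safe_render(payload: str) -> str:
    """The fix a defender actually wants: encode for the HTML context
    instead of blacklisting words, so the browser never sees a live tag."""
    return html.escape(payload, quote=True)


if __name__ == "__main__":
    # Constructed sample input using the writeup's nested word.
    probe = "<scriptscripscriptt>alert(document.cookie)</scriptscripscriptt>"
    print(naive_filter(probe))        # one pass rejoins the pieces into a tag
    print(strip_until_stable(probe))  # no "script" substring survives
    print(safe_render(probe))         # angle brackets encoded, markup inert
```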

Payload : alert(document.cookie)

There is a cookie disclosing the path of a file, and upon accessing that file we got the flag.

In this writeup we saw how a blacklist built on the PHP preg_replace() function can be bypassed and an XSS attack executed.