Hack The Box – SpookTastic

SpookTastic is a very easy web challenge created by leanthedev on Hack The Box. It requires basic code review and XSS to complete. Hello world, welcome to haxez where today I will be trying to complete the SpookTastic web challenge. Fortunately, this time I was able to download the source code which made things a bit easier.

SpookTastic Application Enumeration

As with all application challenges, I fired up OWASP ZAP, opened Firefox and navigated to the application. I wasn’t sure what the function of the application was. It appeared to have a store where it sold a few products. Furthermore, there was also a register email option at the bottom of the page, which is where the vulnerability was. Other than that, there wasn’t much else. I ran an Ajax Spider and Active Scan, but they didn’t find much.


Source Code Review

I extracted the downloaded files and opened the app.py file. After reading through the file I noticed that the API register endpoint had an if statement in it pointing to a blacklist function. If the value submitted to the register input box didn’t pass the blacklist function then it wouldn’t work. I went hunting for the blacklist function and found that it checks whether the word script is included. It appeared to be some form of validation on the user input.


Exploiting SpookTastic

Please note that I was not able to complete this challenge in Firefox. For some reason, the popup box didn’t appear when submitting the correct payload. Anyway, in the code there is a function that spawns a window with the flag. I’m not 100% sure about the code that recognises the XSS, but that is something I will come back to in my own time. Anyway, in order to solve the challenge, you need to trigger an XSS pop-up without using the script tag. There are a few payloads that can do this, but I used the one below.

<img src=err onerror=alert('haxez')>

That created an alert and gave me the flag to solve the challenge.
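To make the protection mechanism from the code review and the bypass above concrete, here is an added Python example. It is not the challenge’s own app.py (the post does not reproduce that code); the blacklist function is my assumed reconstruction of the description (reject any value containing the word script), and the unsafe/safe rendering functions, the TagCounter helper and the sample inputs are all constructed for this illustration. Running it shows the blacklist passing the img payload while a rendering path that HTML-encodes the value leaves no injected element at all, which is the fix a defender would want instead of a longer word list.

```python
import html
from html.parser import HTMLParser


def blacklist(value: str) -> bool:
    """Assumed reconstruction of the challenge's check: True means the
    input is rejected because it contains the word 'script'.
    Case-insensitive matching is my assumption; the post only says the
    function checks whether the word is included."""
    return "script" in value.lower()


def render_unsafe(value: str) -> str:
    """Vulnerable pattern: raw user input interpolated into HTML."""
    return f"<p>Registered: {value}</p>"


def render_safe(value: str) -> str:
    """Hardened pattern (not from the challenge): encode for the HTML
    text context instead of trying to enumerate dangerous substrings.
    quote=True also encodes ' and " so the value stays inert inside
    attributes too."""
    return f"<p>Registered: {html.escape(value, quote=True)}</p>"


class TagCounter(HTMLParser):
    """Collects every element start tag the browser-like parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))

    def handle_startendtag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_elements(markup: str) -> list[str]:
    """Tag names present in the rendered fragment, excluding the fixed
    <p> wrapper. Anything left over came from user input."""
    parser = TagCounter()
    parser.feed(markup)
    parser.close()
    return [tag for tag, _ in parser.tags if tag != "p"]


def evaluate(value: str) -> dict:
    """Compare what the blacklist and each rendering path do with a value."""
    return {
        "blacklist_rejects": blacklist(value),
        "unsafe_injected": injected_elements(render_unsafe(value)),
        "safe_injected": injected_elements(render_safe(value)),
    }


# Constructed sample inputs; the img payload is the one used in the post.
SAMPLES = {
    "plain": "ghost@example.com",
    "script_tag": "<script>alert(1)</script>",
    "img_onerror": "<img src=err onerror=alert('haxez')>",
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(name, evaluate(value))
```

The blacklist rejects the literal script tag but lets the img payload straight through, and the unsafe renderer then emits an `img` element with an `onerror` handler. The encoded renderer emits none for either payload, because the browser sees `&lt;img ...&gt;` as text rather than markup. That is the general point: output encoding for the right context removes the whole class, whereas a denylist only removes the spellings someone thought of.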

SpookTastic XSS.

SpookTastic Learnings

What’s great about the challenges where you can download the code is that you can see the protection mechanisms in place. One thing I have always struggled with is understanding how payloads bypass protection mechanisms. Everything makes much more sense once you actually see the backend code of the application. Anyway this was a fun challenge.