First-blooded this challenge. The server is down, so I can only explain briefly.

- A comment in the website points to get_perm.php.
- Another comment in get_perm.php shows ?remote_debug=1.
- Using a PHP trick, you get the privilege to write posts.
- You can write posts and submit them to the admin, so there is definitely XSS.
- But CSP is there: img-src *, script-src with a nonce (new on every refresh), and so on.
- On view.php there is an image tag whose src contains the PHPSESSID.
- The challenge description says the PHPSESSID is the flag.
- The <base> tag is blocked (returns a "no hack" message).
- You can upload files via the license param, but there is an extension blacklist and an image-header check.
- The header check can be satisfied with the GIF89a header (shortest, ASCII, very nice).
- html, htm, php and php5 extensions are blocked; css is not.
- With a CSS leak, it is possible to leak each byte of the admin's PHPSESSID.
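As an added example (not from the writeup or the challenge), a small CSP audit that flags the two policy conditions this leak depended on: an img-src that lets a stylesheet beacon to any host, and a style-src that still loads a .css file uploaded to the same origin. The header strings are constructed; the challenge's real policy is only paraphrased above.

```python
import re

# Source expressions that let a beacon reach an attacker-controlled host.
WILDCARD_HOSTS = {"*", "http:", "https:", "http://*", "https://*"}

def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy: dict, directive: str) -> list:
    """Fetch directives fall back to default-src; with neither set, anything loads."""
    return policy.get(directive, policy.get("default-src", ["*"]))

def has_nonce_or_hash(sources: list) -> bool:
    """True if the directive is locked to nonced or hashed resources."""
    return any(re.fullmatch(r"'(nonce|sha256|sha384|sha512)-[^']+'", s) for s in sources)

def audit_csp(header: str, serves_user_uploads: bool = True) -> list:
    """Return (directive, problem) pairs for the weaknesses a CSS attribute leak needs.

    serves_user_uploads: whether this origin serves files users upload (assumed
    True here, as the writeup's license upload lands on the same site)."""
    policy = parse_csp(header)
    findings = []
    img = effective_sources(policy, "img-src")
    if WILDCARD_HOSTS & set(img):
        findings.append(("img-src", "any host allowed: a stylesheet can beacon matched "
                                    "attribute bytes via background-image"))
    style = effective_sources(policy, "style-src")
    if not has_nonce_or_hash(style):
        if WILDCARD_HOSTS & set(style) or "'unsafe-inline'" in style:
            findings.append(("style-src", "arbitrary or inline styles allowed"))
        elif "'self'" in style and serves_user_uploads:
            findings.append(("style-src", "'self' still loads an uploaded .css served "
                                          "from this origin; use a nonce or a separate host"))
    return findings

if __name__ == "__main__":
    for d, why in audit_csp("default-src 'self'; script-src 'nonce-r4nd0m'; img-src *"):
        print(f"{d}: {why}")
```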
After the CTF, the admin said I first-blooded with the intended solution, nice!