[anudeep's space]

secure-email-service

Mar 31, 20252 min read

Challenge

LinkDifficultyStatus
https://play.picoctf.org/practice/challenge/496?category=1&originalEvent=74&page=1Static BadgeStatic Badge

Note

Description

S/MIME means secure email, right?

Additional details will be available after launching your challenge instance.

Solution

Note

I have not read the solution to this challenge yet. I will be reading https://web.archive.org/web/20250331144934/https://corgi.rip/posts/secure-email-service/, once I finishing writing my thoughts here.

I have not solved this challenge but was able to identify most of the attack chain except for the actual exploit that could make that attack chain a success😂.

Launching the challenge reveals a login screen. The username is given after you launch the challenge instance. And as mentioned above in the login page, the password can be obtained by visiting /api/password endpoint.

When we login we go to the inbox page and see an email from the admin. We can reply to this email, compose a new email and everything works like a standard email application.

One key difference that I was not able to achieve was send a html email. Because the email we received from admin was html email.

The email content is wrapped inside a SMIME format which is basically determining if the email is signed, html or plain text. When it’s of type html the html content is rendered as is in the email page.

Looking at the source code for the application we find that only admin email are signed so only those can be valid html emails. And our emails are not signed because we do not have a keypair to sign them.

There is an endpoint which we can invoke which launches a puppeteer instance, open the application login as admin reply to emails. While this is happening we store the flag in localstorage of that browser instance.

The attack chain looks like below:

  1. Craft an email somehow to fool smime parser into thickening that it’s signed. So that we can render html content.
  2. In the html content inject a script to read the flag from localstorage and send it to our server via an api request.
  3. Send the above email.
  4. Now invoke the puppeteer endpoint so that the email is opened on the server with admin credentials.
  5. Now when the email opens the step2 script is executed and is sent to us.

Site Map

Graph View

Backlinks