NorthKorea
A Korean People's Army strategic command portal where field scouts file reports and the Marshal personally endorses each one with a state authorization code.
The Scenario
You are a foreign operative working a low-privilege scout account on the KPA Strategic Command portal (issued credentials: admin / admin). Every field report you file is reviewed in person by Marshal Kim, and his endorsement carries an AUTHORIZATION_CODE that never leaves his screen. You cannot read it directly. Recover that code.
Lab Intel
Synopsis
Reflected XSS into a nonce'd script defeats a strict CSP. The /review/:id page interpolates the report callsign raw into an existing nonce-authorized inline script as a JavaScript string literal. Breaking out of the string runs arbitrary JS under the page nonce even though new script tags are blocked. The player keylogs the Puppeteer Marshal bot as it types the endorsement (the flag) and beacons each keystroke to their own VPN-IP listener.
Architecture
A medium-difficulty client-side lab on two containers: an nginx gateway and a Node/Express portal that also runs an in-container headless-Chromium admin bot. Scouts file field reports; the Marshal bot reviews each pending report and types an endorsement one character per second. The endorsement text is never persisted, so the flag can only be captured live through the XSS keylogger.
Who It's For
Players comfortable with web requests and basic JavaScript who want to practise the difference between HTML injection and JS-expression injection under CSP. Familiarity with a keylogger payload and standing up a simple listener helps.
Skills You'll Practice
- Distinguishing CSP nonce protection (HTML injection) from in-script JS injection
- Crafting a string-breakout payload that keeps the surrounding script parseable
- Keylogging a headless admin bot and reassembling the captured input
- Exfiltrating to a VPN-reachable listener (labs allow lab-to-VPN traffic)
What You'll Gain
- A repeatable technique for bypassing strict nonce CSP through an existing trusted script
- The understanding that a nonce authorizes a whole script element, not the statements inside it
- The server-side fix, JSON-encoding untrusted values before placing them in a script context