DerpCon CTF: Khanslist

By: ohai 4 years ago
CTF DerpCon RunCode

Khanslist presented the user with a craigslist (ish) style site.

img

Users can create accounts, post items they want to sell (with pictures!) and browse other users postings. While the file upload is enticing, there’s a gigantic “report to admin” button when viewing others posts. That’s what we want to target.

img

The report to admin feature gives us a text box where we can report a listing to the admin for not conforming to the rules of the site. When the admin views these, they are vulnerable to a XSS (yes, this is a logical leap as you can’t really see this functionality).

If we send a basic XSS payload, we can steal the admin users cookie and view the site as them.

img

We can catch the XSS with a simple python http listener.

img

And load their cookie into our browser and hit refresh. Yay, a flag. 20 Free points. derp{E451357_xSS_3v3r}

img


Comments: 0

Unmoderated: 0 Spam: 0