DerpCon CTF: Khanslist2

By: ohai 4 years ago
CTF DerpCon RunCode

For Khanslist2, we’ll follow the exact same steps as Khanslist but once we are admin, we see that we can’t view the flag as “this admin”…

img

But notice that there are more options on the left, check out the Users tab.

img

If we inspect the source, we get all kinds of good info. The admin can promote/demote users.

img

We see our user id and this “safe_ip” value. So what we want to do is get the admin to submit this form for us, promoting us to admin and setting our safe_ip appropriately. Since we have the XSS, we can combine that with a little CSRF magic and get the admin to promote us!

img

So we’ll serve that up and call it with an iframe in our XSS.

img

in action!

img

Then log in as our user and head to /admin for the flag derp{XSS_2_B_ADMIN_d3RpM13573R}

img


Comments: 0

Unmoderated: 0 Spam: 0