Admin Secrets

Web [100 pts]

When we first visit the page, we are given an area to create a post and “report” it to the Admin. Trying the classic XSS test,

<script>alert(1)</script>

gives us a popup window, which confirms the injection point we can build on.

Our next goal is to steal the admin's cookies to retrieve more information. In this challenge, I used ngrok and a local PHP server containing the following code for steal.php:

Step 1

Using this code and ngrok, we attempt to retrieve the admin's cookie, as shown in the following:

After pressing ‘report to admin’, we see that we indeed retrieved something in our request:

From the referrer, we can tell that the admin is visiting our site and handing us their information:

Step 2

To obtain the admin console, which is located in the page source, we follow a process similar to Step 1. But triggering our script before the page loads will cut off the rest of the page source after our script, so we have to wait until the page fully loads and then retrieve the entire HTML. I encoded this twice in base64 for readability.

Looking at our response, we see that we are given a twice base64-encoded string. Once decoded using CyberChef, it gives us the admin's page source:

We observe that an AJAX GET request is being made to the endpoint /admin_flag. When we try to access it using curl, it responds with “Only the administrator can access this endpoint.”

So in our next step, we have to get the administrator's browser to visit that endpoint, store the response it receives, and redirect it back to us.
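The reason this step works is that the admin's browser sends the session cookie with any same-origin request, so an injected script can read /admin_flag even when the cookie is HttpOnly. The control that breaks this chain on the defending side is a Content-Security-Policy: script-src without 'unsafe-inline' keeps the stored post from executing at all, and connect-src limits where a script that does run may send XHR or fetch requests. The following is an added example, not code from the writeup or the challenge: a minimal evaluator for those two directives. The policy strings, the page origin and the ngrok hostname are constructed for the example; /admin_flag is the endpoint named above.

```javascript
// Added example (not from the writeup): evaluate the CSP directives that
// govern (a) whether an inline <script> in a stored post may execute and
// (b) whether a running script may send an XHR/fetch to a given destination.
// Policy strings, page origin and hostnames below are constructed.

// Parse "name src src; name src" into a Map of directive -> source list.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Source list for a fetch directive, honouring the default-src fallback.
// null means the policy places no restriction on that directive.
function sourcesFor(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Does one source expression permit a request from `pageOrigin` to `url`?
// Handles 'self', 'none', '*', scheme sources ("https:") and host sources
// with an optional scheme and a leading wildcard ("https://*.example.com").
function sourceMatches(source, pageOrigin, url) {
  if (source.startsWith("'")) {
    const keyword = source.replace(/^'|'$/g, '').toLowerCase();
    if (keyword === 'self') return url.origin === pageOrigin;
    return false; // 'none', nonces and hashes never match a fetch target
  }
  if (source === '*') return true;
  if (source.endsWith(':')) return url.protocol === source.toLowerCase();
  let hostPattern = source.toLowerCase();
  const m = hostPattern.match(/^([a-z][a-z0-9+.-]*):\/\/(.*)$/);
  if (m) {
    if (url.protocol !== m[1] + ':') return false;
    hostPattern = m[2];
  }
  hostPattern = hostPattern.replace(/\/.*$/, '').replace(/:\d+$/, ''); // path and port ignored here
  if (hostPattern.startsWith('*.')) return url.hostname.endsWith(hostPattern.slice(1));
  return url.hostname === hostPattern;
}

// Would the policy let a script on `pageOrigin` send an XHR/fetch to `target`?
function isConnectAllowed(header, pageOrigin, target) {
  const sources = sourcesFor(parseCsp(header), 'connect-src');
  if (sources === null) return true;
  const url = new URL(target, pageOrigin);
  return sources.some((s) => sourceMatches(s, pageOrigin, url));
}

// Would the policy let an inline <script> in page content execute at all?
function isInlineScriptAllowed(header) {
  const sources = sourcesFor(parseCsp(header), 'script-src');
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// Constructed policies: one that would have stopped the writeup's chain and
// one that would not.
const TIGHT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'";
const LOOSE_CSP = "default-src *; script-src 'self' 'unsafe-inline'";
const PAGE_ORIGIN = 'https://challenge.example'; // constructed
const EXFIL_URL = 'https://abcd1234.ngrok.io/steal.php'; // constructed
```

Under TIGHT_CSP the stored post's inline script never runs, and even a script that somehow did run could not reach the ngrok host; under LOOSE_CSP both the inline script and the outbound request are permitted. Note that connect-src 'self' still allows the same-origin read of /admin_flag, which is why script-src is the directive that matters most here.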

Step 3

The implementation of the logic described in Step 2 will look something like this, using XHR:

After sending this payload, we notice that our response contains an extra step that prevents us from accessing the endpoint:

Step 4

There is a filter that blocks script tags, quotes, and parentheses.

Using the OWASP XSS filter bypass resource linked below, we were able to encode and manipulate our payload to bypass this filter.
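The filter in Step 4 is a denylist: it rejects input that contains a few characters an attacker is expected to need, which is why a cheat sheet of alternative spellings defeats it. The defence that does not depend on guessing spellings is contextual output encoding, applied when the post is rendered. The following is an added example, not code from the writeup or the challenge, that places the two side by side for the classic test payload from the start of the writeup: a denylist check of the Step 4 kind, and an escaping renderer. The posts and the renderPost markup are constructed for the example.

```javascript
// Added example (not from the writeup): a Step 4 style denylist beside
// contextual output encoding. Sample posts are constructed.

// Models the challenge's filter: reject any post containing a script tag,
// a quote or a parenthesis. Returns null when the post is rejected.
const DENYLIST = [/<\s*script/i, /["']/, /[()]/];

function denylistFilter(text) {
  return DENYLIST.some((re) => re.test(text)) ? null : text;
}

// Output encoding for the HTML text and double-quoted attribute contexts:
// every character that can open a tag, close an attribute or start an
// entity is replaced, so the browser never sees author-supplied markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Rendering applies the encoding at output time, once per context, instead
// of trying to reject "dangerous" input up front.
function renderPost(post) {
  return `<article data-author="${escapeHtml(post.author)}">` +
    `<p>${escapeHtml(post.body)}</p></article>`;
}

// Check used by the tests: does rendered HTML contain a raw opening tag?
function containsRawTag(html, tagName) {
  return new RegExp(`<\\s*${tagName}\\b`, 'i').test(html);
}

// Constructed sample posts.
const CLASSIC_TEST = { author: 'alice', body: '<script>alert(1)</script>' };
const LEGIT_POST = { author: 'bob', body: "Don't forget (bring snacks)" };
```

The denylist rejects the classic test, but it also rejects the perfectly ordinary second post because it contains a quote and parentheses, and it passes anything spelled in a way the three patterns do not anticipate. The escaping renderer accepts both posts and emits no tag in either case.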

Resource: OWASP XSS filter bypasses

Our modified payload will be:

Finally, using the above payload, we are able to see the flag in our response:
