Web [250 pts]
Description: Check out our new sticky note website!
We are given two endpoints for this challenge. I found an unintended solution, so I will be discussing how that happened.
After creating an account on :50020 and linking it with :50039, we are able to create notes and report to admin.
First, a "report to admin" feature is a common vector for XSS and CSRF, so I wanted to see if I could steal some information from the admin. So, using this payload:
we were able to send it to the admin and have them visit our site.
I originally only wanted to read their HTML to see what the page looked like, but base64-decoding our response twice revealed the admin dashboard along with the flag: