#CTF #DerpCon #RunCode
Khanslist presented the user with a craigslist (ish) style site.
Users can create accounts, post items they want to sell (with pictures!) and browse other users postings. While the file upload is enticing, there's a gigantic "report to admin" button when viewing others posts. That's what we want to target.
The report to admin feature gives us a text box where we can report a listing to the admin for not conforming to the rules of the site. When the admin views these, they are vulnerable to a XSS (yes, this is a logical leap as you can't really see this functionality).
If we send a basic XSS payload, we can steal the admin users cookie and view the site as them.
We can catch the XSS with a simple python http listener.
And load their cookie into our browser and hit refresh. Yay, a flag. 20 Free points.