DerpCon CTF: Khanslist

#CTF #DerpCon #RunCode

Khanslist presented the user with a Craigslist-style site.

Users can create accounts, post items they want to sell (with pictures!) and browse other users' postings. While the file upload is enticing, there's a gigantic "report to admin" button when viewing others' posts. That's what we want to target.

The report-to-admin feature gives us a text box where we can report a listing for not conforming to the rules of the site. When the admin views these reports, the text we submitted is rendered in their browser, so they are vulnerable to a stored XSS (yes, this is a logical leap, since you can't actually see the admin-side functionality; you have to test for it blind and watch for a callback).

If we send a basic XSS payload that ships document.cookie to a host we control, we can steal the admin user's session cookie and view the site as them. This only works because the session cookie is not marked HttpOnly; with that flag set, document.cookie would not expose it and we would need a different approach.

We can catch the callback with a simple Python HTTP listener that logs whatever the payload appends to the request URL.

Then load their cookie into our browser's cookie store for the site and hit refresh. Yay, a flag. 20 free points.
