For Khanslist2, we’ll follow the exact same steps as Khanslist but once we are admin, we see that we can’t view the flag as “this admin”…
But notice that there are more options on the left, check out the Users tab.
If we inspect the source, we get all kinds of good info. The admin can promote/demote users.
We see our user id and this “safe_ip” value. So what we want to do is get the admin to submit this form for us, promoting us to admin and setting our safe_ip appropriately. Since we have the XSS, we can combine that with a little CSRF magic and get the admin to promote us!
So we’ll serve that up and call it with an iframe in our XSS.
[screenshot: the XSS + CSRF in action]
Then log in as our user and head to /admin for the flag derp{XSS_2_B_ADMIN_d3RpM13573R}
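For contrast, here is the check the Users form was missing, as an added example that is not part of the original writeup or the challenge code: a promote handler that rejects a cross-site auto-submitted form by validating the Origin header and a session-bound CSRF token (the origin `https://khanslist.example`, the `Request` shape, the user id `42` and the IP `203.0.113.5` are all constructed for the example).

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

SECRET = secrets.token_bytes(32)                 # constructed server-side secret
ALLOWED_ORIGIN = "https://khanslist.example"     # assumed origin of the app

def csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the admin's session, so a page hosted
    elsewhere cannot know it and a stolen cookie alone does not reproduce it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

@dataclass
class Request:
    session_id: str      # from the cookie; the browser attaches it to a forged POST too
    headers: dict
    form: dict

# constructed user table: id -> attributes the Users form can change
USERS = {"42": {"is_admin": False, "safe_ip": None}}

def handle_promote(req: Request, sessions: dict) -> str:
    """Server-side handler for the admin 'promote/demote user' form."""
    sess = sessions.get(req.session_id)
    if not sess or not sess.get("is_admin"):
        return "forbidden"
    # 1. A form auto-submitted from an attacker-hosted page (e.g. inside an
    #    iframe) carries that page's Origin/Referer, not the app's.
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not origin.startswith(ALLOWED_ORIGIN):
        return "rejected: bad origin"
    # 2. The token must match the one minted for this session; constant-time compare.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), csrf_token(req.session_id)):
        return "rejected: bad csrf token"
    user = USERS.get(req.form.get("user_id", ""))
    if user is None:
        return "no such user"
    user["is_admin"] = req.form.get("role") == "admin"
    user["safe_ip"] = req.form.get("safe_ip")
    return "promoted"
```

Note that these checks stop the cross-origin iframe submission only; a script running on the app's own origin (the XSS itself) can read the token from the page, so the XSS has to be fixed as well (output encoding, CSP).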