Well, this challenge is quite interesting; it took me and Tri a lot of time to solve it.
First, the challenge looks like this:
Looking at the page source (view-source), something interesting appears:
//process input like this
$name = filter($_POST['username']);
$message = filter($_POST['message']);
do the rest work
admin use chrome and use your plaintext secret to find your post
$name,$message have been filter-ed in input (and output)
$secret will be base64 encoded then saved in database.
Look at the description of the challenge: "the flag is in the http-only cookie", so I guess this is an XSS challenge. Since the bot uses Chrome, I was thinking about "Content Security Policy".
Let's test this:
Yes, XSS Auditor (or CSP) detects the XSS in our input and blocks it:
More: it has also been blocked in the source code (I guess).
The debug variable isn't false now:
Now set Username="debug" to define it and make it true. While debug is true, I can activate the XSS to force the admin to send me some HTML source.
Our payload to get this:
So we know there is a server_info.php in the admin folder.
Last step: find the admin cookie.
Since the HttpOnly flag is on, you can't read the cookie from JavaScript, but you can get it from phpinfo!
When I was doing this challenge it wasn't a phpinfo() page and we had to find it, but now it is. So all we have to do is force the admin's browser to fetch "/admin/server_info.php" and send it to us, and get the flag!
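The HttpOnly trick above rests on one fact: the flag only blocks document.cookie, it does nothing once a same-origin page such as phpinfo() prints the request's Cookie header back into HTML. The following is an added example (not code from the write-up or the challenge) of the defender-side check for that: it parses a Cookie header, looks for its values reflected in response bodies, and reports the Set-Cookie attributes. The cookie header, the two response bodies (one shaped like a phpinfo() table row) and the function names are all constructed for this example.

```python
"""
Added example, not from the original write-up: detect whether an HTTP
response echoes the request's cookie values the way phpinfo() does via
$_SERVER['HTTP_COOKIE'] and $_COOKIE. HttpOnly stops document.cookie from
reading a cookie, but not a same-origin page that prints the Cookie header
into HTML which any script on the origin can fetch.
All sample data below is constructed for the example.
"""
from html import unescape


def parse_cookie_header(cookie_header):
    """Split a Cookie request header into a {name: value} dict (order kept)."""
    cookies = {}
    for part in cookie_header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue  # ignore malformed fragments such as a bare word
        name, value = part.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def find_cookie_reflection(body, cookie_header, min_len=8):
    """Return names of cookies whose values appear verbatim in the response body.

    Values shorter than min_len are skipped: a value like "dark" would match
    ordinary page text and produce false positives.
    """
    text = unescape(body)  # phpinfo() HTML-escapes values, so decode entities first
    return [
        name
        for name, value in parse_cookie_header(cookie_header).items()
        if len(value) >= min_len and value in text
    ]


def cookie_flags(set_cookie_header):
    """Report the HttpOnly / Secure / SameSite attributes of a Set-Cookie header."""
    attrs = [a.strip() for a in set_cookie_header.split(";")[1:]]
    lowered = [a.lower() for a in attrs]
    samesite = None
    for attr in attrs:
        if attr.lower().startswith("samesite="):
            samesite = attr.split("=", 1)[1]
    return {
        "httponly": "httponly" in lowered,
        "secure": "secure" in lowered,
        "samesite": samesite,
    }


def audit_responses(responses, cookie_header):
    """Map each path to the cookies its response leaks; paths with no leak are omitted."""
    findings = {}
    for path, body in responses.items():
        leaked = find_cookie_reflection(body, cookie_header)
        if leaked:
            findings[path] = leaked
    return findings


# Constructed sample data: the Cookie header the admin's browser would send,
# and two response bodies, one of them shaped like a phpinfo() table row.
SAMPLE_COOKIE_HEADER = (
    "PHPSESSID=a1b2c3d4e5f6g7h8; flag=FLAG{constructed_sample_value}; theme=dark"
)
SAMPLE_RESPONSES = {
    "/admin/server_info.php": (
        "<tr><td class=\"e\">$_SERVER['HTTP_COOKIE']</td>"
        "<td class=\"v\">PHPSESSID=a1b2c3d4e5f6g7h8; "
        "flag=FLAG{constructed_sample_value}; theme=dark</td></tr>"
    ),
    "/index.php": "<html><body><h1>Guestbook</h1><p>dark theme enabled</p></body></html>",
}

if __name__ == "__main__":
    for path, leaked in audit_responses(SAMPLE_RESPONSES, SAMPLE_COOKIE_HEADER).items():
        print(f"{path} reflects cookie values: {', '.join(leaked)}")
    print(cookie_flags("flag=FLAG{constructed_sample_value}; HttpOnly; Path=/"))
```

Run against real traffic, the audit should be fed the cookie header of an authenticated session and the bodies of every page that session can reach; any hit is an endpoint where an XSS elsewhere on the origin turns into cookie disclosure regardless of HttpOnly, and phpinfo()-style pages should simply not be deployed.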