# CLGT-Meepwn
Well, this challenge is quite interesting; it took Tri and me a lot of time to solve it.
First, the challenge looks like this:
Viewing the source, something interesting appears:
```php
// process input like this
$name = filter($_POST['username']);
$message = filter($_POST['message']);
$secret = base64_encode($_POST['secret']);
// ...
// do the rest work
```
The admin uses Chrome and uses your plaintext secret to find your post.
$name and $message are filtered on input (and on output).
$secret is base64-encoded and then saved in the database.
Looking at the challenge description, "the flag is in the http-only cookie", I guessed this is an XSS challenge. Since the bot uses Chrome, I thought about Content Security Policy.
Let's test this:
Yes, the XSS Auditor (or CSP) detects the XSS in our input and blocks it:
Moreover, it has been blocked in the source code (I guess).
The debug variable isn't false now:
Now set Username="debug" to define it and make it true. While debug is true, I can trigger the XSS to force the admin to send me some HTML source.
Our payload to get this:
/admin/show.php:
So we know there is a server_info.php in the admin folder.
Last step: find the admin cookie.
Since the HttpOnly flag is on, you can't read the cookie from JavaScript, but you can get it from phpinfo!
When I was doing this challenge it was not a phpinfo() page and we had to find it, but now it is. So all we have to do is force the admin to fetch /admin/server_info.php, and get the flag!
Happy hacking!
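The "debug" step above relies on Chrome resolving an undeclared global through an element id (named access on window). This added example, not the challenge's code, models that lookup in Node (which has no DOM) and shows why declaring the flag explicitly closes the hole; the post template that uses the username as an element id is an assumption.

```javascript
// Added example: models window's named-element access and the difference
// between an undeclared `debug` global and a declared one.

// Collect element ids from rendered markup (a minimal stand-in for the DOM).
function elementIds(html) {
  return new Set([...html.matchAll(/\sid=["']([^"']+)["']/g)].map(m => m[1]));
}

// Assumed template: the app escapes the username but still emits it as an id.
function renderPost(username) {
  const safe = username.replace(/[^\w-]/g, "");
  return `<div class="post" id="${safe}">${safe}</div>`;
}

// Modelled window: declared script globals shadow named element access,
// which is the order a real browser uses.
function makeWindow(html, declared = {}) {
  const ids = elementIds(html);
  return new Proxy(declared, {
    has: (t, k) => k in t || ids.has(k),
    get: (t, k) => (k in t ? t[k] : ids.has(k) ? { tagName: "DIV", id: k } : undefined),
  });
}

// Vulnerable page script: gates debug mode on an undeclared global, so any
// element with id="debug" (here, a username of "debug") satisfies the check.
function debugEnabledVulnerable(win) {
  return "debug" in win && Boolean(win.debug);
}

// Hardened page script: the flag is declared (`var debug = false`) and
// compared strictly, so an element id can never stand in for it.
function debugEnabledHardened(win) {
  return win.debug === true;
}

// Run one username through the vulnerable or hardened page logic.
function demo(username, hardened) {
  const html = renderPost(username);
  const win = hardened ? makeWindow(html, { debug: false }) : makeWindow(html);
  return hardened ? debugEnabledHardened(win) : debugEnabledVulnerable(win);
}
```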
I think the username has to be "debug"; in Chrome an id is treated as a variable in JavaScript. Thus, we can make debug true.
Yes, that's what I did, sorry for not mentioning it 🙂 thank you
Hi, just wanted to say, I loved this blog post. It was funny.
Keep on posting!
Wow, that was unusual. I just wrote a very long comment but after I clicked submit my comment
didn't appear. Grrrr… well, I'm not writing all that over again. Anyhow, just wanted to say
fantastic blog!
I'm sorry for this inconvenience.
Since I didn't want my blog to be harmed by spammers, I decided to control every comment that will be displayed on my post.
Thanks for your personal marvelous posting! I actually enjoyed reading it, you’re
a great author. I will always bookmark your blog and will often come back sometime soon. I want to encourage you to definitely continue your great posts,
have a nice afternoon!