Cyber Apocalypse 2022 — Kryptos Support

This challenge was in the “Web” category of Cyber Apocalypse CTF and has the following description:

Landing Page

The landing page shows an input box, for reporting an issue:

The web app also have a functionality to login. So at that point I have thought about XSS and that is what I have tried to exploit.

Exploiting XSS

First I have started a HTTP Server on port 8000 and started Ngrok to make that web server accessable from the Internet.

First I have created a payload to retrive the cookie:

Next I have created a payload to retrieve the contents of the web page, which the user is looking at:

And I have received the cookie and the contents of the cookie:

The cookie was in JWT format and I was able to decode it with a JWT decoder:

It showed that the username is “moderator”. But I was not able to use that cookie to login as moderator. So I had to try another way in.

In HTML code of the web page showed me that there is a settings-page at /settings.

Tampering with the settings page

Now I have created a third payload to retrieve the settings page in base64 encoded format:

The payload will send me the base64 encoded string a GET parameter called “settings” to my web server. After waiting for a bit, I was able to retrieve the content:

The decoded code:

As you can see it contains a form to reset the password. There is also a settings.js file located at /static/js/settings.js, which could be requested without authentication:

It sends JSON data with new password and uid to the endpoint /api/users/update via POST to reset the password. So I have implemented the same functionality to reset the moderator’s password to “Password123”:

After waiting for the request to my web server, I have used the credentials moderator:Password123 to login to the web page:

Getting Admin

Unfortunatly this was not enough to get the flag. So I have navigated to the settings page and intercepted a password reset request:

As you can see the request also contains the uid. So I have send that request to the Repeater to test other UIDs. I have started with 0, but it was not successfull. With UID 1 I was able to reset admin’s password and then login with admin:Password123 to retrieve the flag: