THM Challenge

/robots.txt has some Disallows:
User-agent: *
Disallow: /admin
Disallow: /todo
/admin is a rabbit hole; /todo actually has some info.
Looks like there’s a new feature that hasn’t been sufficiently tested for security holes.
Register an account to get a look at the members' area.
So we can upload a resume or send a request to the admin? Maybe that's the form being talked about in /todo?
Let’s test this by sending an XSS payload
Sent <script>alert(1)</script> in the content field.
Interesting, we can review the report? Let’s see if our XSS fired!
So XSS is in play. If the admin is checking the reports, maybe we can steal their cookies?
I'm going to use hookbin and this payload:
Sending that as the content of our request, let’s see if we get anything on our hookbin
Is that the cookie we want? Let's see what happens if we swap it in for the one we have.
Now we can capture the flag :)
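For the defensive side of this write-up, here is an added example (not part of the original challenge or its code) of how the "review the report" page could have closed both halves of the chain: output-encoding the stored content so the alert probe renders as text, and issuing the admin session cookie with HttpOnly, Secure and SameSite so a script that did run could not read or replay it. The function names renderReport, buildSessionCookie and the sample report object are assumptions constructed for this example; the only value taken from the write-up is the alert(1) probe.

```javascript
// Added example, not from the original write-up. Assumed names:
// escapeHtml(), renderReport(), buildSessionCookie(), REPORT_PAGE_CSP.

// Escape the five characters that let user text break out of an HTML
// text node or quoted attribute. Applied to every user-controlled field
// at output time, never at input time.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Render the admin's "review report" view. Every field from the request
// form goes through escapeHtml, so a stored payload is displayed as text
// rather than executed when the admin opens the report.
function renderReport(report) {
  return [
    '<div class="report">',
    `<h2>${escapeHtml(report.title)}</h2>`,
    `<p class="author">${escapeHtml(report.author)}</p>`,
    `<pre>${escapeHtml(report.content)}</pre>`,
    "</div>",
  ].join("\n");
}

// Build the Set-Cookie header value for the admin session. HttpOnly keeps
// document.cookie from exposing the value to any script that does run,
// Secure keeps it off plaintext HTTP, and SameSite=Strict stops the browser
// attaching it to cross-site requests.
function buildSessionCookie(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name)) throw new Error("invalid cookie name");
  if (/[\s;,]/.test(value)) throw new Error("invalid cookie value");
  return [
    `${name}=${value}`,
    "Path=/",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// A Content-Security-Policy for the report page: no inline scripts and no
// script sources outside the site's own origin, so an escaping slip still
// cannot load a payload that ships document.cookie to an external collector.
const REPORT_PAGE_CSP =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample input: the alert probe from the write-up, stored as content.
const sampleReport = {
  title: "Resume review",
  author: "tester",
  content: "<script>alert(1)</script>",
};

if (typeof module !== "undefined" && require.main === module) {
  console.log(renderReport(sampleReport));
  console.log("Set-Cookie: " + buildSessionCookie("session", "constructed-token-123", 3600));
  console.log("Content-Security-Policy: " + REPORT_PAGE_CSP);
}
```

Running the file prints the escaped report (the probe appears as `&lt;script&gt;alert(1)&lt;/script&gt;` inside the `<pre>`), the hardened cookie header, and the CSP. The cookie-flag change is what breaks the second half of the chain: even a successful injection cannot read an HttpOnly session cookie, so there is nothing to post to a collector.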