Cyber Apocalypse CTF 2022 — Web — Kryptos Support Write-up

r0xdac
Published in InfoSec Write-ups, May 19, 2022


Prompt:

Kryptos Support
The secret vault used by the Longhir’s planet council, Kryptos, contains some very sensitive state secrets that Virgil and Ramona are after to prove the injustice performed by the commission. Ulysses performed an initial recon at their request and found a support portal for the vault. Can you take a look if you can infiltrate this system?

Start:

It is a web challenge and there is no source code to download and test locally, so we will attack without any code review.

The website looks like this.

As it is a ticket system, my first thought was that we are sending something to the admin and he will review it. So it is a good point to try XSS.

I’m opening a webhook website and writing my payload to check if admins click it.

And yes, I stole the cookie. So from the developer tools, we can set our cookie to log in as admin.

We can see the tickets, but they are not interactive, so I'm clicking on settings, and there is a portal which lets us change our password.

When I examined it via Burp, I saw that only the uid and password data are going to the server, so we can't understand it even if we change the uid. But as you know, on almost all websites the admin has 1 or sometimes 0 for uid. So I'm changing it to 1.

And boom. There is an IDOR vulnerability which lets us change the admin's password.

We are logging in as admin from the /login path

and we are capturing the flag of this challenge.
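
The password change described above works because the server trusts the uid sent by the client. The following is an added example, not the challenge's code (no source was available): it shows that flaw next to a hardened handler. The handler names, the in-memory user table, uid 100 and the `currentPassword` field are assumptions made for illustration.

```javascript
// Constructed user table: uid 1 is the admin (the value guessed in the write-up),
// uid 100 is a hypothetical support account. Demo only: store salted hashes, not plaintext.
function makeUsers() {
  return new Map([
    [1, { username: 'admin', password: 'admin-original' }],
    [100, { username: 'support', password: 'support-original' }],
  ]);
}

// Vulnerable shape: the account to modify is taken from the request body.
function updatePasswordVulnerable(users, session, body) {
  const user = users.get(Number(body.uid));
  if (!user) return { status: 404, message: 'user not found' };
  user.password = body.password;
  return { status: 200, message: 'password updated' };
}

// Hardened shape: the account to modify comes only from the server-side session.
function updatePasswordHardened(users, session, body) {
  if (!session || !users.has(session.uid)) {
    return { status: 401, message: 'not authenticated' };
  }
  // A body uid that disagrees with the session is refused (and worth logging).
  if (body.uid !== undefined && Number(body.uid) !== session.uid) {
    return { status: 403, message: 'uid does not match session' };
  }
  const user = users.get(session.uid);
  // Requiring the current password means a stolen session cookie is not enough.
  if (body.currentPassword !== user.password) {
    return { status: 403, message: 'current password required' };
  }
  user.password = body.password;
  return { status: 200, message: 'password updated' };
}

// Replays the tampered request (uid changed to 1) against both handlers.
function demo() {
  const session = { uid: 100 };
  const tampered = { uid: 1, password: 'chosen-by-requester' };
  const a = makeUsers();
  const b = makeUsers();
  return {
    vulnerable: updatePasswordVulnerable(a, session, tampered).status,
    adminChangedVulnerable: a.get(1).password !== 'admin-original',
    hardened: updatePasswordHardened(b, session, tampered).status,
    adminChangedHardened: b.get(1).password !== 'admin-original',
  };
}
console.log(demo());
```

Setting the session cookie as HttpOnly would additionally keep it out of reach of script injected through the ticket form.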
