Lawful Evil (lawful_evil) wrote,

HackerOne CTF Petshop Pro

Easy and straightforward shopping. A couple of items you can add to a cart and check out. Playing with the cart a bit, we see that the cart/checkout conversation is URL-encoded JSON. I try replaying it but changing the costs so the kittens are free. Boom, Flag0.
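Added example, not code from the writeup or the shop: a checkout that trusts the client-supplied prices in the URL-encoded JSON cart, beside one that reprices every line from a server-side catalog and rejects any mismatch. The JSON field names (`id`, `price`, `qty`), the item ids and the prices are assumptions, since the post does not show the cart format.

```python
import json
from urllib.parse import quote, unquote

# Constructed server-side catalog (assumed ids and prices, not the real shop's).
CATALOG = {
    0: {"name": "Kitten", "price": 100.0},
    1: {"name": "Puppy", "price": 120.0},
}

def decode_cart(param: str) -> list:
    """Decode the URL-encoded JSON cart parameter into a list of line items."""
    return json.loads(unquote(param))

def encode_cart(items: list) -> str:
    """Build the cart parameter the way a browser would send it."""
    return quote(json.dumps(items))

def checkout_trusting_client(param: str) -> float:
    """Vulnerable: the total is computed from whatever price the client sent."""
    return sum(float(i["price"]) * int(i["qty"]) for i in decode_cart(param))

def checkout_server_priced(param: str) -> float:
    """Hardened: prices come from the catalog; a client price that differs is rejected."""
    total = 0.0
    for item in decode_cart(param):
        entry = CATALOG.get(int(item["id"]))
        if entry is None:
            raise ValueError(f"unknown item id {item['id']}")
        qty = int(item["qty"])
        if qty < 1:
            raise ValueError("quantity must be positive")
        # Compare, rather than silently overwrite, so tampering can be logged.
        if "price" in item and float(item["price"]) != entry["price"]:
            raise ValueError(f"price tampering detected for item {item['id']}")
        total += entry["price"] * qty
    return total

def tamper_rejected(param: str) -> bool:
    """True when the hardened checkout refuses the cart."""
    try:
        checkout_server_priced(param)
    except ValueError:
        return True
    return False

# Constructed carts: an honest one and a replayed one with the price zeroed.
HONEST = encode_cart([{"id": 0, "price": 100.0, "qty": 1}])
TAMPERED = encode_cart([{"id": 0, "price": 0, "qty": 1}])
```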
The index to the items in the shop seems to be linear. There may be hidden items, as the current items are all indexed 0, 1, ... We have seen that before, and the hints point to hidden directories. Download a list of common directories for fuzzing. It's ordered by priority and 220k long. Fortunately, inside 50 attempts, we find the /login webpage. Interestingly, we also find a bunch of nginx pages, perhaps related to how hackerone hosts these things (/static, /staticcamp, /statics, /staticpages, /staticseal_gd).
It's got a username/password set of creds to get in. The error message says, "Invalid username". Let's try a standard username list (85k entries) and filter out the results with that message. This yields a single result... "nadya"
Setting that as the username, we send a list of various passwords. Eventually we discover 'maria' is the password and move on to the shop editing page. Flag1 is there.
Flag 2 has hints pointing to errors, and to them not appearing on the page they originate from. I can edit the page and put in XSS code for each input. When I reload the store, I get the same old flag and XSS popups. Let's try some other pages too.
Kitten <script>alert(1)</script>
8"x10" color glossy photograph<script>alert(2)</script> of a kitten.
Puppy<script>alert(3)</script>
8"x10" color <script>alert(4)</script>glossy photograph of a puppy.
When I add to the cart, I get forwarded to the add-to-cart page, and now I see the alerts and a flag showing. Boom.
Tags: ctf, cybersecurity, hackerone, hacking, kitten, parameters, petshop, postbook, puppy