Easy and straightforward shopping. A couple of items you can add to a cart and check out. Playing with the cart a bit, we see that the cart/checkout conversation is URL-encoded JSON. I try replaying it but changing the costs so the kittens are free. Boom, Flag0.
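The price-tampering bug above exists because the server trusts the prices in the client's cart JSON. The following is an added example (not the challenge's code) of how a checkout handler should treat that body: decode the URL-encoded JSON, but recompute every line from a server-side catalog and reject a cart whose client-supplied price disagrees. The catalog, item ids and prices are constructed for the example.

```python
import json
from urllib.parse import quote, unquote

# Constructed server-side catalog: item id -> price in cents. This is the
# only source of truth for prices; nothing in the request body overrides it.
CATALOG = {0: 1999, 1: 2499}


class CartError(ValueError):
    """Raised when a cart references unknown items or tampered prices."""


def encode_cart(items: list) -> str:
    """Encode a cart the way the client does: JSON, then URL-encoded."""
    return quote(json.dumps(items))


def parse_cart(encoded: str) -> list:
    """Decode the URL-encoded JSON cart body into a list of line items."""
    return json.loads(unquote(encoded))


def checkout_total(encoded_cart: str) -> int:
    """Recompute the total from CATALOG and reject any price disagreement."""
    total = 0
    for item in parse_cart(encoded_cart):
        item_id = int(item["id"])
        qty = int(item.get("qty", 1))
        if item_id not in CATALOG or qty < 1:
            raise CartError(f"unknown item or bad quantity: {item}")
        server_price = CATALOG[item_id]
        # A client price is informational only; if it differs, treat it as
        # tampering rather than silently overwriting it (worth logging).
        if "price" in item and int(item["price"]) != server_price:
            raise CartError(f"price tampering detected for item {item_id}")
        total += server_price * qty
    return total


def try_checkout(encoded_cart: str):
    """Return (True, total) or (False, reason) without raising."""
    try:
        return True, checkout_total(encoded_cart)
    except (CartError, KeyError, ValueError, json.JSONDecodeError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    honest = encode_cart([{"id": 0, "price": 1999, "qty": 2}])
    free_kittens = encode_cart([{"id": 0, "price": 0, "qty": 2}])
    print(try_checkout(honest))
    print(try_checkout(free_kittens))
```

The useful design point is that the replayed "free kittens" request is not just ignored but surfaces as a distinct error, which is the signal a detection rule on checkout logs would key on.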
The index to the items in the shop seems to be linear. There may be hidden items, as the current items are all indexed 0, 1, ... We have seen that before, and the hints point to hidden directories. Download a list of common directories for fuzzing. It's ordered by priority and 220k entries long. Fortunately, within 50 attempts, we find the /login page. Interestingly, we also find a bunch of nginx pages, perhaps related to how HackerOne hosts these things (/static, /staticcamp, /statics, /staticpages, /staticseal_gd).
It's got a username/password set of creds to get in. The error message says, "Invalid username". Let's try a standard username list (85k entries) and filter out the results with that message. This yields a single result... "nadya"
Setting that as the username, we send a list of various passwords. Eventually we discover 'maria' is the password and move on to the shop editing page. Flag1 is there.
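The login was crackable in two separate steps because "Invalid username" told us which half of the guess was right, and nothing slowed the password list down. As an added example (not the challenge's code), here is a login check that closes both gaps: one generic message whatever fails, the same password-hashing work for unknown and known usernames so the response time does not leak either, and a per-username failure counter. The user store, the password and the lockout thresholds are constructed for the example.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict
from typing import Optional, Tuple

GENERIC_ERROR = "Invalid username or password"
MAX_ATTEMPTS = 5          # failures allowed inside LOCKOUT_SECONDS
LOCKOUT_SECONDS = 300
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


# Constructed user store: username -> (salt, digest).
_salt, _digest = hash_password("correct horse battery staple")
USERS = {"nadya": (_salt, _digest)}

# Dummy credentials: unknown usernames still pay for one PBKDF2 run, so a
# fast "no such user" path cannot be told apart from a slow wrong-password path.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(os.urandom(16).hex())

# username -> timestamps of recent failed attempts (an in-memory stand-in
# for whatever the real service would use).
_failures = defaultdict(list)


def _locked(username: str, now: float) -> bool:
    recent = [t for t in _failures[username] if now - t < LOCKOUT_SECONDS]
    _failures[username] = recent
    return len(recent) >= MAX_ATTEMPTS


def login(username: str, password: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (True, 'ok') on success, otherwise (False, GENERIC_ERROR)."""
    now = time.time() if now is None else now
    if _locked(username, now):
        return False, GENERIC_ERROR
    salt, digest = USERS.get(username, (_DUMMY_SALT, _DUMMY_DIGEST))
    _, candidate = hash_password(password, salt)
    # compare_digest runs in constant time; the membership check comes
    # second so the hashing work has already been spent either way.
    ok = hmac.compare_digest(candidate, digest) and username in USERS
    if not ok:
        _failures[username].append(now)
        return False, GENERIC_ERROR
    return True, "ok"


if __name__ == "__main__":
    print(login("nadya", "wrong"))
    print(login("nobody", "wrong"))
    print(login("nadya", "correct horse battery staple"))
```

Against this handler the two-stage approach in the writeup collapses: the username list cannot be filtered on an error message, and the password list hits the lockout after five tries per account.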
Flag 2 has hints pointing to errors and to them not appearing on the page they originate from. I can edit the page and put XSS code into each input. When I reload the store, I get the same old flag and XSS popups. Let's try some other pages too.
8"x10" color glossy photograph<script>alert(2)</script> of a kitten.
8"x10" color <script>alert(4)</script>glossy photograph of a puppy.
When I add to the cart, I get forwarded to the add-to-cart page and now I see the alerts and a flag showing. Boom.
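The flag-2 bug is a stored XSS that only fires on a secondary page: the store listing encoded the description, the add-to-cart page did not. As an added example (not the challenge's code), the two renderers below share one escaping helper so that every page showing product data encodes it, with the unsafe variant kept beside it to show the difference. The product record reuses the payload from the writeup; the HTML templates are constructed.

```python
import html
import re

# Constructed product store, seeded with the writeup's own stored payload.
PRODUCTS = {
    0: '8"x10" color glossy photograph<script>alert(2)</script> of a kitten.',
    1: '8"x10" color <script>alert(4)</script>glossy photograph of a puppy.',
}


def safe(text: str) -> str:
    """HTML-encode text for an element body or a double-quoted attribute."""
    return html.escape(text, quote=True)


def render_store_listing(product_id: int) -> str:
    """The listing page: already encodes, so the stored payload is inert here."""
    return f"<li>{safe(PRODUCTS[product_id])}</li>"


def render_add_to_cart_unsafe(product_id: int) -> str:
    """The bug in the writeup: the secondary page interpolates the raw value."""
    return f"<p>Added {PRODUCTS[product_id]} to your cart.</p>"


def render_add_to_cart(product_id: int) -> str:
    """Fixed: the same helper is applied on every page that displays the data."""
    return f"<p>Added {safe(PRODUCTS[product_id])} to your cart.</p>"


_ACTIVE_MARKUP = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered: str) -> bool:
    """Crude check used in tests: does a live <script> tag survive rendering?"""
    return _ACTIVE_MARKUP.search(rendered) is not None


if __name__ == "__main__":
    for pid in PRODUCTS:
        print(render_store_listing(pid))
        print(render_add_to_cart_unsafe(pid))
        print(render_add_to_cart(pid))
```

Encoding at render time rather than at input time is what makes the fix hold across pages: the stored description stays as the admin typed it, and no new view can forget to sanitize because it never gets the raw string from a template helper.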