2014 CySCA Om Nom Nom

This penetration test assignment is done for the OM NOM NOM NOM Challenge of CYSCA2014. When we hear the term OM NOM NOM NOM what comes to our mind, is that that is the sound made by the cookie monster on the “Sesame Street” TV show. So this could be something to do with cookies.

To get started with the CYSCA 2014 we need to set up the static IP address configurations in the CYSCA2014 Box and restart it.

I have changed my IP in the Linux Box to 192.168.1.5. Also I have started Burpsuite and configured the browser to allow Burpsuite to intercept the requests and responses sent to our target website.

dashboard
Next, we can click on the link available on the homepage that directs us to the fortress page. Notice that in this page the link to the Blog in the main menu is disabled to us. This means that we need higher privileges to access this.

blog
In order to access the blog, we will need to intercept the requests sent from the initial website to the fortress website. This could be done by changing the vip query parameter from 0 to 1. An easier way to do this by setting the cookie by navigating to Project Options -> Sessions -> Cookie jar and editing the value corresponding to the ‘vip’ attribute in Burpsuite. This did not work for me hence I had to do it manually by changing every request’s vip value from 0 to 1.


The above screenshot shows how the cookie can be edited.


Above screenshot shows how the cookie attribute ‘vip’ was changed to 1. By doing so we can access the blog. Under the blog section, we click on the ‘New feature’ link.


The new features section allows us to post comments. (By the way, we need to make sure we intercept and change the value of the vip attribute every time a link and every time, it shows up in burpsuite to forward or drop a request. Otherwise we would be automatically signed off.) This comments section allows us to type anything we want. Let us see if there are any XSS vulnerability that we can exploit.


After the script was typed in and the add comment was clicked, this showed up. Now we know there is a XSS vulnerability. Let us execute some code to steal the cookie


This is the script written to steal the cookie.


Next, we set up the webserver and post a comment that uses the script in our server to steal the cookie.


Once we do this we can see the cookies in our terminal window. The first one is the cookie of the current user. So that is no use.


So, let us copy another cookie into the current cookie in our Burpsuite cookie jar.


Now when we refresh the page, we can see the flag. So now we have captured the flag