![\"dashboard\"](\"https:\/\/i2.wp.com\/farm5.staticflickr.com\/4494\/37744422056_fac6e16e55_b.jpg?w=756&ssl=1\")
\nNext, we can click on the link available on the homepage that directs us to the fortress page. Notice that in this page the link to the Blog in the main menu is disabled to us. This means that we need higher privileges to access this.<\/p>\n
This penetration test assignment is done for the OM NOM NOM NOM Challenge of CYSCA2014. When we hear the term OM NOM NOM NOM what comes to our mind, is that that is the sound made by the cookie monster on the \u201cSesame Street\u201d TV show. So this could be something to do with cookies.<\/p>\n
To get started with the CYSCA 2014 we need to set up the static IP address configurations in the CYSCA2014 Box and restart it.<\/p>\n
I have changed my IP in the Linux Box to 192.168.1.5. Also I have started Burpsuite and configured the browser to allow Burpsuite to intercept the requests and responses sent to our target website.<\/p>\n
\nNext, we can click on the link available on the homepage that directs us to the fortress page. Notice that in this page the link to the Blog in the main menu is disabled to us. This means that we need higher privileges to access this.<\/p>\n
![\"blog\"](\"https:\/\/i0.wp.com\/farm5.staticflickr.com\/4491\/37535091660_9c77dbbcc1_z.jpg?w=756&ssl=1\")
\nIn order to access the blog, we will need to intercept the requests sent from the initial website to the fortress website. This could be done by changing the vip query parameter from 0 to 1. An easier way to do this by setting the cookie by navigating to Project Options -> Sessions -> Cookie jar and editing the value corresponding to the \u2018vip\u2019 attribute in Burpsuite. This did not work for me hence I had to do it manually by changing every request\u2019s vip value from 0 to 1.<\/p>\n
![\"\"](\"https:\/\/i2.wp.com\/farm5.staticflickr.com\/4444\/23940554358_645aae52c0_z.jpg?w=756&ssl=1\")
\nThe above screenshot shows how the cookie can be edited.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/farm5.staticflickr.com\/4445\/37745631736_92a6a3a681_b.jpg?w=756&ssl=1\")
\nAbove screenshot shows how the cookie attribute \u2018vip\u2019 was changed to 1. By doing so we can access the blog. Under the blog section, we click on the \u2018New feature\u2019 link.<\/p>\n
![](\"https:\/\/i2.wp.com\/farm5.staticflickr.com\/4486\/37792984601_be03aa9b7f_b.jpg?w=756&ssl=1\")
\nThe new features section allows us to post comments. (By the way, we need to make sure we intercept and change the value of the vip attribute every time a link and every time, it shows up in burpsuite to forward or drop a request. Otherwise we would be automatically signed off.) This comments section allows us to type anything we want. Let us see if there are any XSS vulnerability that we can exploit.<\/p>\n
![](\"https:\/\/i1.wp.com\/farm5.staticflickr.com\/4473\/37746443506_614dd4b5ac_b.jpg?w=756&ssl=1\")
\nAfter the script was typed in and the add comment was clicked, this showed up. Now we know there is a XSS vulnerability. Let us execute some code to steal the cookie<\/p>\n
![](\"https:\/\/i0.wp.com\/farm5.staticflickr.com\/4485\/37792960991_67c1b27219_b.jpg?w=756&ssl=1\")
\nThis is the script written to steal the cookie.<\/p>\n
![](\"https:\/\/i2.wp.com\/farm5.staticflickr.com\/4465\/37763308792_a4e66ab816_b.jpg?w=756&ssl=1\")
\nNext, we set up the webserver and post a comment that uses the script in our server to steal the cookie.<\/p>\n
![](\"https:\/\/i1.wp.com\/farm5.staticflickr.com\/4460\/37744380046_f20a86de62_b.jpg?w=756&ssl=1\")
\nOnce we do this we can see the cookies in our terminal window. The first one is the cookie of the current user. So that is no use.<\/p>\n
![](\"https:\/\/i0.wp.com\/farm5.staticflickr.com\/4447\/37085725794_1c72ecf427_b.jpg?w=756&ssl=1\")
\nSo, let us copy another cookie into the current cookie in our Burpsuite cookie jar.<\/p>\n
![](\"https:\/\/i2.wp.com\/farm5.staticflickr.com\/4483\/37744372266_5947544b88_b.jpg?w=756&ssl=1\")
\nNow when we refresh the page, we can see the flag. So now we have captured the flag<\/p>\n
![](\"https:\/\/i2.wp.com\/farm5.staticflickr.com\/4480\/37744360026_b8dd718088_b.jpg?w=756&ssl=1\")
<\/p>\n","protected":false},"excerpt":{"rendered":"
This penetration test assignment is done for the OM NOM NOM NOM Challenge of CYSCA2014. When we hear the term OM NOM NOM NOM what comes to our mind, is that that is the sound made by the cookie monster on the \u201cSesame Street\u201d TV show. So this could be something to do with cookies. […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","footnotes":""},"categories":[2,3,5,6],"tags":[],"class_list":["post-76","post","type-post","status-publish","format-standard","hentry","category-ctf","category-dev","category-infosec","category-network"],"yoast_head":"\n