Rating:
Check out [https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#cute-srv](https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#cute-srv) for writeup with images.
---
This challenge was fun, cute and straight-forward once the bug is found.
First we're presented with a page of cute photos and the nav bar allows us to
`Login` or `Submit` a new image for review.
Looking in the source, there's a `/flag.txt` route which must be the goal of
the challenge, but when visiting it we get a message `'Not Authorized'`.
If we visit `Login` we can click the only link available and it will
automatically log us in and redirect us to the main page.
on `/submit` it gives us the ability to submit a URL which the admin will
visit. This is typical in a lot of CSRF challenges, so we can start by checking
the User-Agent and other features when it visits our link, pointing to a server
we own or using something like [https://requestbin.io/](https://requestbin.io/).
Even if we find XSS, the site is using HttpOnly cookies, so we probably need to
find something else.
Checking out the `Login` route again while watching the requests, it does
something interesting. When requesting `/check` from the login service it will
include the session token in the URL, but does not restrict which URL it
redirects to. Using this bug we can force the Admin user to send their own
session token to our site instead.
We can use RequestBin again to steal the session token `authtok`, submitting this link to the admin:
Now we can reach the `/flag.txt` route which is only available to the admin:
```
curl https://cutesrv-0186d981.challenges.bsidessf.net/flag.txt \
-b 'loginsid=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRodG9rIiwiZXhwIjoxNjE4NDYyMjkyLCJpYXQiOjE2MTU3ODM4OTIsImlzcyI6ImxvZ2luc3ZjIiwibmJmIjoxNjE1NzgzODkyLCJzdWIiOiJhZG1pbiJ9.iA3lgwhmhOPNKh0_Wxmi923EOWdcUWcS-cIA_lxPhtExEGMeGkep3zweJ-MXtFyOwiDnMZ7Uuyuth9mFQ0lpMQ'
```
And we get the Flag!
```
FLAG: CTF{i_hope_you_made_it_through_2020_okay}
```
