# Xmas Still Stands
**50 Points**

In this challenge we have a web page that have **Home Post Report

pages so we have an idea of what we have to do we post a malicious

payload that steal the cookie then report the post so that the admin

can see it and the payload executes and steal his cookie.

we first see if we can post HTML tags and we can then we post an img

tag with invalid src and tell it to send the document cookie on

error to our server or domain in this challenge lam using post bin.


when we submit the query we get the id of our post


we report the post with the post id


we now go check our bin if we got any request


we go and add these cookie from storage toolbar


we then navigate to Admin page and we get the flag



Original writeup (https://github.com/zhassan6992/angstromCTF2020-writeup/tree/master/web/Xmas%20Still%20Stands).