Rating: 4.0

A link was provided to https://imgr.pwn.institute/, a not-yet-finished image sharing social networking site.

There were two pages available, /login and /register. The login form didn't accept any silly input (admin:password) so I registered an account and logged in.

The homepage seemed to be empty, and the only functionality offered was uploading a profile picture on the /profile page and submitting a link to report bugs to the developers on the /report page. I checked and the login state appeared to be saved in a JWT cookie in the browser, which was **not** set to HttpOnly.

From this it seemed clear the solution was going to involve sending a link to the developers using the report feature, pointing to a page containing an XSS attack that would leak their session cookie and thus allow me to log in to the service as some form of elevated user. It also seemed clear the only avenue I had for achieving an XSS was uploading some form of malicious image. Taking a look at the image upload form, it appeared to allow anything to be uploaded as long as it had a JPG extension. I played around with possible uploads for a while, but of course I would need to link to a page that contained the image (assuming I could get an XSS from an image...) and at that moment it wasn't clear what that page would be, as the /profile page would of course point to *their* profile, not mine...

Looking around within the HTML code of the homepage I spotted the following HTML comment  which of course answered this question! This page allowed you to pass an image id in the URL which could be taken from the URL of the profile image after uploading, and appeared to output the metadata (*exif* data) of that image into the page... bingo!

I used exiftool to create a proof of concept JPG with a simple hello world value set as the image description within the metadata of the file, and sure enough, after uploading the file and going to the /imageinfo/<imageid> endpoint, I saw a bold **hello world** on the page. With the proof of concept done, the final steps were just to upload a suitable payload and submit the link to the developers.
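The bold **hello world** shows the root cause: the /imageinfo page writes EXIF strings into HTML without escaping them, and the session JWT lacks HttpOnly, so a successful injection can read it. The following is an added example, not code from the site or from this writeup, showing the unescaped rendering pattern next to its hardened form, an upload-time check for markup in metadata fields, and a Set-Cookie header with the missing flags. The metadata dict, the `session` cookie name and the function names are all constructed for illustration.

```python
import html
from http.cookies import SimpleCookie

# Constructed EXIF-style metadata, standing in for what exiftool would read
# out of an uploaded JPEG. ImageDescription carries markup the same way the
# writeup's proof-of-concept "hello world" did (the field names are the
# usual EXIF tag names; the values are made up).
SAMPLE_METADATA = {
    "ImageDescription": "<b>hello world</b>",
    "Make": "ExampleCam",
    "Model": "X-1",
}


def render_imageinfo_unsafe(metadata):
    """The pattern the writeup implies: EXIF values dropped straight into the
    HTML, so whatever markup the uploader wrote is rendered live."""
    rows = "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in metadata.items())
    return f"<table>{rows}</table>"


def render_imageinfo_safe(metadata):
    """Hardened form: every key and value is HTML-escaped before it reaches
    the page, so tags inside the metadata show up as literal text."""
    rows = "".join(
        f"<tr><td>{html.escape(str(k))}</td><td>{html.escape(str(v))}</td></tr>"
        for k, v in metadata.items()
    )
    return f"<table>{rows}</table>"


def metadata_fields_with_markup(metadata):
    """Upload-time check: return the names of EXIF fields whose value contains
    a character that could open a tag or attribute in HTML. Useful for logging
    or rejecting suspicious uploads even though escaping is the real fix."""
    suspicious = set("<>\"'")
    return sorted(k for k, v in metadata.items() if suspicious & set(str(v)))


def session_cookie_header(token):
    """Build the Set-Cookie header for the session JWT with the flags the
    writeup notes were missing. HttpOnly stops document.cookie from reading
    it, so even a successful injection cannot ship the session elsewhere."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True
    c["session"]["secure"] = True
    c["session"]["samesite"] = "Lax"
    c["session"]["path"] = "/"
    return c.output(header="Set-Cookie:")


if __name__ == "__main__":
    print("unsafe:", render_imageinfo_unsafe(SAMPLE_METADATA))
    print("safe:  ", render_imageinfo_safe(SAMPLE_METADATA))
    print("flagged fields:", metadata_fields_with_markup(SAMPLE_METADATA))
    print(session_cookie_header("header.payload.signature"))
```

Escaping at the point of output is the fix that actually closes the hole; the field check is a secondary signal for detection, and HttpOnly limits the damage if some other injection slips through.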

I opted for a payload in the JPG's exif data that looked as so , uploaded the image as my profile picture, noted the id of the uploaded image, went to /imageinfo/<imageid> and saw my request fire out to my server with my cookie! I copied the URL of the page and submitted it using the report feature. A few seconds later I saw a request come in containing the flag - no need to log in with a cookie to get it after all; the developer's cookie was the flag.