Tags: web cookie lfi 

# WAFFED - 496 pts

### Description

I am tired of these investing platforms, I literally lost all my btc on these platforms. Can you hack these dudes and return my funds?

author: pop_eax



The given link took me to an `http` site. The UI was awesome XD

![HOME PAGE](images/1.png)


Clicking `learn more` took us to the `/trade` page.
There we can see graphs of some trading algorithms. If you check carefully, our cookie (`price_feed`) changes for each algorithm.



![TRADE PAGE](images/2.png)


And the cookie is nothing but the base64-encoded name of the coin.

Always check the source of the webpage... there we found a JavaScript function

```javascript
function switchCoin() {
    // Navigate to /changeFeed/<coin selected in the "coinlist" dropdown>
    window.location = "/changeFeed/" + document.getElementById("coinlist").value;
}
```

It looks up the name of the coin under the `changeFeed` path.

So why not try changing the value of the `price_feed` cookie?

I encoded `flag.txt` in base64, put it in the cookie field, and refreshed the page, which returned....

![WOOPS](images/5.png)


If the coin doesn't exist we get `WOOPS`.

So the flag isn't in that subdirectory. I then encoded `../../../../../../../../flag.txt` in base64 and replaced the value of `price_feed`.

![FLAG](images/6.png)


Inspecting the source we get the flag XD

```
flag{w@fs_r3@lly_d0_Suck8245}
```

This is a [Local file inclusion vulnerability](https://www.acunetix.com/blog/articles/local-file-inclusion-lfi/).
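For the fix side of this bug, here is a sketch of how a server could confine the decoded `price_feed` value to its feed directory, next to the naive join that allows the traversal. This is an added example, not the challenge's code (the server source is not shown in this writeup); the function names, the `feeds` directory and the sample files are assumptions.

```python
import base64
import binascii
import tempfile
from pathlib import Path
from typing import Optional


def resolve_feed_naive(feed_dir: Path, cookie: str) -> Path:
    # Assumed vulnerable pattern: the decoded cookie is joined straight
    # onto the feed directory, so "../" segments walk out of it.
    name = base64.b64decode(cookie).decode()
    return feed_dir / name


def resolve_feed_safe(feed_dir: Path, cookie: str) -> Optional[Path]:
    """Return the feed file named by the cookie, or None if it is rejected."""
    try:
        name = base64.b64decode(cookie, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    base = feed_dir.resolve()
    # resolve() collapses "../" and follows symlinks, so the check below
    # is made on the real location of the file, not on the raw string.
    candidate = (base / name).resolve()
    if base not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


if __name__ == "__main__":
    # Constructed layout: feeds/BTC is a legitimate feed, flag.txt sits one
    # level above the feed directory.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp).resolve()
        feeds = root / "feeds"
        feeds.mkdir()
        (feeds / "BTC").write_text("1,2,3")
        (root / "flag.txt").write_text("constructed-secret")
        for raw in ("BTC", "flag.txt", "../flag.txt", "/etc/hostname"):
            cookie = base64.b64encode(raw.encode()).decode()
            naive = resolve_feed_naive(feeds, cookie).resolve()
            safe = resolve_feed_safe(feeds, cookie)
            print(f"{raw!r:18} naive -> {naive}  safe -> {safe}")
```

Base64 in the cookie is only an encoding, so any filter has to run on the decoded, resolved path; an allow-list of known coin names is a stricter alternative when the set of feeds is fixed.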

Original writeup (https://github.com/terawhiz/CTF-Writeups/tree/main/0x41414141-CTF/web/waffed#waffed---496-pts).