Tags: web 


# Angry Seam (500 pts)


The first page we can see is a login page. Hanging around a little, we can list a few interesting pages :
- The css.seam page take a filename as parameter.
- The logout button take a parameter that corresponds to "view:object.method" format.
- The report.seam page permits to send a URL to the administrator, but only URL that is intern to the application.

With the css.seam page, we can list directories and files at the root of the application :


Reading the WEB-INF/pages.xml, we can view that there is a flag.xhtml, and we can deduce there is a flag.seam too. However, we saw that we must be admin to access it.


The first thing I tried, with little hope, was to play with the session. **Logged in as lambda user**, I tried to go on register.seam and register with "admin" username.


Error message, the user is existing. But... it changed my session, and I'm logged in as admin now! I can browse the flag.seam as admin, and tada!, the flag.


I'm pretty sure this wasn't the intended way to solve this. But... I think it was the easiest way to do it! :)

_Blaklis from Fourchette-Bombe_

Original writeup (https://github.com/Blaklis/write-ups/tree/master/hitcon).