Kitty

Challenge Description :

Visiting the web page, we stumble upon a login page.

A basic SQL injection payload bypasses the login:

" or 1=1--;

After logging in, we are redirected to the dashboard page, where we can add posts through the input at the bottom.

In the beginning I was trying stored XSS to steal the admin's cookie, but when I refreshed the page, all the posts added were not stored on the server, so I opened the source code to see if there was any JavaScript code.


<script>
    function addPost(event) {
        event.preventDefault();
        const post_in = document.getElementById('post_input').value;
        
        if (post_in.startsWith('cat flag.txt')) {
            fetch('/execute', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded'
                },
                body: `post_input=${encodeURIComponent(post_in)}`
            })
            .then(response => response.text())
            .then(result => {
                const contentSection = document.querySelector('.content');
                const newPost = document.createElement('div');
                newPost.classList.add('post');
                newPost.innerHTML = `<h3>Flag Post</h3><p>${result}</p>`;
                contentSection.appendChild(newPost);
            });
        } else {
            const contentSection = document.querySelector('.content');
            const newPost = document.createElement('div');
            newPost.classList.add('post');
            newPost.innerHTML = `<h3>User Post</h3><p>${post_in}</p>`;
            contentSection.appendChild(newPost);
        }
    }
</script>

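Reading the code, we can see that a post starting with cat flag.txt is sent to /execute with a POST request and the response is rendered on the page as a "Flag Post", so submitting cat flag.txt outputs the flag.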
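The script above decides in the browser which input reaches /execute and writes both `result` and `post_in` into `innerHTML`. The following is an added example, not code from the challenge or its author, of how the server-side check and the rendering could be written defensively; `ALLOWED_ACTIONS`, `handleExecute`, `escapeHtml`, `renderPost`, the `session` shape and the `ctx.readFlag` helper are all assumptions.

```javascript
// Added example (hypothetical names): server-side handling for the page's
// /execute endpoint, plus escaping for the post renderer.

// Exact-match allowlist: each accepted input maps to a fixed server action.
// Nothing from the request ever reaches a shell or a file path.
const ALLOWED_ACTIONS = new Map([
  ['cat flag.txt', (ctx) => ctx.readFlag()],
]);

// Server side: decide what a POST /execute body is allowed to do.
// The browser's startsWith() test is only UI logic, so the decision is
// repeated here, where the client cannot skip it.
function handleExecute(session, postInput, ctx) {
  if (!session || session.authenticated !== true) {
    return { status: 401, body: 'login required' };
  }
  if (typeof postInput !== 'string') {
    return { status: 400, body: 'bad input' };
  }
  const action = ALLOWED_ACTIONS.get(postInput.trim());
  if (!action) {
    // Exact match only: input that merely starts with an allowed
    // string is rejected.
    return { status: 403, body: 'action not allowed' };
  }
  return { status: 200, body: action(ctx) };
}

// Client side: escape text before placing it into markup, so a post or a
// server response is displayed as text instead of being parsed as HTML.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Builds the same markup as addPost(), with both fields escaped.
function renderPost(title, text) {
  return `<h3>${escapeHtml(title)}</h3><p>${escapeHtml(text)}</p>`;
}
```

In the page's `addPost`, assigning the post text with `textContent` on a created `<p>` element avoids the `innerHTML` sink altogether.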

Flag :

KCTF{Fram3S_n3vE9_L1e_4_toGEtH3R}
