SpookTastic
(Very Easy Web Challenge)

OVERVIEW

So we were given an instance and a file to download, so let's spin it up, check out the website and look at the contents of the file we downloaded.

Since most of the buttons do nothing useful, the one thing that stands out is the newsletter functionality.

It accepts the email address, and it is the only thing that actually works on this site, so let's check out the contents of the downloaded file:

In the bot.html file there is a Stored Cross-Site Scripting (XSS) vulnerability. User-supplied data is stored and later rendered unescaped into HTML with |safe, enabling persistent script execution for any user or bot that views the page.
The template uses {{ email|safe }}, which tells Jinja2 to render the value without escaping HTML. That allows injected HTML/JS to be preserved and executed by any browser that renders the template.
There is also a headless browser (bot) that visits the page and captures the alert() output.
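To make the |safe point concrete, here is an added example (not part of the writeup or the challenge's code) that uses only the Python standard library: a small template-review helper that flags {{ ...|safe }} expressions, and a stand-in renderer that mimics Jinja2 autoescaping so you can see the writeup's payload survive under |safe and be neutralised without it. The template strings are constructed to mirror the bot.html pattern, not copied from the challenge, and the renderer is a stand-in, not Jinja2 itself.

```python
import html
import re

# Constructed template strings mirroring the bot.html pattern (not the real file).
VULNERABLE_TEMPLATE = '<ul class="subscribers"><li>{{ email|safe }}</li></ul>'
FIXED_TEMPLATE = '<ul class="subscribers"><li>{{ email }}</li></ul>'

# The payload from the writeup, reused here as the sample stored "email" value.
STORED_EMAIL = '<img src=x onerror="alert(document.body.innerText)">'

# {{ <expr>|safe }} -- the pattern a template review should flag.
SAFE_FILTER = re.compile(r"\{\{\s*([^}]*?)\s*\|\s*safe\s*\}\}")
# {{ var }} or {{ var|safe }} -- the only two tag shapes the stand-in renderer supports.
VAR_TAG = re.compile(r"\{\{\s*(\w+)\s*(\|\s*safe\s*)?\}\}")


def find_safe_filters(template_src: str) -> list:
    """Return every expression the template renders with |safe (review targets)."""
    return [m.group(1) for m in SAFE_FILTER.finditer(template_src)]


def render(template_src: str, context: dict) -> str:
    """Stand-in for Jinja2 rendering with autoescape on: {{ var }} is HTML-escaped,
    {{ var|safe }} is inserted raw. Only handles simple variable tags."""
    def substitute(m):
        value = str(context[m.group(1)])
        return value if m.group(2) else html.escape(value, quote=True)
    return VAR_TAG.sub(substitute, template_src)


def contains_live_markup(rendered: str) -> bool:
    """Crude check: did the stored value come out as a real <img ...> tag?"""
    return "<img" in rendered


if __name__ == "__main__":
    print("|safe usages in vulnerable template:", find_safe_filters(VULNERABLE_TEMPLATE))
    print("vulnerable:", render(VULNERABLE_TEMPLATE, {"email": STORED_EMAIL}))
    print("fixed:     ", render(FIXED_TEMPLATE, {"email": STORED_EMAIL}))
```

Grepping a codebase for the same {{ ...|safe }} pattern is a quick way to list every place where stored data reaches the page without escaping.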
So let's try the XSS payload below to trigger that alert output through the newsletter functionality.
<img src=x onerror="alert(document.body.innerText)">

Now let’s check it by submitting it:

It got executed successfully.
Now click the OK button again and it will result in the flag. When this payload was stored as an email entry and the bot later visited the /bot view, the image triggered an onerror event and executed the alert(...). The alert box shown by the bot contained the challenge flag:

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For Any Query Or Problem Either Leave A Comment Or Contact At reapsec.com
THANKS FOR READING !!!
