We need to gain access to the CVO's (Angelina's) account. To do this we will
most likely need to steal her session cookie. We take a look in the leave details
section and put in a leave request to see whether it is protected against XSS.
We also check the session cookie on this site: it is not marked HttpOnly, so
JavaScript in the page can read it. If it were HttpOnly, a script injected via
XSS could not read the cookie and we would be looking in the wrong place.
We do the naive thing and just put
<h1>Hello</h1> in. However, the ticker spits out
WARNING: XSS detected! You have been reported. On top of that, the payload
appears to be stripped client side too.
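Before building a payload it is worth confirming the cookie flags the write-up relies on. The script below is an added example, not code from the original write-up: it parses Set-Cookie headers (the sample headers, cookie names and values are constructed, and the list of "session-like" names is an assumption) and reports which cookies a script running in the page could read, which is exactly the HttpOnly question above.

```python
"""Added example (not from the original write-up): audit Set-Cookie headers for
the flags that decide whether an injected script can read the session cookie.
The header strings in the demo are constructed, not captured from the target."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix)."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    audit = CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite"),
    )
    if not audit.httponly:
        audit.findings.append(
            "no HttpOnly: readable via document.cookie, so an XSS payload can exfiltrate it")
    if not audit.secure:
        audit.findings.append("no Secure: also sent over plain HTTP")
    if audit.samesite is None or audit.samesite.lower() == "none":
        audit.findings.append("SameSite absent or None: attached to cross-site requests")
    return audit


def xss_can_steal(audit: CookieAudit) -> bool:
    """True when a script running in the page could read this cookie."""
    return not audit.httponly


# Assumed names of session cookies; extend for the framework you are testing.
SESSION_NAMES = ("session", "phpsessid", "jsessionid", "sid")


def audit_session_cookies(headers: List[str]) -> Dict[str, CookieAudit]:
    """Audit every Set-Cookie header and keep the ones that look like session cookies."""
    result: Dict[str, CookieAudit] = {}
    for h in headers:
        a = parse_set_cookie(h)
        lname = a.name.lower()
        if lname in SESSION_NAMES or "sess" in lname:
            result[a.name] = a
    return result


if __name__ == "__main__":
    # Constructed headers: the first mirrors the write-up's finding (no HttpOnly).
    sample = [
        "Set-Cookie: session=2f9a1c; Path=/; Secure",
        "Set-Cookie: theme=dark; Path=/",
        "Set-Cookie: PHPSESSID=deadbeef; Path=/; HttpOnly; Secure; SameSite=Lax",
    ]
    for name, a in audit_session_cookies(sample).items():
        print(name, "- stealable via XSS" if xss_can_steal(a) else "- not readable from JS")
        for f in a.findings:
            print("   ", f)
```

Run it against the real Set-Cookie headers from the login response (copy them out of the browser's network tab or a proxy) rather than the constructed ones; a cookie that fails the HttpOnly check is the one worth targeting with the injected script.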
Now that we're logged in, let's take a poke around and see what we're dealing with. There appear to be sections to:
We need to obtain a working account on the system.
We register with the following details:
We notice a message at the top:
Account Registered - Awaiting IT approval.
Our WebSec-fu tells us we should have a look at robots.txt. Not only that, but the title gives this one away - Bots.
Let's take a look at each of the listed paths.
/admin - Nothing here, just a picture
/backup - Nothing here, just another picture
/protected - Reveals the flag
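The same recon step, written out as an added example that is not the write-up's own code: parse a robots.txt body into the Disallow, Allow and Sitemap entries and turn them into URLs to probe. The robots.txt text and the example.com base URL are constructed to mirror the three paths above; wildcard entries are included to show why the list is only a starting point, not proof that a path exists.

```python
"""Added example (not the write-up's code): pull candidate paths out of a
robots.txt body so they can be probed by hand. ROBOTS_TXT is constructed."""
from typing import Dict, List
from urllib.parse import urljoin
from urllib.request import urlopen


def robots_candidates(text: str) -> Dict[str, List[str]]:
    """Return Disallow, Allow and Sitemap entries with comments stripped,
    duplicates dropped and order preserved."""
    out: Dict[str, List[str]] = {"disallow": [], "allow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # first ':' only, so URLs survive
        key, value = key.strip().lower(), value.strip()
        if key in out and value and value not in out[key]:
            out[key].append(value)
    return out


def probe_urls(base: str, paths: List[str]) -> List[str]:
    """Turn robots.txt path patterns into concrete URLs to request.
    '*' and a trailing '$' cannot be fetched literally, so they are removed;
    the result is a list of places to look, not a listing of what exists."""
    clean: List[str] = []
    for p in paths:
        p = p.rstrip("$").replace("*", "")
        if p.startswith("/") and p not in clean:
            clean.append(p)
    return [urljoin(base, p) for p in clean]


def fetch_robots(base: str, timeout: float = 5.0) -> str:
    """Fetch /robots.txt from a live host (not used by the offline demo)."""
    with urlopen(urljoin(base, "/robots.txt"), timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed robots.txt mirroring the write-up's three entries plus edge cases.
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin
Disallow: /backup
Disallow: /protected
Disallow: /tmp/*   # scratch space
Disallow: /admin
Allow: /public
Sitemap: https://example.com/sitemap.xml
"""


if __name__ == "__main__":
    found = robots_candidates(ROBOTS_TXT)
    for url in probe_urls("https://example.com", found["disallow"]):
        print("probe:", url)
    for sm in found["sitemap"]:
        print("sitemap:", sm)
```

Swap `ROBOTS_TXT` for `fetch_robots("https://target")` when working against a real host; each printed URL still has to be requested and inspected by hand, since robots.txt only records what the operator asked crawlers to avoid.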