SecurityFest CTF 2016

This blog contains a write up of the solution I used to solve the XSS challenge “Space XSS I – Web”. This challenge was hosted by coresec, Cybercom Group, kits, hackrone, assured and ESET

Challenge was hosted at URL: https://securityfest.ctf.rocks

<script>
var a = "<script>alert(1)</script>"; Hello ! πŸ™‚
</script>

To alert on page we have to close the first <script> by adding </script> in front of our value. So our new xss value will be xss=</script><script>alert(1)</script>

XSS-done

w00t! we got XSS on the website.

Copied URL “http://xss1.zpuoznbj3die.co.uk/?xss=%3C/script%3E%3Cscript%3Ealert%281%29%3C/script%3E” and click on Send XSS link for flag here.

We have to submit the URL that result in alert(1) on this page

submit-xss

Submitted the URL that result in XSS on the webpage and got message “Thanks! We’ll check it out in a while. If your link executes alert(1), the flag will be presented at index.php.”

submitted-xss

Clicked on index.php and got the flag

CODE{KRYSS_ESS_ESS_IS_SWEDISH_FOR_XSS}

got-flag

Leave a Reply

Your email address will not be published. Required fields are marked *