Petshop Pro

This web site is dead simple and barely functional. There are three links on the main page, one to the cart, and two more to add items to the cart:

Petshop Pro

3 items in cart

Kitten	Puppy
8"x10" color glossy photograph of a kitten.	8"x10" color glossy photograph of a puppy.
Add to Cart	Add to Cart

Navigating to the cart itself shows a list of items added, and a total. Curiously the total has an absurd amount of precision:

Finally, clicking the check out button sends a post request and opens a page with the message "Payments temporarily disabled":

Each of these pages contains a cookie with a session token:

session=.eJyrVkpOLCpRsoo20DHUMcAOY3WUcvNTMtMyU1OUrEqKSlNrAWxjDmE.ZjQ2dA.M_Mi-jLBlr0hx74ZqoeSM3qBTV0

Price: Free

I've started using Caido for this challenge. This makes it dead easy to intercept a request, modify it, and then send it onward. The post request when clicking on the check out button has the following structure:

[[0,+{"name":+"Kitten",+"desc":+"8\"x10\"+color+glossy+photograph+of+a+kitten.",+"logo":+"kitten.jpg",+"price":+0.00}],+[1,+{"name":+"Puppy",+"desc":+"8\"x10\"+color+glossy+photograph+of+a+puppy.",+"logo":+"puppy.jpg",+"price":+0.00}]]

What happens when the prices are set to zero?

Automation

Caido is great. In particular, the automate tab with a basic wordlist is a really nice tool to use for recon. For example, this website has a /login page that isn't linked to anywhere from the main page:

Navigating here, there's an admin login. Awesome.

Hand bombing a few common username and password combinations like "admin" and "12345" doesn't get past the login. But there is on important flaw -- They tell me that each of these usernames is incorrect. This means it will tell me when I find the correct username without also knowing the correct password. This dramatically reduces the search space required to brute force this login. This is going to require more attempts, and better pattern matching to the content of the page. For this reason, I'm switching to ffuf, a fuzzer with a ton of functionality. I'm using the SecLists wordlists for usernames and probable passwords:

ffuf -u https://9e29dab09e68723b8b2cea1b6d7b22d2.ctf.hacker101.com/login -w SecLists/Usernames/Names/names.txt -X POST -d "username=FUZZ&password=password" -H "Content-Type: application/x-www-form-urlencoded" -mr "Invalid password"

Awesome, the password is "cthrine".

ffuf -u https://9e29dab09e68723b8b2cea1b6d7b22d2.ctf.hacker101.com/login -w SecLists/Passwords/probable-v2-top12000.txt -X POST -d "username=cthrine&password=FUZZ" -H "Content-Type: application/x-www-form-urlencoded" -fr "Invalid password"

And the password is "marcy". Entering these into the login grants me access to the admin view of the main page.

Petshop Pro

0 items in cart

^FLAG^****************************************************************$FLAG$

Kitten	Puppy
8"x10" color glossy photograph of a kitten.	8"x10" color glossy photograph of a puppy.
Add to Cart — Edit	Add to Cart — Edit

Admin Reflected XSS

This admin view provides the ability to edit each item's name, description, and price. The first opportunity I see is a reflected XSS that can hit every user of this site. Replacing the name of the kitten product with <script>console.log(1);</script> successfully triggers the XSS on the home page, and when navigating through the rest of the checkout process the flag reveals itself in the cart: