This challenge starts with a website that presents a list of jobs (once connected). Our goal is to login as an administrator. Here is the landing page:

The dashboard

Right off the bat, we see a login link and a contact link. The contact page seems interesting, and after toying around with some XSS payloads, we quickly find that a bot clicks on any link that is passed as a message.

Clicking the login button prompts us for a username and password; the test/test combination works. We’re greeted with a list of jobs:

The available jobs

Now the authentication system looks like OAuth, which is quite complicated. Let’s look at the URLs called when logging in:

  • POST, with the params:
  • GET, with the single param code=FOOdZjenThSgRBOBmbP2jB2TOzxb79xNNbFyi24h3I1DPuD5
  • GET, with the params:

The first URL (the login form) redirects to the second, and the second to the third.

If we assume that the bot will sign in when presented with the login form, the redirect_uri parameter gets really interesting. We could just change it to a URI on our server, and get a code allowing us to login with the account that the bot uses.

Replacing the URI with a custom one yields the following error:

invalid_request: Invalid "redirect_uri" in request.

However, we seem to be able to change the path, eg:

So if we find an open redirect on the server, we can get the code. Looking more closely at the list of jobs, we find that clicking on one redirects to:

After creating a request bin, we can replace the example domain:

Opening that link seems to work! We have everything we need now, let’s craft our malicious URL:

And send it to the bot. After a few seconds, we see:

Great! Now we just have to open in our browser, and we’re logged in!

We see:

The secret job

The flag is DontRollYourOwn.
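The root cause of this chain is a redirect_uri check that only compares the origin, so any path on the expected host, including the open redirect behind the job links, passes. The following is an added example (not code from the challenge or its authors; the registered callback URI and sample inputs are constructed) contrasting that origin-only check with the exact-match check the OAuth 2.0 Security BCP requires.

```python
from urllib.parse import urlsplit

# Constructed for this example: the redirect URI the client registered
# with the authorization server (hypothetical host and path).
REGISTERED_REDIRECT_URIS = {"https://client.example/oauth/callback"}


def weak_redirect_uri_allowed(redirect_uri: str) -> bool:
    """Origin-only check, matching the behaviour seen in the writeup.

    A foreign host gets 'Invalid "redirect_uri" in request', but any
    path on the registered host is accepted, so an open redirect on
    that host becomes a way to leak the authorization code.
    """
    candidate = urlsplit(redirect_uri)
    for registered in REGISTERED_REDIRECT_URIS:
        reg = urlsplit(registered)
        if (candidate.scheme, candidate.netloc) == (reg.scheme, reg.netloc):
            return True
    return False


def strict_redirect_uri_allowed(redirect_uri: str) -> bool:
    """Exact string comparison against the registered list.

    No prefix or wildcard matching: a different path, query, or even a
    trailing slash is rejected, which is what the OAuth 2.0 Security BCP
    asks authorization servers to do for redirect_uri.
    """
    return redirect_uri in REGISTERED_REDIRECT_URIS


def audit(redirect_uris: list[str]) -> list[tuple[str, bool, bool]]:
    """Return (uri, weak_result, strict_result) for each candidate so the
    two policies can be compared side by side on the same inputs."""
    return [
        (uri, weak_redirect_uri_allowed(uri), strict_redirect_uri_allowed(uri))
        for uri in redirect_uris
    ]


if __name__ == "__main__":
    # Constructed sample inputs: the legitimate callback, a foreign host,
    # and an open-redirect path on the registered host.
    for uri, weak, strict in audit([
        "https://client.example/oauth/callback",
        "https://attacker.example/oauth/callback",
        "https://client.example/jobs/go?url=https://attacker.example/",
    ]):
        print(f"{uri}\n  origin-only: {weak}  exact-match: {strict}")
```

Exact matching closes the code leak even if the open redirect stays; fixing the open redirect as well removes the second half of the chain.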
