The application sets two cookies:

  • chat_id: UUID used to identify the chat log currently in use.
  • secret: The one that potentially holds the flag on Bratt’s side.

Cookies being set

From this, we can assume that our goal is to get Bratt’s secret cookie.

My first thought was to exploit XSS. A quick smoke test on the application confirmed that it was vulnerable to XSS:

<img src=x onerror=alert(1)>

Now that I knew that triggering XSS was very simple, I tried using an XSS hunter payload and a little while later, we see that Bratt got hooked:

Got a hit on XSS hunter

Got the Bratt’s secret cookie

The flag was: utflag{95debad95cfb106081f33ceadc36bf9c}