MULTI-STAGE EXPLOIT CHAINLEVEL 5

TrustNet SSO

Enterprise Single Sign-On platform. Authenticate with your credentials and access the admin dashboard.

Demo: user / user2024

Attack Chain

1
Info Leak

Discover session ID generation algorithm via debug endpoint

2
Open Redirect

Find and exploit the open redirect in /redirect

3
Session Fixation

Fix admin's session via /api/auth/callback

4
Privilege Escalation

Access admin secrets with the fixated session

API Endpoints

POST /api/auth/loginLogin with credentials
GET /api/auth/sessionCurrent session info
GET /api/auth/callback?sid=X&return_to=YSSO callback (sets session)
GET /redirect?url=XURL redirect service
GET /api/debug/session-infoDebug: session generation info
POST /api/report-linkReport link to admin bot
GET /api/admin/secretsAdmin panel (requires admin session)

Submit Flag