Due to a lack of CSRF mitigation and entity encoding in `wp-live-chat-support.php`, it is possible to execute scripts in the context of an admin user by including a script in the `cid` field in a GET request.

Super Mario Host is an SMB themed CTF created by mr_h4sh. The goal of the CTF is to discover the two hidden flags and to find the passwords of all the characters with accounts on the system.

Due to a lack of CSRF mitigation and entity encoding in `includes/admin_header.php`, it is possible to execute scripts in the context of an admin user by including a script in the `page` field in a POST request.

The Bobby CTF is based on a Windows XP Pro SP3 VM with the objective of retrieving the flag found somewhere within the administrator’s personal folder.

Host & Service DiscoveryTo start my analysis of this CTF, I booted into Kali and started Metasploit [msfconsole] and ran an Nmap SYN scan to locate the VM on the network: