Compojoom, developers of CompojoomComment, opened up a contest to hack their comment component. After being alerted to the contest by my good friend Lafrance, I took a peek and had a working XSS exploit within 16 minutes, and after a bit of refining I managed to really mess things up. ;)
After the hackme site was no longer pointing to my domain, I started poking around at any type of request I could find. This led to a not-so-impressive reflected XSS in the search function. Score 2, but upon further investigation I found a way to include local files for execution. Luckily for Compojoom, /proc/self/environ was blocked (though /etc/passwd was not).
I was chatting with a friend about the contest (wassup DrDigital) and he jokingly suggested that I go for the first 5. My Discordian instincts kicked in and I figured, what the hell - let's give it one more go. I went back to my first attack, the malformed BBCode, and wondered if I'd exhausted all my options. I started poking around and bam - I managed to get another code injection! This time it took a combination of 3 different BBCodes (url, img and color) to be able to inject HTML attributes, but I once again had the contest site pointing back at mine.