The Karma Trader is the world's best way to reward people for good deeds: https://level04-2.stripe-ctf.com/user-skvqkemtfn. You can sign up for an account, and start transferring karma to people who you think are doing good in the world. In order to ensure you're transferring karma only to good people, transferring karma to a user will also reveal your password to him or her.
The very active user karma_fountain has infinite karma, making it a ripe account to obtain (no one will notice a few extra karma trades here and there). The password for karma_fountain's account will give you access to Level 5.
You can obtain the full, runnable source for the Karma Trader from git clone https://level04-2.stripe-ctf.com/user-skvqkemtfn/level04-code. We've included the most important files below.
This one was a blast to do. The key lied not in the code but the hints in the text above. Specificly:
The very active user karma_fountain has infinite karma
and this part of text:
In order to ensure you're transferring karma only to good people, transferring karma to a user will also reveal your password to him or her.
This turned out to be a bot that actually ran. Given the following bit of code (Lines 155-161):
unless username && password
die("Please specify both a username and a password.", :register)
end
unless username =~ /^\w+$/
die("Invalid username. Usernames must match /^\w+$/", :register)
end
You couldn't use persistant XSS on the username, but you could use it on the password which would be revealed to the bot when you sent it some karma.
Thus, it was just a matter of imputing data into the form on the page, and submitting on behalf of the bot using JS XSS. ;)