Lazy loading images + Scroll to Text Fragment XSLeak.
With Water Paddler.
We can upload images, make "notes" containing the image and a title, and share these "notes" with an authed bot that displays the flag in its footer.
map /hello-from-the-world/key http://127.0.0.1:80/forbidden
map /hello-from-the-world/ http://127.0.0.1:80
map /service-info/admin http://127.0.0.1:5000/forbidden
map /service-info/ http://127.0.0.1:5000/
Mapping /hello-from-the-world/ to http://127.0.0.1:80 (without the last slash) makes /hello-from-the-world//key not match the first rule while still providing a valid path for the second rule. This lets us get the key:
This month's challenge consists of the exploitation of custom JS code hosted on a document with a Halloween style. In overview, we'll be injecting JS inside a <script> tag (thanks to an interesting detail in the CSP) that was previously injected into a document's div's innerHTML.
The solution of this challenge has been found in collaboration with @carlospolopm.
from discord import Client, CategoryChannel
import discord.utils
from time import sleep
import threading
import asyncio
import os
class Bot(Client):
    guild = None
    guild_id = os.getenv("DISCORD_GUILD_ID", None)
#!/bin/bash
# Require exactly one argument: the network interface to use.
if [ "$#" -ne 1 ]; then
    echo "Illegal number of parameters"
    echo "$0 INTERFACE"
    exit 1
fi
interface=$1
if (( EUID != 0 )); then
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as ec
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
import random, string, subprocess
def random_string(length):
    return ''.join(random.choices(string.ascii_lowercase + string.digits, k=length))
from selenium import webdriver
from selenium.webdriver.common.keys import Keys
from selenium.webdriver.common.by import By
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as ec
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
import random, string
import requests
def random_string(length):
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<script>
const localURL = "https://127.0.0.1:4000"
Moved to my blog.