Recruiter

duckerz

Task: Resume submission site with reflected XSS and Telegram bot that visits submitted links. Solution: Exploit XSS to make HR bot fetch protected endpoint and exfiltrate flag via webhook.

xss csrf bot_exploitation data_exfiltration reflected_xss

reflected_xssadmin_bot_patterncsrf_via_xsswebhook_exfiltration

$ ls tags/ techniques/

xss csrf bot_exploitation data_exfiltration reflected_xss

reflected_xssadmin_bot_patterncsrf_via_xsswebhook_exfiltration

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][free]chained— tjctf
[web][Pro]RiceMatch— duckerz
[web][Pro]board_of_secrets— miptctf
[web][Pro]112 - Умный переулок (Smart Alley)— duckerz
[web][free]Trust Issues— tjctf