webeasy

Easy 6 - SiBears XSS School

spfctf

Task: XSS challenge with regex character blacklist filtering letters p,r,o,m,t,e and brackets. Solution: Bypass using JavaScript Unicode escapes (\u0065val) in identifiers and hex escapes (\x70) in strings to call eval(prompt("sibears")).

$ ls tags/ techniques/

filter_bypass xss javascript eval unicode_escape hex_escape sibears character_blacklist

unicode_escape_in_identifiershex_escape_in_stringsstring_context_breakoutcomment_injectionblacklist_bypass_via_encoding

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]