This month’s Intigriti challenge was made by the amazing Terjanq. He made a cool write-up himself here! As expected, this challenge was out of the ordinary. Complex, frustrating, and super interesting.
Disclaimer: I wrote this write-up instead of sleeping, so I apologize in advance for typos and confusing sentences.
For the latest addition to YesWeHack’s Dojo series, we’re faced with the challenge of fetching the secret that EvilCorp2.0 is storing on the /secret endpoint. To obtain this secret, we need to find a way through the security mechanisms that EvilCorp2.0 has put in place for their small app. …
The rules are as follows:
A new month, a new challenge. Eager for a new Intigriti challenge I was happy to finally see this tweet:
Let’s jump in and read the rules!
Not in the mood for reading? Fair enough, here’s the solution:
PoC URL: https://bugpoc.com/poc#bp-DAPAxYtZ
Well, would you look at that. A *wild* XSS challenge has appeared, and it looks like my weekend plans have to be scrapped.
Let’s start by checking out the challenge page:
Just show me the solutions already!
Solution #2 | No user-interaction
Solution #3 | An unintended solution
Solution #3.5 | A different approach to getting XSS
It’s December and this year Christmas came early! …
Just show me the solution already!
Fair enough, here you go:
PoC URL: https://bugpoc.com/poc#bp-yWlmd3py
On 11/04, BugPoC’s latest contribution to their CTF collection kicked off. I was eagerly waiting for the challenge to go live and finally, a tweet came in:
The rules were as follows: