You can create and search your notes; if there is a match, you are redirected to the note page by a client-side redirect: `setTimeout(() => location = '{note_page}', 1000)`

Regarding the bot part: although it looks like you can only send it links prefixed with http://123.60.29.171:10001, that is not actually the case. I think that's why they give out the bot source code:
The important part is here: `let url = new URL(path, site)`. According to the docs:

So, by sending an absolute URL, you can make the bot visit any link; there is no need to find an XSS on the note site (and I don't think there is one).
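As an added example (not the challenge's own bot code), the Node.js snippet below shows why `new URL(path, site)` does not confine the bot to the site prefix, and the origin check a bot author would want instead; the function names and the `other.example` host are assumed here.

```javascript
// Added example, not the challenge's bot code. `site` is the prefix quoted
// in the writeup; the function names are assumed for illustration.
const site = 'http://123.60.29.171:10001';

// The pattern from the bot source: WHATWG URL parsing treats an absolute
// `path` as a complete URL and ignores the base `site` entirely.
function resolveBotUrl(path) {
  return new URL(path, site).href;
}

// Hardened resolver: resolve the same way, then refuse anything whose
// origin differs from the allowed site. Both "http://other.example/x" and
// the protocol-relative "//other.example/x" end up on another origin and
// are rejected; a relative path such as "/note/1" keeps the site's origin.
function safeResolveBotUrl(path) {
  const url = new URL(path, site);
  if (url.origin !== new URL(site).origin) {
    throw new Error(`refusing off-site URL: ${url.origin}`);
  }
  return url.href;
}

// Convenience wrapper: true when the hardened resolver accepts `path`.
function isAllowed(path) {
  try {
    safeResolveBotUrl(path);
    return true;
  } catch {
    return false;
  }
}

// Demo when run directly: shows where each input actually resolves to
// and whether the hardened check would let the bot visit it.
if (typeof require !== 'undefined' && require.main === module) {
  for (const p of ['/note/1', '//other.example/x', 'http://other.example/x']) {
    console.log(p, '->', resolveBotUrl(p), isAllowed(p) ? 'allowed' : 'blocked');
  }
}
```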
If we can detect the redirection, we can leak the flag char by char. I used the `history.length` trick mentioned in XS-Leaks: you open a window, then redirect it back to your own origin, and read `history.length` to see whether a redirect occurred. Here is my payload:
5 seconds is not enough for all possibilities (38 chars), so I have to send it to the bot manually twice just to leak one character.
I believe there is a faster way to do this, but I am too lazy to explore it, so I just sent it manually a few times.
The most time-consuming part is the reCAPTCHA; it took about 80% of my time for leaking the whole flag (10% writing the exploit, 10% submitting the form).
Fortunately, the flag is short.