═══════════════════════════════════════════════════════════════════════════════
🎯 PASTEBOARD XSS - CDP EXPLOIT PAYLOAD
═══════════════════════════════════════════════════════════════════════════════

Challenge URL: https://pasteboard-1fb68b7836775bea.chals.uoftctf.org/
Webhook: https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078

═══════════════════════════════════════════════════════════════════════════════
📋 INSTRUCTIONS
═══════════════════════════════════════════════════════════════════════════════

1. Go to: https://pasteboard-1fb68b7836775bea.chals.uoftctf.org/note/new
2. Paste the PAYLOAD (below) into the "Body" field
3. Click "Create Note"
4. Copy the note URL (e.g., https://pasteboard-.../note/XXXX)
5. Go to: https://pasteboard-1fb68b7836775bea.chals.uoftctf.org/report
6. Paste the note URL and submit
7. Check your webhook: https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078

═══════════════════════════════════════════════════════════════════════════════
🚀 PAYLOAD (Copy everything below)
═══════════════════════════════════════════════════════════════════════════════

═══════════════════════════════════════════════════════════════════════════════
🔍 WHAT TO LOOK FOR IN WEBHOOK
═══════════════════════════════════════════════════════════════════════════════

SUCCESS INDICATORS:

✅ URL parameter "FLAG=" → You got it!
   Example: https://webhook.site/...?FLAG=uoftctf{...}

✅ URL parameter "step=debug_port_open" → CDP is available via HTTP
   Check POST body for debugging info

⚠️ URL parameter "error=cdp_import_failed" → CDP import didn't work
   Check the "msg" parameter for error details

📊 POST request with JSON body → Fallback data (cookie, localStorage, etc.)
   Indicates CDP didn't work but XSS is executing

═══════════════════════════════════════════════════════════════════════════════
🧪 WHAT THE PAYLOAD DOES
═══════════════════════════════════════════════════════════════════════════════

The payload executes 3 strategies in sequence:

1. CHECK FOR CDP DEBUGGING PORT
   - Tries to connect to localhost:9222/json
   - If open, sends debug info to webhook

2. IMPORT DEVTOOLS AND READ FLAG (Main Strategy)
   - Imports Chrome's internal /devtools/main/main.js
   - Uses CDP SendOverProtocol to execute:
     * process.env.FLAG (environment variable)
     * require('fs').readFileSync('/app/flag.txt')
   - Sends flag to webhook with ?FLAG= parameter

3. FALLBACK: CHECK STANDARD LOCATIONS
   - Reads document.cookie, localStorage, window.FLAG
   - Sends to webhook as POST JSON
   - This will work even if CDP fails

═══════════════════════════════════════════════════════════════════════════════
⏱️ TIMING
═══════════════════════════════════════════════════════════════════════════════

- Bot visits the page and stays for 30 seconds
- Payload executes immediately on page load
- Webhook should receive requests within 1-2 seconds
- Keep webhook tab open and watch for incoming requests

═══════════════════════════════════════════════════════════════════════════════
🎯 EXPECTED RESULT
═══════════════════════════════════════════════════════════════════════════════

Most likely scenario:
→ Webhook receives: https://webhook.site/...?FLAG=uoftctf{actual_flag_here}

Alternative scenarios:
→ Webhook receives POST with debugging info if CDP port is open
→ Webhook receives error message if CDP doesn't work
→ Webhook receives JSON with cookie/localStorage (probably empty)

═══════════════════════════════════════════════════════════════════════════════
📝 TROUBLESHOOTING
═══════════════════════════════════════════════════════════════════════════════

If you don't get the flag:

1. Check if webhook received ANY request
   - No request = XSS might not have triggered
   - Request but no flag = CDP might not be available

2. Check the error message in webhook
   - Look for "error=cdp_import_failed"
   - The error message might give clues

3. Try alternative approaches (other exploit scripts available)
   - CDP_EXPLOIT_1_chrome_inspect.py (navigate to chrome://)
   - CDP_EXPLOIT_2_debugging_port.py (check debugging port only)

═══════════════════════════════════════════════════════════════════════════════
🚩 GOOD LUCK!
═══════════════════════════════════════════════════════════════════════════════

The flag should be in process.env.FLAG on the remote server.
Your XSS works perfectly - now CDP will get you the flag! 🎯
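
For whoever operates the bot: strategy 1 above probes localhost:9222/json, which only answers when Chrome was started with a TCP debugging port. The audit below of a bot's Chrome launch flags is an added example, not part of this sheet's payload or the challenge's code; the two argument lists are constructed samples and the helper names are hypothetical.

```javascript
// Added example: audit the Chrome flags an admin bot is launched with.
// WEAK and HARDENED are constructed samples, not the challenge's real config.
const WEAK = [
  "--headless=new", "--no-sandbox", "--remote-debugging-port=9222",
  "--remote-debugging-address=0.0.0.0", "--remote-allow-origins=*",
];
const HARDENED = ["--headless=new", "--remote-debugging-pipe"];

// Returns the flag's value, "" for a bare flag, or null when it is absent.
function flagValue(args, flag) {
  const hit = args.find((a) => a === flag || a.startsWith(flag + "="));
  if (hit === undefined) return null;
  return hit === flag ? "" : hit.slice(flag.length + 1);
}

// auditChromeArgs is a hypothetical helper; the flags are real Chromium switches.
function auditChromeArgs(args) {
  const findings = [];
  const add = (id, detail) => findings.push({ id, detail });

  const port = flagValue(args, "--remote-debugging-port");
  if (port !== null && port !== "" && port !== "0") {
    add("fixed-cdp-port", `CDP listens on predictable TCP port ${port}`);
  }
  const addr = flagValue(args, "--remote-debugging-address");
  if (addr !== null && !["127.0.0.1", "localhost", "::1"].includes(addr)) {
    add("cdp-non-loopback", `CDP bound to ${addr}, reachable beyond the host`);
  }
  const origins = flagValue(args, "--remote-allow-origins");
  if (origins !== null && origins.split(",").includes("*")) {
    add("cdp-any-origin", "any web origin may open the CDP WebSocket");
  }
  if (flagValue(args, "--no-sandbox") !== null) {
    add("no-sandbox", "Chrome sandbox disabled");
  }
  if (flagValue(args, "--disable-web-security") !== null) {
    add("web-security-off", "same-origin policy disabled for rendered pages");
  }
  if (port !== null && flagValue(args, "--remote-debugging-pipe") === null) {
    add("prefer-pipe", "use --remote-debugging-pipe so no TCP endpoint exists");
  }
  return findings;
}

for (const [name, args] of [["weak", WEAK], ["hardened", HARDENED]]) {
  console.log(name, auditChromeArgs(args).map((f) => f.id));
}
```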