pastebin-1

Description

In this challenge there is a pastebin service in which you can post your message and get a shareable link to your post. The admin bot will visit the URL you submit to it.

Solution

The pastebin executes any javascript passed to it. XSS is possible. We can leverage this to access the admin bot's cookie when it visits our URL. Setup a webhook to receive the request.

index

Submit the link to our paste to the admin bot

index

Javascript will try to load the image from the URL, passing cookie information along with it.

index

URL decode to get the flag.

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search