Challenge page

This month’s (May 2021) XSS challenge by Intigriti was created by me (with some additions by Inti). In this article, I will explain my solution for the challenge and the tips that were given.


In the application, two random numbers are given, and the sum of the first number plus the user’s input had to result in the second number. After clicking submit, a progress bar is shown, and when it’s full, the user will receive a message.

If the equation was correct, the message will state that the user is not a robot. …

Reverse shell interface

Before you start reading this article, please keep in mind that this is a very basic reverse shell, and still needs a lot of work to get the most out of it. A few of the limitations are:

  • Errors could occur if the payload is active on multiple pages. The payload gets executed on all pages where it’s active, but the multiple pages could be distinct from each other, and when they all send back their response, only one of them is saved by the interface.
  • The reverse shell interface is made to be placed on a webserver, which…

In this post, I will explain how I found an authentication bypass, and further explored the functionality of the website, to increase the impact of the submission.

The target had a wide scope and the main domain did not have that much functionality, so after a quick look around, I started enumerating subdomains, and Google dorking with the following search query inurl:redacted. During the Google dork I found the following domain: Then I narrowed my search query to One of the domains I found with this Google search, was a site that displayed something like “Loading data…”. I…



As always, I started with reading the rules. The goal is to alert() the following flag: {THIS_IS_THE_FLAG}. Hmm.. this is new! With the previous challenges I’ve solved the goal was to execute document.domain. The solution should leverage a cross site scripting vulnerability on this page, shouldn’t be self-xss or related to MiTM attacks, and should work on the latest version of Firefox and Chrome.

Explaining the code

After reading the rules, I would normally use the webpage like it’s intended to be used but at first sight, there doesn’t seem…

Why does my title say “Hacking” when it’s just an XSS challenge? Because I didn’t solve the challenge, I hacked the game.

When you open the challenge page, the first thing you see is this:

Challenge page

This is a game called “18 Game” and its goal is to have three cards of which the sum adds up to 18. This is done by selecting one card from each pile, and after your three cards are selected, you will know if you’ve won or not.

So is there a strategy of some sort to win this game? No. The cards that you…

While I was reading some of Inti De Ceukelaire’s old writeups, I came across “How I got your phone number through Facebook”. Facebook’s reply on his submission was that the “Who can look me up” settings are set to Public.

Who can look me up privacy settings

After reading this, I decided to have a look at the “Who can look me up” settings. I set them to “Only me” and started testing whether it does what it is supposed to do. The first thing I did was log out and try the password reset function. I filled in my phone number and there it was, my…

As always, I started with reading the rules. The goal is to execute alert(document.domain) on the domain. Self XSS and MiTM attacks are not in scope, and the solution should work on the latest version of Firefox and Chrome.

Challenge page

The first thing I did was use the calculator like it’s supposed to be used, to see how it reacts to my input. It looks like the first number, the operator and the second number of the calculation are set as parameters in the URL. …

Like you should do with every challenge, I started with reading the rules. Those were clear. The goal was to execute alert(document.domain) on the domain, without using self-xss or MiTM attacks. The attack should work in the latest version of Chrome and Firefox.

While looking at the HTML of the page, I quickly noticed that the QR code was an iframe with a page that accepts a parameter ‘URL’ in the URL and displays the URL in the form of a QR code. When the code is clicked, the URL will be opened in a new tab.

When I started with bug bounty hunting, I became interested in all bugs related to URLs. Among my favorite and easy to exploit / find bugs are broken link takeovers.

I have found a few since I started, but all of them were links to nonexistent social media accounts. So nothing really critical here, but it’s always fun to have a big company link customers to your social media account. Some companies even give you a bounty if you report it to them!

I’ve noticed that most of the broken links to social media happen because companies rename their…

While I was looking at companies to do my internship at, I found a company with a link to a nonexistent Twitter account. I thought it would be original to use this takeover to apply for an internship, and immediately show them that their site has a broken link. So I created the application with a few tweets, and mailed the company to tell them to look at the Twitter account linked to on their site.

A few hours later, I noticed the URL on their site was updated, but I never got a reply on my email. I don’t think this company was very happy with my application :).


  • If you apply for a job application via broken link takeover, keep in mind that there is a chance the company won’t like your application.


Professional My Little Pony addict
