TheHiddenCastle


WEB


Last updated 10 days ago

Wembsoncket

Wembsoncket is a WebSocket-based chat interface that lets you supply any URL for the “URL Bot” (a headless Puppeteer instance) to visit. Unbeknownst to users, this headless browser is already authenticated as the admin: the bot has been seeded with an HttpOnly; Secure; SameSite=None JWT cookie for the admin account. Because the cookie is SameSite=None, any page the bot loads can invisibly carry that session into further requests, including a WebSocket handshake back to the challenge server.

Host a minimal HTML page that:

  1. Opens a secure WebSocket to the challenge server.

  2. Sends the /getFlag command upon connection.

  3. Forwards any incoming message (the flag) to an attacker-controlled endpoint.

GitHub raw Gists default to Content-Type: text/plain, so browsers won’t execute the <script>. Two easy fixes:

This proxy adds Content-Type: text/html and is lightning-fast (<10 s).

Send that URL to the challenge:

Observe your webhook’s incoming GET request:

FLAG byuctf{CSWSH_1s_a_b1g_acr0nym}
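
The flag names the bug class, cross-site WebSocket hijacking (CSWSH). A server-side Origin check on the WebSocket upgrade is the usual fix; the following is an added example, not the challenge's code, and the allowed origin, `checkUpgrade`, `guardUpgrades` and `onAccepted` are assumed names.

```javascript
// Added example (not the challenge's code): reject cross-site WebSocket handshakes.
// Assumption: the legitimate chat page is served only from these origins.
const ALLOWED_ORIGINS = new Set(['https://chat.example.test']);

// Decide whether an HTTP Upgrade request may become a WebSocket.
// `headers` is Node's lower-cased req.headers object.
function checkUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers.origin;
  // Browsers always send Origin on a WebSocket handshake. With cookie
  // authentication, treat a missing header as untrusted.
  if (typeof origin !== 'string' || origin === '') {
    return { ok: false, reason: 'missing Origin' };
  }
  let normalized;
  try {
    normalized = new URL(origin).origin; // scheme://host[:port], lower-cased
  } catch {
    return { ok: false, reason: 'malformed Origin' }; // includes the literal "null"
  }
  // Exact match only: prefix, suffix or substring checks are bypassable.
  if (!allowed.has(normalized)) {
    return { ok: false, reason: `origin not allowed: ${normalized}` };
  }
  return { ok: true, reason: 'origin allowed' };
}

// Wire the check into a Node http.Server before any WebSocket library sees
// the socket. `onAccepted` is a hypothetical callback that completes the upgrade.
function guardUpgrades(server, onAccepted) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = checkUpgrade(req.headers);
    if (!verdict.ok) {
      // Rejected handshakes are worth logging: they show cross-site attempts.
      console.warn('ws upgrade rejected:', verdict.reason, req.socket.remoteAddress);
      socket.end('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      return;
    }
    onAccepted(req, socket, head);
  });
}
```

The cookie is still sent by the browser on a cross-site handshake; the check works because the browser also sets `Origin` to the page that opened the socket, and page script cannot override it.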

Challenge files

<USER>/<GIST-ID>/raw/leak.html

https://gistcdn.githack.com/
BYUCTF-2025/web/wembsoncket at main · BYU-CSA/BYUCTF-2025 (GitHub)