Finally completed it too. I got no clue how that is an Easy level, unless I'm missing something crucial.
This one's kicking my rear. I have an idea of what I should be trying to do (I think), I just don't know how to actually do it.
Update: Got the flag! I learned about an EXCESSively cool type of attack and techniques I hadn't seen before on the way. I concur with kavigihan; once I'd read up on the vulnerability class, exploitation was super straightforward, but I sunk two days into this challenge fumbling around before that.
Hello,
I had some trouble with the docker provided with this chall. There is a missing lib so puppeteer won't work and the form to submit url won't work either.
I had to
$ apt-get install libxshmfence1
in the docker to get everything working properly.
Or you can fix it in the Dockerfile.
The version of puppeteer is outdated and I got this error when I tried to launch puppeteer in the docker
/app/node_modules/puppeteer/lib/cjs/puppeteer/node/BrowserRunner.js:197
reject(new Error([
^
Error: Failed to launch the browser process!
/app/node_modules/puppeteer/.local-chromium/linux-901912/chrome-linux/chrome: error while loading shared libraries: libxshmfence.so.1: cannot open shared object file: No such file or directory
Hope it helps
Nice chall btw
Is it possible to solve this challenge without hosting my own web page?
If you have a router and can configure it, you can use port forwarding to send traffic to a specific port and host a webpage with python -m http.server.
Any hints for obtaining the web flag?
I've been looking at this for some hours, poked at the only obvious vector.
I can do one thing and another thing, but failed when I tried to chain them together. I saw many people here talking about CORS but I'm not sure if that's applicable in that case - if I can do them individually then why can't I do them combined? Any help would be appreciated.
P.S. I'm not sure if the docker image has changed, but I have to manually add libxshmfence1 libglu1
to the list of packages installed for puppeteer to work.
Do I have to pay for the pro version to solve this challenge?
There is a landing page and puppeteer actually needs to click it
no, ngrok is just a tunnel, to host a page or get requests or anything I just use the python simple http server.
So use ngrok to tunnel traffic to, say, port 8080, then use "python -m http.server 8080" and then any traffic that goes to the link ngrok gives you is directed to your http server.
I don't get it… I used ngrok to redirect to my local environment, and then when I put the ngrok url in the submit I don't receive any http request from the page. BUT when I used a recently created webhook I received a http request.
I'm doing something wrong, or ngrok does not apply for this challenge?
Any help will be appreciated.
Thanks!
Since some time in the past, ngrok will display a landing page before loading any content from the user as a misuse prevention measure. That's documented on their website. This means that it cannot be used to solve this challenge unless you pay.
I can accept DMs.
Might be good to report as challenge feedback and set as a disclaimer when attempting the challenge; localtunnel also has the same issue. Although if there is any workaround for the solution it would be good to know.
Tunnelmole is a good alternative to ngrok, simple usage and it's working with this challenge.
This one is not really easy, the difficulty difference between easy challenges is insane.
Indeed Tunnelmole works. Thanks for the tip, although you're also right that this challenge is not quite easy, I will rank it a mid level (even hard) if you don't have a good understanding of web.
Finally, I got the flag, this sheeeyt not easy at all, dunno why they rank it as an easy challenge LOL
Use ngrok with a hosted webpage on apache2/nginx or u can simply use python3 web server, all works fine to me.
I use PipeDream free tier for all these sorts of "I need an external host" thing and they work great. You can send arbitrary payloads back against arbitrary URLs and even do logic.