I accidentally pasted the secret, but I deleted it right away, so it's fine!
Beginner Hint: About the Admin Bot (AI-translated)
- In this challenge, an Admin Bot is provided separately from the main web application.
- The Admin Bot copies the flag to its clipboard, then opens the specified path in Headless Chrome.
- After that, it pastes the clipboard content into
#input, immediately deletes it, and types another string. - Therefore, your goal is to make the Admin Bot visit your payload and send the pasted content to an external endpoint.
- You can either host your own receiver or use an existing service that lets you inspect incoming HTTP requests.
- What you give to the Admin Bot is not the full URL, but the path after the URL prefix shown on the page.
- If you want to learn more about the Admin Bot, see https://github.com/alpacahack/web-admin-bot as well.
(automatically translated from Japanese)