terjanq

Busy Traffic | writeup by @terjanq

justCTF 2025

Challenge TL;DR

The challenge consisted of three components: Traefik v3.4.5 proxy, a Simple Cache plugin for Traefik, and an admin bot that adds a flag to local storage on the challenge domain. The intended solution combined cache poisoning and request splitting to build an arbitrary XSS payload from the available assets.

Solution

veekaybee

Anti-hype LLM reading list

Goals: Add links that are reasonable and good explanations of how stuff works. No hype and no vendor content if possible. Practical first-hand accounts of models in prod eagerly sought.

Foundational Concepts

Pre-Transformer Models

payloadartist

# ------Instructions---------
# Install (and configure) subfinder, assetfinder, and httprobe
# go get -v github.com/projectdiscovery/subfinder/cmd/subfinder && go get -v github.com/tomnomnom/httprobe && go get -v github.com/tomnomnom/assetfinder
# cat firefox.sh >> ~/.bashrc 
# source ~/.bashrc 
# Usage - subf_ff target.tld
#         asset_ff target.tld

subf_ff () {
subfinder -d $1 -silent -t 100 | httprobe -c 50 | sort -u | while read line; do firefox $line; sleep 10; done

BlackFan

CVE-2019-8331

Bootstrap < 3.4.1 || < 4.3.1

✔️ CSP strict-dynamic bypass

➖ Requires user interaction

➖ Requires $('[data-toggle="tooltip"]').tooltip();

fuzyll

#!/usr/bin/env bash

# make_ghidra_app.sh | MacOS App Bundle Creator Script
#
# Copyright (c) 2019 Alexander Taylor <ajtaylor@fuzyll.com>
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#