⏰ It's CHALLENGE O'CLOCK! — INTIGRITI (@intigriti), June 19, 2023
👉 Find the FLAG before Tuesday June the 27th!
👉 Win €300 in SWAG prizes!
👉 We'll release a tip for every 100 likes on this tweet!
Thanks @0xGodson_ for the challenge! 👇 https://t.co/FA04W3xCZO
The lazy way (kind of cheating ;))
When I saw this challenge, the Intigriti team had already posted a hint.
100 likes, time for the first hint! 😏 pic.twitter.com/fz9blGvpdR — INTIGRITI (@intigriti), June 19, 2023
This makes it pretty obvious that the challenge is finding a prototype pollution and exploiting it to cause XSS. So, I visited this awesome cheat sheet and started blindly copy-pasting the payloads and, to my surprise, one worked!
String.prototype is the shared object from which all string instances inherit properties and methods.
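To make that mechanism concrete, here is an added example (my own code, not from the write-up or the challenge): a recursive merge with the same defect class that lets a `__proto__` key in untrusted JSON write into Object.prototype, a hardened merge that refuses prototype-chain keys, and a probe showing that the polluted property is then inherited by every fresh object and by string primitives alike. The names `mergeUnsafe`, `mergeSafe` and `demo` and the sample JSON are my own constructions.

```javascript
'use strict';

// Vulnerable deep merge (same defect class as the deep $.extend in jQuery
// versions before 3.4): it recurses into every key of untrusted input, so a
// "__proto__" key makes target["__proto__"], i.e. Object.prototype, the next target.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const val = source[key];
    if (val && typeof val === 'object') {
      if (!target[key] || typeof target[key] !== 'object') target[key] = {};
      mergeUnsafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Hardened merge: only own keys, and never the keys that reach the prototype
// chain. Existing nested targets are reused only when they are own properties.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (val && typeof val === 'object') {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Probe: merge constructed attacker-style JSON into an empty object, then read
// the polluted name from an unrelated fresh object and from a string primitive
// (String.prototype -> Object.prototype, which is why strings see it too).
function demo(merge) {
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}}'); // constructed input
  merge({}, untrusted);
  const result = { objectSees: ({}).polluted, stringSees: 'abc'.polluted };
  delete Object.prototype.polluted; // restore the shared prototype for the next run
  return result;
}
```

Running `demo(mergeUnsafe)` returns `"yes"` for both reads while `demo(mergeSafe)` returns `undefined` for both, which is the check to run against any merge, clone or query-string parser a page exposes to user input.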
By modifying or extending
jquery-2.2.4.js file, you can see the code responsible for this on line