# SpookTastic

## OVERVIEW

---

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759505751672/d4fa5fa6-376c-49e8-bfd2-61bdde92b47c.png align="center")

We were given an instance and a file to download, so let's check out the website and the contents of the downloaded file.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759505913528/c79014fa-f93a-420f-8119-f7a131fb913a.png align="center")

Most of the buttons do nothing useful, but there is a newsletter sign-up.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759507206404/0c1ec991-5d21-4bab-8c1c-ae30d0b1478e.png align="center")

It accepts an email address and is the only working feature on the site, so let's look at the contents of the downloaded file:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759507873277/d5473621-6d72-45f4-8e5b-1bfffca51c2e.png align="center")

The **bot.html** template contains a **Stored Cross-Site Scripting (XSS)** vulnerability: user-supplied data is stored and later rendered into HTML unescaped via `|safe`, enabling persistent script execution for any user or bot that views the page.

The template uses `{{ email|safe }}`, which tells Jinja2 to render the value without escaping HTML. That allows injected HTML/JS to be preserved and executed by any browser that renders the template.
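As an added example (not the challenge's code or part of the original post), the snippet below reproduces the two rendering behaviours just described using only the Python standard library as a stand-in for Jinja2: `render_with_safe` interpolates the stored value verbatim as `{{ email|safe }}` does, while `render_autoescaped` entity-encodes it as `{{ email }}` does with autoescaping on, and `live_markup` parses each result to show which one actually yields an `img` element with an `onerror` handler. The template text, the regex and the input validation helper are assumptions, not the challenge's own.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample input: the markup the post submits through the newsletter form.
INJECTED = '<img src=x onerror="alert(document.body.innerText)">'
# Hypothetical template fragment standing in for the challenge's bot.html.
TEMPLATE = "<p>Latest subscriber: {value}</p>"

def render_with_safe(email: str) -> str:
    """Stand-in for `{{ email|safe }}`: the stored value is interpolated verbatim."""
    return TEMPLATE.format(value=email)

def render_autoescaped(email: str) -> str:
    """Stand-in for `{{ email }}` with autoescaping on: `<`, `>`, `&` and quotes become
    entities, so the browser shows the value as text and creates no element from it."""
    return TEMPLATE.format(value=html.escape(email, quote=True))

class _TagCollector(HTMLParser):
    """Records every element and every on* event-handler attribute the parser creates."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.lower().startswith("on"))

def live_markup(rendered: str) -> tuple[list[str], list[str]]:
    """Parse a rendered page the way a browser would and report (tags, event handlers)."""
    collector = _TagCollector()
    collector.feed(rendered)
    return collector.tags, collector.handlers

# Defence in depth: validate the address at the newsletter endpoint before storing it.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def is_plausible_email(value: str) -> bool:
    return len(value) <= 254 and EMAIL_RE.fullmatch(value) is not None

if __name__ == "__main__":
    for renderer in (render_with_safe, render_autoescaped):
        page = renderer(INJECTED)
        print(renderer.__name__, live_markup(page), page)
```

Output escaping is the actual fix for the template; the address check only keeps obviously malformed values out of storage in the first place.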

A headless browser (the bot) visits the page and captures any `alert()` output.

So let's submit the XSS payload below through the newsletter form to trigger that alert:

```html
<img src=x onerror="alert(document.body.innerText)">
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759508297740/b4c5e02f-2192-4835-b3b1-b25ebd80db58.png align="center")

Now let’s check it by submitting it:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759508380186/d5d88938-e0a2-49bd-b2a4-b720ca275575.png align="center")

It executed successfully.

Now click OK once more and the flag appears: when this payload was stored as an email entry and the bot later visited the `/bot` view, the image triggered its `onerror` event and executed the `alert(...)`. The alert box shown by the bot contained the challenge flag:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759508675722/49075229-ecc1-4df9-af76-4f281a9c6da0.png align="center")

## **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1759508732636/720a5855-9e46-49d2-a3b6-d6caa60f193a.png align="center")

For Any Query Or Problem Either Leave A Comment Or Contact At [**reapsec.com**](http://reapsec.com/)

**THANKS FOR READING !!!**
