
@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://0xdf.gitlab.io/flagvent2025/medium
  • Blog Title: Flagvent 2025 (Medium) — pink, Santa’s Wishlist, Christmas Metadata, Captured Noise
  • Suggested Section: Pentesting Web -> XSS (add a subsection like "DOM XSS via window.name / implicit globals" and optionally "XSS vs Admin Bots/Automation + javascript: scheme") and Generic Methodologies & Resources -> Basic Forensic Methodology / Stego (APNG frame extraction stego; modem/FSK decoding with minimodem; CSS unicode-range hex extraction)

🎯 Content Summary

This post is a set of technical writeups for Flagvent 2025 “medium” challenges. It includes multiple actionable techniques: APNG frame extraction plus pixel-count steganography, DOM XSS via window.name abuse with an admin Playwright bot, hex-in-metadata decoding, and modem/FSK decoding plus CSS unicode-range data extraction.

FV25.05 – “pink” (APNG pixel-count steganography)

  • Identify real file type: file reports PNG but ExifTool shows APNG with multiple frames.
  • Extract frames: use ffmpeg to ...

🔧 Technical Details

APNG frame-based steganography via pixel-count deltas: If a “PNG” is actually an APNG, confirm via metadata (e.g., ExifTool) and extract frames with ffmpeg -i file.png -vsync 0 frames/frame_%03d.png. Then compute per-frame color histograms (e.g., Pillow img.getcolors()) and interpret a chosen color’s pixel count as data (ASCII via chr(count)) across frames to reconstruct a message.

DOM XSS via implicit global name (window.name): Referencing/assigning to name without let/const/var can bind to window.name. If application logic later consumes name unsafely, an attacker can pre-set the browsing-context name using iframe.name or window.open(url, targetName, ...), enabling script execution in the victim origin.

Admin/bot exploitation pattern (seed secret → visit attacker URL → exfiltrate): ...

🤖 Agent Actions

Updated HackTricks with new stego and XSS techniques from the blog:

  • Added implicit-global/window.name DOM XSS abuse and admin-bot/javascript: navigation notes (with exfil payload examples) to pentesting-web/xss-cross-site-scripting/dom-xss.md, plus references.
  • Expanded stego/images/README.md with APNG pixel-count extraction workflow (detection, ffmpeg frame dump, Pillow color counting) and references.
  • Added FSK/modem decoding workflow using SoX spectrograms and minimodem, with references, to stego/audio/README.md.
  • Documented CSS unicode-range byte extraction technique and added references to stego/text/README.md.

All updated files now include a references section citing the source blog.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
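The APNG pixel-count decoding step described in the Technical Details above, as an added example that is not part of this PR, the HackTricks repo, or the 0xdf post. It assumes the frames have already been dumped with ffmpeg; the frame data below is constructed in-memory so the script runs offline, and the carrier color is auto-selected (the post picks it by hand) as the color whose count varies across frames and always stays in printable ASCII.

```python
# Added example (not from the PR or the 0xdf writeup): decode a message hidden
# as the per-frame pixel count of one color across APNG frames.
from collections import Counter


def frame_color_counts(pixels):
    """Histogram of a frame given as an iterable of RGB tuples.
    Same information as Pillow's img.getcolors(), but as {color: count}."""
    return Counter(pixels)


def load_frame_colors(path):
    """Loader for a real frame file dumped by ffmpeg (assumes Pillow is installed)."""
    from PIL import Image  # imported lazily so the constructed demo runs without Pillow
    with Image.open(path) as img:
        return Counter(img.convert("RGB").getdata())


def find_carrier_color(frames):
    """Pick the color whose count changes between frames and is always in the
    printable ASCII range 32..126: that is the channel carrying one byte per frame.
    Caveat: a message made of one repeated character would not be detected."""
    candidates = set().union(*(f.keys() for f in frames))
    for color in sorted(candidates):
        counts = [f.get(color, 0) for f in frames]
        if len(set(counts)) > 1 and all(32 <= c <= 126 for c in counts):
            return color
    return None


def decode_message(frames):
    """Reconstruct the message: chr(count) of the carrier color, one char per frame."""
    color = find_carrier_color(frames)
    if color is None:
        return ""
    return "".join(chr(f.get(color, 0)) for f in frames)


def make_frame(message_byte, width=16, height=16, carrier=(255, 0, 255)):
    """Constructed 16x16 frame: `message_byte` carrier pixels, the rest filler."""
    filler = (0, 0, 0)
    pixels = [carrier] * message_byte + [filler] * (width * height - message_byte)
    return frame_color_counts(pixels)


# Constructed sample: "FLAG" hidden as counts 70, 76, 65, 71 over four frames.
SAMPLE_FRAMES = [make_frame(ord(ch)) for ch in "FLAG"]

if __name__ == "__main__":
    # For real frames: frames = [load_frame_colors(p) for p in sorted(glob("frames/*.png"))]
    print(decode_message(SAMPLE_FRAMES))  # -> FLAG
```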

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://0xdf.gitlab.io/flagvent2025/medium

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web -> XSS (add a subsection like "DOM XSS via window.name / implicit globals" and optionally "XSS vs Admin Bots/Automation + javascript: scheme") and Generic Methodologies & Resources -> Basic Forensic Methodology / Stego (APNG frame extraction stego; modem/FSK decoding with minimodem; CSS unicode-range hex extraction)".

Repository Maintenance:

  • MD Files Formatting: 936 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
