원클릭으로
wss-terminal
Use when extracting WSS terminal connection parameters (URL, cookie, protocol type) from browser pages for wss_connect tool usage
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
메뉴
Use when extracting WSS terminal connection parameters (URL, cookie, protocol type) from browser pages for wss_connect tool usage
Codex 또는 Claude로 설치 이 Prompt를 복사해 Codex, Claude 또는 다른 어시스턴트에 붙여 넣으면 Skill 페이지를 검토하고 설치를 진행할 수 있습니다.
SOC 직업 분류 기준
| name | wss-terminal |
| description | Use when extracting WSS terminal connection parameters (URL, cookie, protocol type) from browser pages for wss_connect tool usage |
当页面包含 Web 终端(xterm.js 等)时,按以下步骤提取 WSS 直连参数。
navigate_page 打开目标页面take_snapshot 确认页面存在终端元素(.xterm、.terminal、Terminal input 等)将以下 JS 复制到 evaluate_script 中执行:
() => {
const scripts = Array.from(document.querySelectorAll('script:not([src])'));
let wsScript = null;
for (const s of scripts) {
const t = s.textContent;
if (t.match(/WebSocket|ws:\/\/|wss:\/\/|onData|sendInput/)) {
wsScript = t;
break;
}
}
let wsUrl = null;
if (wsScript) {
const urlMatch = wsScript.match(/["'\x60](wss?:\/\/[^"'\x60]+)["'\x60]/);
if (urlMatch) wsUrl = urlMatch[1];
if (!wsUrl && wsScript.includes('location.host')) {
const pathMatch = wsScript.match(/["'\x60](\/ws\/[^"'\x60]*)["'\x60]/);
if (pathMatch) wsUrl = 'wss://' + location.host + pathMatch[1];
}
}
return {
wsUrl,
hasSendInput: wsScript?.includes('sendInput') || false,
hasBinaryPrefix: wsScript?.includes('CLIENT_CMD') || false,
hasGottyPrefix: wsScript?.match(/['"]1['"].*send/) !== null,
hasXterm: !!document.querySelector('.xterm'),
scriptLength: wsScript?.length || 0
};
}
根据 Step 1 返回值映射:
| 特征 | 协议 |
|---|---|
hasSendInput=true 或 hasBinaryPrefix=true | ttyd |
hasGottyPrefix=true | gotty |
URL 包含 /wetty | wetty |
URL 包含 /api/v1/ + exec | k8s |
| 以上都不匹配 | generic |
evaluate_script(() => document.cookie)list_network_requests 获取同域请求列表get_network_request(reqid=<id>)Cookie 字段值Authorization header(Bearer token 等),用 extra_headers 传递从目标 URL 提取 Origin(scheme://host[:port]):
wss://example.com/ws/shell → origin = "https://example.com"
ws://10.0.0.1:8080/ws → origin = "http://10.0.0.1:8080"
规则:wss 对应 https,ws 对应 http。
wss_connect(
url=<Step1的wsUrl>,
cookie=<Step3a的cookie>,
protocol=<Step2的协议>,
origin=<Step3b的origin>,
extra_headers=<如有Authorization等额外header>,
subprotocols=<如服务器要求特定subprotocol,如["tty"]>
)
如果返回 4001 UNAUTHORIZED 或类似认证失败:
subprotocols(部分 ttyd 服务器要求 ["tty"])window.__wt 方式(参见 additionalContext 中的初始化脚本)如果 Step 1 的探测脚本未找到 WebSocket 代码(高度混淆/打包的 JS),则:
evaluate_script 获取所有 <script src> 的 URLWebFetch 下载 JS bundleWebSocket、ws://、wss:// 关键词Use when facing AI security challenges involving prompt injection, LLM jailbreaks, or AI agent exploitation
Use when facing binary exploitation (PWN) or reverse engineering challenges involving memory corruption, ROP chains, shellcode, binary analysis, decompilation, unpacking, or dynamic tracing
Use when facing cryptography challenges involving cipher analysis, key recovery, mathematical attacks, or protocol weaknesses
Use when transferring files between remote environments and local Docker containers via litterbox.catbox.moe relay or base64 chunked fallback
Use when facing digital forensics or misc challenges involving disk images, memory dumps, network captures, steganography, file format analysis, encoding puzzles, sandbox escapes, or archive manipulation
Use when conducting penetration testing, post-exploitation, lateral movement, domain attacks, cloud exploitation (AWS/GCP/Azure), container escape, or Kubernetes cluster attacks