AddOnTrap

PicoCTF2026 reverse

This challenge provides an .xpi file, which is a browser add-on (extension) package. Since .xpi files are ZIP archives, we can extract their contents. Analyzing manifest.json and main.js shows that the add-on takes an IP address and sends it to ip-api.com. At first glance, nothing appears suspicious.

Digging deeper, we discover another JavaScript file containing a secret key, with a comment indicating that it should have been removed. A quick Google search for "Secret key must be 32 url-safe base64-encoded bytes!" points us to a Python library implementing Fernet encryption. Using the key and the webhook URL in a Python script, we are then able to retrieve the flag.
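The root cause here is a key left in shipped add-on code. As an added example (not part of the original writeup or the challenge files), this Python script walks the members of an .xpi and reports strings that have the shape of a Fernet key, the kind of check that can run before an add-on is published. The sample archive, the `backgrounds/helper.js` path and the key in it are constructed for illustration.

```python
import base64
import io
import re
import zipfile

# A Fernet key is 32 random bytes in URL-safe base64: 43 characters plus one "=".
KEY_RE = re.compile(r"(?<![A-Za-z0-9_\-])[A-Za-z0-9_\-]{43}=(?![A-Za-z0-9_\-=])")


def is_fernet_key(candidate: str) -> bool:
    """Apply the check behind the '32 url-safe base64-encoded bytes' error."""
    try:
        return len(base64.urlsafe_b64decode(candidate)) == 32
    except ValueError:  # binascii.Error (bad padding or alphabet) is a ValueError
        return False


def scan_xpi(xpi_bytes: bytes):
    """Return (member, line number, key) for each Fernet-shaped string found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as xpi:  # an .xpi is a ZIP archive
        for name in xpi.namelist():
            if not name.endswith((".js", ".json", ".html")):
                continue
            text = xpi.read(name).decode("utf-8", errors="replace")
            for lineno, line in enumerate(text.splitlines(), start=1):
                for match in KEY_RE.finditer(line):
                    if is_fernet_key(match.group()):
                        findings.append((name, lineno, match.group()))
    return findings


def build_sample_xpi() -> bytes:
    """Constructed sample add-on; helper.js and its contents are made up."""
    key = base64.urlsafe_b64encode(bytes(range(32))).decode()  # not the challenge key
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        z.writestr("main.js", "fetch('http://ip-api.com/json/' + ip);\n")
        z.writestr("backgrounds/helper.js",
                   f"// TODO: remove before release\nconst key = '{key}';\n")
    return buf.getvalue()


if __name__ == "__main__":
    for name, lineno, key in scan_xpi(build_sample_xpi()):
        print(f"{name}:{lineno}: possible Fernet key {key[:6]}...")
```

Any hit should be treated as a compromised secret: rotate the key and move the decryption server-side, since anything bundled in an extension is readable by whoever unzips it.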
