A tweet showing an RCE in ExifTool popped up on my feed; it looked interesting, maybe a little scary. But what good is an RCE in a demo video? I wanted more: I wanted it to pop my calculator.exe, to rm -rf my home directory; heck, it could even Rick Roll me. However, as with all things in life, there was no publicly available proof-of-concept. So I decided to make my own.
The changelog on ExifTool's GitHub had the following entry: "Patched security vulnerability in DjVu reader." I searched for "DJVU" on the page and found the patch:
Intigriti releases cool challenges every once in a while, and this was no exception.
I love a good challenge. Every time I solve an Intigriti challenge, I learn something new. Motivated by that, I wanted to crack this one too.
As usual, there were many dead-ends, moments of frustration and head-scratches. However, I’ll save your scalp from the scratching and walk you through this challenge.
Right after the tweet, I opened up the challenge link:
When you open the link, it redirects you to a chat room with a random UUID in the URL, which is probably the chat room ID.
This writeup has since won the H1-702 challenge. Read the HackerOne blog post here: https://www.hackerone.com/blog/H1-702-CTF-Winners-Announced
When you open the challenge link, you’re presented with this:
Instructions can be found on the web challenge site: http://126.96.36.199/
Open the link in your browser and you’re greeted with a normal-looking HTML page:
It sounds like there is a secret endpoint somewhere that allows you to store notes. The title indicates that it has something to do with RPC.
Considering the previous year's challenge, I thought they could be hiding it on a port other than 80. I did a basic nmap port scan:
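The scan described above, as an added example that is not part of the original writeup: a full TCP port sweep of the challenge host from the text, with a small helper that pulls the open ports other than 80 out of nmap's grepable (-oG) output. The target IP is the one quoted from the challenge page; the sample -oG line fed to the parser is constructed for illustration and is not real scan output.

```shell
#!/bin/sh
# Added example (not from the original post): scan the challenge host on all
# TCP ports and list whatever is open besides the web port.

# IP quoted from the challenge text above.
TARGET="126.96.36.199"

# Full-range TCP scan, only reporting open ports, written in grepable format
# so the result can be post-processed. Requires nmap to be installed.
scan_all_ports() {
  outfile="$1"
  nmap -p- -T4 --open -oG "$outfile" "$TARGET" >/dev/null
}

# Read grepable nmap output on stdin and print each open port number except
# 80, one per line. In -oG output the port list follows "Ports:", entries are
# comma-separated, and each entry is port/state/protocol/owner/service/rpc/version.
open_ports_except_80() {
  sed -n 's/.*Ports: //p' \
    | tr ',' '\n' \
    | sed 's/^ *//' \
    | grep '/open/' \
    | cut -d/ -f1 \
    | grep -vx 80
}

# Constructed sample of an -oG host line (not a real scan result), used so the
# parser can be exercised without running nmap.
SAMPLE=$(printf 'Host: 126.96.36.199 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//nginx/, 8080/open/tcp//http-proxy///\tIgnored State: closed (65532)')

# Stand-alone usage: parse the constructed sample. To scan for real, call
# scan_all_ports scan.gnmap and then: open_ports_except_80 < scan.gnmap
printf '%s\n' "$SAMPLE" | open_ports_except_80
```

The filter keys on the `/open/` state field rather than on the whole line, so a host line that also carries "Ignored State" or filtered-port entries does not produce false positives.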