A tweet showing an RCE in ExifTool popped up on my feed; it looked interesting — maybe a little scary. But what good is an RCE on a demo video? I wanted more; I wanted it to pop my calculator.exe, to rm -rf my home directory; heck, it could even Rick Roll me. However, like with all things in life, there was no publicly-available proof-of-concept. So I decided to make my own.

The changelog on ExifTool’s GitHub had the following: Patched security vulnerability in DjVu reader. I searched for “DJVU” on the page and found the patch:

The code that fixes the vulnerability

Using the…

Intigriti releases cool challenges every once in a while, and this was no exception.

I love a good challenge. Every time I solve an Intigriti challenge, I learn something new. Motivated by that, I wanted to crack this one too.

As usual, there were many dead-ends, moments of frustration and head-scratches. However, I’ll save your scalp from the scratching and walk you through this challenge.

The Challenge

Right after the tweet, I opened up the challenge link:

Challenge Description

Getting familiarized

When you open the link, it redirects you to a chat room with a random UUID which is probably the chat room ID.

This writeup has since won the H1–702 challenge. Read HackerOne blog here: https://www.hackerone.com/blog/H1-702-CTF-Winners-Announced

When you open the challenge link, you’re presented with this:

Instructions can be found on the web challenge site:

Open the link in your browser and you’re greeted with a normal-looking HTML page:

It sounds like there is a secret endpoint somewhere that allows you to store notes. The title indicates that it has something to do with RPC.

Considering the previous year’s challenge, I thought they could be hiding it on a different port other than 80. I did a basic nmap port scan:


Amal Murali

Interested in technology.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store