Hexpresso FIC Quals 2019: Step 6

Published December 20, 2019 • 2 minutes read

The sixth step is a web application that allows us to fetch a URL.


In the source code of the page we can read:

    <!-- <span>PS: To get your flag go here: <a href="/secret">/secret</a></span> -->

So, our objective is to access /secret. Let's see:


Coming from should not be a big deal using the URL fetcher itself, right? This challenge really looks like a standard SSRF anyway...

Not so easy

Note: we must add a GET parameter because the script appends :80/ at the end of the URL. We could deal with it, but it's more convenient to absorb it entirely.

It seems that is reachable. We should now be coming from but there is something else: we are missing the GOSESSION cookie.

I tried to trick the application for some time, but the problem is clear: we have to control the body of the query that the URL fetcher performs in order to add the cookie.

At this point, I was very sad and did not know what to do. I was about to give up when my teammate Plean sent me this link.

CVE-2019-9741 is a CRLF injection in the net/http package of Go (version 1.11). It is exactly what we need, as it allows us to write the body of the query.

I tweaked the example payload from the GitHub issue (see the link above) and came up with this:

A bit more readable:

    HTTP/1.1\r
    Cookie: GOSESSION=abc

The original body will still be present, after ours, but it does not matter.
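As an added defensive example (my own code, not the challenge's or the writeup's), here is the check a URL fetcher written in Go could run before handing user input to net/http: it rejects the CR/LF this CVE relies on, whether raw or percent-encoded, and the loopback or private targets an SSRF needs. Function names are mine; the sample URLs in the test are constructed.

```go
package main

import (
	"net"
	"net/url"
	"strings"
)

// isInternalIP: loopback, unspecified, link-local or RFC 1918 private, i.e.
// the addresses an SSRF would use to reach an internal /secret.
func isInternalIP(ip net.IP) bool {
	if ip.IsLoopback() || ip.IsUnspecified() || ip.IsLinkLocalUnicast() {
		return true
	}
	for _, cidr := range []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		if _, block, _ := net.ParseCIDR(cidr); block.Contains(ip) {
			return true
		}
	}
	return false
}

// validateFetchURL vets a user-supplied URL before it reaches net/http and
// returns "" if it is acceptable, otherwise the reason it was rejected. It
// refuses CR/LF in the raw string (the CVE-2019-9741 vector) and in every
// decoded component (a percent-encoded %0d%0a lands in Path), then refuses
// internal targets. Hostnames are not resolved here; a real fetcher must also
// resolve the name and run isInternalIP over every returned address.
func validateFetchURL(raw string) string {
	if strings.ContainsAny(raw, "\r\n\x00") {
		return "control characters in URL"
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "unparsable URL: " + err.Error()
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "scheme not allowed"
	}
	for _, part := range []string{u.Host, u.Path, u.RawQuery, u.Fragment} {
		if strings.ContainsAny(part, "\r\n") {
			return "control characters in URL"
		}
	}
	host := u.Hostname()
	if ip := net.ParseIP(host); host == "localhost" || (ip != nil && isInternalIP(ip)) {
		return "internal host not allowed"
	}
	return ""
}
```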

Because we have to deal with CRLFs, it is easier to URL-encode the payload. However, the URL fetcher interface does not handle it well, so we can use curl instead:

Final command:

    $ curl '' | jq -r ".content" | base64 -D
    {"ok":true,"message":"Ok here is your flag ...","flag":"Gg ! Send mail here ! But there is one last step here for the brave available on :"}

I took a break at this point but my teammate Shiro continued on step 7. Please, take a look at his writeup.
