https://z3r0s6.github.io/tags/web/Recent content in Web on z3r0sHugoenSun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/web-nextblog/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/web-nextblog/<h1 id="nextblog---ctf-writeup"> NextBlog - CTF Writeup <a class="heading-link" href="#nextblog---ctf-writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <h2 id="challenge-info"> Challenge Info <a class="heading-link" href="#challenge-info"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li><strong>Name:</strong> NextBlog</li> <li><strong>URL:</strong> <code>https://cyctf-luxor-cbaff7649acb-nextblog-0-0.chals.io</code></li> <li><strong>Category:</strong> Web</li> <li><strong>Flag:</strong> <code>CyCTF{F7oXj5sHY4xfvfrIo2x2pkbr4eIVEW3DoYSQe1WHsx_iffn39-InchEsJKhkGtnfg8VA60x6WfCvKRQjmHzftiAxx1TvnXF8FA}</code></li> </ul> <h2 id="overview"> Overview <a class="heading-link" href="#overview"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>A Next.js 16 blog application with a hidden flag server running on <code>localhost:3001</code>. The goal is to exploit a Server-Side Request Forgery (SSRF) vulnerability in a server action to reach the internal flag server.</p>https://z3r0s6.github.io/challenges/web-resizer/Sun, 10 May 2026 00:00:00 +0000https://z3r0s6.github.io/challenges/web-resizer/<h1 id="resizer-writeup"> Resizer Writeup <a class="heading-link" href="#resizer-writeup"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h1> <h2 id="challenge"> Challenge <a class="heading-link" href="#challenge"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <ul> <li>Name: <code>Resizer</code></li> <li>Category: <code>Web</code></li> <li>Target: <code>http://154.57.164.66:30462</code></li> </ul> <h2 id="tldr"> TL;DR <a class="heading-link" href="#tldr"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>The core bug is an <strong>arbitrary file write through path traversal</strong> in the upload filename:</p> <div class="highlight"><pre tabindex="0" style="color:#e6edf3;background-color:#0d1117;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-python" data-lang="python"><span style="display:flex;"><span>filename <span style="color:#ff7b72;font-weight:bold">=</span> file<span style="color:#ff7b72;font-weight:bold">.</span>filename </span></span><span style="display:flex;"><span>filepath <span style="color:#ff7b72;font-weight:bold">=</span> os<span style="color:#ff7b72;font-weight:bold">.</span>path<span style="color:#ff7b72;font-weight:bold">.</span>join(app<span style="color:#ff7b72;font-weight:bold">.</span>config[<span style="color:#a5d6ff">&#39;UPLOAD_FOLDER&#39;</span>], filename) </span></span><span style="display:flex;"><span>file<span style="color:#ff7b72;font-weight:bold">.</span>save(filepath) </span></span></code></pre></div><p>Because <code>filename</code> is never sanitized with <code>secure_filename()</code> and <code>os.path.join()</code> does not stop <code>../</code>, we can write files outside <code>uploads/</code>.</p>