Unreachable

From the challenge hint, we know that its CVE-2024-38473.

Doign a quick research, we will find an article by Orange Tsai regarding confusion attack.

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!Orange Tsai

Following the POC, we are able to leak the cgio-bin/admin.cgi source code.

curl http://unreachable.hexnova.quest/html/usr/lib/cgi-bin/admin.cgi%3F

From here my team got stucked for very long. We tried enumerating the file system, fuzzing the s3 buckets, trying to leak files/different versions of the s3 buckets to no avail.

It was until the end of the CTF someone shared that it is steganography 🤦‍♂️

PreviousPipeline Drift NextIncident Responder

Last updated 6 months ago