tl;dr

• Fuzzing to find the /internal endpoint
• Chaining CVE-2023–24329 and the SSRF in the /okay endpoint to access the internal docker registry host.
• Downloading image blobs using the docker registry API.
• Using CVE-2024-21488 to get RCE on the vec service.
• As the templates directory of the core service is cross-mounted, we can modify the index.html file from vec service to get RCE on the core service.
• Hence we can read the flag from the core service.

tl;dr

• SSRF using file_get_contents() and CRLF in ini_set()
• basic Header quirks to bypass waf
• sqli using column trick in SQLite to get the flag

tl;dr

• /source to get the source
• Access local host from dev_test using SSRF
• SQLI to get the flag path a nd LFI to get the flag

tl;dr

• Part-1: .bzr file retrival using any tool
• Part-1: exploiting ssrf via ffmpeg to read /flag file to a video and download it before it gets deleted

Hey, I am SpyD3r(TarunkantG) and In this blog I will be discussing all the 5 web challenges that I made for InCTFi 2019 and a lot of SQLi and bypassing disable_functions tricks.