Instant Development Company


Your uncle got scammed but he’s too embarrassed to tell you how much he had lost. Can you find out?

  • Author: Andrix


Opening up the site we aren’t presented with too many options, so we head to the /review endpoint through the link on the main page. Its vulnerable to XSS but other than that, I could not find anything interesting. I decided to go back to the roots, and started running dirbuster on the site, and it quickly found a hidden endpoint: /debug.

On there we have bunch of options, but downloading source seems like a good place to start. After acquiring the source files we are presented with:


Reading through the files, we can see some comments inside the debug.html file, which indicate, that a file with an easy to break password is accessible from the webroot. We can download the mentioned file using a small python script:

import requests

r ="", data = {'template': '../'}, verify = False)
with open('', 'wb') as f:

From here we are required to crack the password. To do this, we first extract the password hash, then we can use hashcat to crack it.

zip2john > backup.hash
# remove unnecessary content from backup.hash
# or else hashcat will throw errors

# -a brute -m hashtype = PKZIP (Compressed Multi-File) file format
hashcat -a 3 -m 17220 backup.hash ?d?d?d?d?d?d?d?d?d?d

Once hashcat crunched all the possibilities, we can unzip the previously extracted zipfile. It contains two files:


The README contains some sort of clue/meme, but the contracts.txt is the file we are looking for. It contains a bunch of, already expired S3 links.

At this point I got lucky, and solved the challenge by accident using python (I realized if I use curl, the links remain accessible, and I can read the contents, probably due to some AWS missconfiguration):

import os

with open("contracts.txt", 'r') as f:
	for line in f.readlines():
		r = os.system(f'curl {line}')

After the solve, I contacted Andrix, who gave the explaination: If you forgo the parameters given to the http request (the stuff after the ? in the URL) you can abuse the AWS S3 missconfiguration.

The acquired flag is:


← Back to SecChallenge22

all tags