The H1-212 CTF Writeup

It was nice experience so let’s have a look how I cracked H1-212 CTF?

I was reading about H1-212 on hackerone.com/blog and got to know about server IP and host. I found that you can’t browse the host so I thought why not try to use acme.org as host as it was already hosted on the same server.

As you can see in figure above acme.org launched a new server for the admin panel that mean admin.acme.org to verify the host i decided try to get the subdomain of the host by using the script Ruby scan.rb --ip= --host=acme.org

made by Mr. Jober Abama.

So in response I got the cookie which says set-cookie: admin=no which is a hint indicating to play with cookie.

* Let’s set cookie with admin=yes

* Next I found that the response says that the method was not allowed and the method was changed to POST and I got the next hint.

* In response is change to the POST method I got 406 Not acceptable hmmm……..

* I played next with the content-type and finally found that content-type: application/json works and got the response 418 I’m a teapot as shown in the figure.


* Kindly Notice the error {“error”:{“body”:”unable to decode”}} in figure 4 which was the response I got. From this response I got a hint that JSON data can be used as a payload and I used {“domain”:”google.com”} as a payload.

* Using payload the response says {“error”:{“domain”:”incorrect value, .com domain expected”}} then I decided to bypass the ssrf so tried test.google.com

* I found that after trying test.google.com I got error message {“error”:{“domain”:”incorrect value, sub domain should contain 212″}} shown in fig 6 there is condition we need to use 212 in subdomain. After many attempts I was not able to bypass then I read more about ssrf bypass on orange tsai ppt. found some payload and after that my final payload was 212.\nlocalhost:80/flag\n.com. Here you can check the response which will create and ID as shown in fig 7.

* In the ID created in fig 7 we need to read the data is obtain the next hint so we used the GET method. In response to GET method we got Base 64 data. After decoding the Base 64 I got to know that payload was now working

* After reading this decoded list I decided to look for the port and finally found 1337 port which was often as useful as link.

* I sent the request and in response got this {“next”:”\/read.php?id=120″}. The next step was to read the Id=120, so used new GET request to read it and found nothing. Try digging deeper I came to know that alternate number was missing and worked on the missing alternate number where is found the flag in Base 64

Thanks for reading!!