An Image Speaks a Thousand RCEs: The Tale of Reversing an ExifTool CVE

A tweet showing an RCE in ExifTool popped up on my feed; it looked interesting — maybe a little scary. But what good is an RCE on a demo video? I wanted more; I wanted it to pop my calculator.exe, to rm -rf my home directory; heck, it could even Rick Roll me. However, like with all things in life, there was no publicly-available proof-of-concept. So I decided to make my own....

May 18, 2021 · 15 min · Amal Murali

Solving Intigriti Challenge using… Content Injection!

Intigriti releases cool challenges every once in a while, and this was no exception. I love a good challenge. Every time I solve an Intigriti challenge, I learn something new. Motivated by that, I wanted to crack this one too. As usual, there were many dead-ends, moments of frustration and head-scratches. However, I’ll save your scalp from the scratching and walk you through this challenge. The Challenge: Right after the tweet, I opened up the challenge link:...

April 20, 2020 · 8 min · Amal Murali

h1–702 CTF — Web Challenge Write Up

This writeup has since won the H1–702 challenge. Read the HackerOne blog here: https://www.hackerone.com/blog/H1-702-CTF-Winners-Announced When you open the challenge link, you’re presented with this: Instructions can be found on the web challenge site: http://159.203.178.9/ Open the link in your browser and you’re greeted with a normal-looking HTML page: [Image: Notes RPC CTF homepage] It sounds like there is a secret endpoint somewhere that allows you to store notes. The title indicates that it has something to do with RPC....

July 1, 2018 · 13 min · Amal Murali

Solving the Dog Problem — Google CTF 2018 Quals Write Up

Challenge Description: [Image: Cat Chat app popup] Getting familiarized: When you open the link, it redirects you to a chat room with a random UUID which is probably the chat room ID. [Image: Challenge homepage] This looks like a chat application built with NodeJS where anyone can join and chat with each other. If you use /name bob, your display name gets changed to that. If you type /report, an admin will join the room for a few seconds....

June 8, 2018 · 11 min · Amal Murali