fast-hook

Unbreakable Romania 2025


Category: MISC

Difficulty: Easy

Challenge Overview

This is a MISC challenge, so we're given a server that we should connect to using nc.

But we can also connect on the browser and see this message:

Enter a URL (must start with https://cyber-edu.co): Invalid URL. Must start with https://https://cyber-edu.co

Using @, I managed to find that there is a Server-Side Request Forgery vulnerability. The site that I tried to be redirected to was google.com, so I entered http://35.246.235.150:31336@google.com and it worked. That means the server creates a request to google.com, possibly sending some useful information.

Using nc, I connected to the server and got the same message: Invalid URL. Must start with https://cyber-edu.co

So I tried different payloads to make the server create a request to my webhook (webhook.site).

Note: A webhook is a URL provided by a service that automatically receives HTTP requests (usually POST) when an event happens.

Apparently, the script blocks the "@" sign, because we get this message when we try to redirect it to our webhook.

@ should be bypassed

After some tries I realized that the solution to bypass it was to add a space before "@", like that.

status 200 :)

We get the status code 200, and it indeed sent the flag to the webhook.
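The filter weakness described above, shown next to a parse-then-compare check, as an added example that is not the challenge's own code. `naive_check` is an assumed reconstruction of the server's filter (prefix test plus an "@" blocklist), and `webhook.example` is a placeholder host in constructed sample inputs.

```python
from urllib.parse import urlsplit

PREFIX = "https://cyber-edu.co"   # prefix quoted in the challenge prompt
ALLOWED_HOST = "cyber-edu.co"


def naive_check(url: str) -> bool:
    """Assumed filter: prefix test plus a blocklist for '@' right after it."""
    return url.startswith(PREFIX) and not url.startswith(PREFIX + "@")


def strict_check(url: str) -> bool:
    """Parse first, then compare the parsed host against the allowlist."""
    # Whitespace and control characters never belong in a URL; parsers
    # disagree on how to treat them, so reject them before parsing.
    if any(c.isspace() or ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if "@" in parts.netloc:        # any userinfo component is refused
        return False
    if parts.hostname != ALLOWED_HOST:
        return False
    return port in (None, 443)


# Constructed sample inputs; webhook.example is a placeholder host.
SAMPLES = [
    "https://cyber-edu.co/courses",
    "https://cyber-edu.co@webhook.example/x",
    "https://cyber-edu.co @webhook.example/x",
    "https://cyber-edu.co.webhook.example/x",
]


def compare(samples=SAMPLES):
    """Return (url, naive verdict, strict verdict) for each sample."""
    return [(u, naive_check(u), strict_check(u)) for u in samples]


if __name__ == "__main__":
    for url, naive, strict in compare():
        print(f"naive={naive!s:5} strict={strict!s:5} {url!r}")
```

The fetch itself should also refuse redirects or re-run the check on every hop, since validating only the first URL leaves that path open.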


Final Flag

ctf{75421c31eee55eafbf2d1f34fcfd60c2ab3b203f95633ab4d520b524c8532ad0}

made by k0d
