SSRF Image Header

Upon opening the link: http://13.59.2.198:5588, an input field saying Find hidden element (URL) is shown. As it asks for a URL, I tried entering http://google.com to see what sort of result is returned.

It can be seen that whatever element in the source code contains the string hidden is displayed. This gives us a clue about what may be happening at the back-end: they might be using file_get_contents() or a similar function to read the URL's source code, and then filtering lines based on the string hidden. SSRF can be the way to go!

Before proceeding further, I decided to look around the source code of the website. There was a lot of obfuscated JavaScript code that attracted my attention. There was also a fishy anchor tag: <a href='/var/www/html/flag.txt' hidden>-_-</a>. I tried appending various combinations like ['flag.txt', '../flag.txt', ...] to the URL, but got nothing out of it.

Then I decided to analyze the Obfuscated JS Code. Using http://jsnice.org/, I “un”obfuscated the first JS code snippet to obtain:

'use strict';
/** @type {!Array} */
// String table: the obfuscator replaced every literal with an index into this array.
var _0x3bc3 = ["main_form", "getElementById", "input", "createElement", "name", "expression", "setAttribute", "type", "text", "placeholder", "/<[^<>]{1,}hidden[^<>]{1,}>/"];
var _frss = document[_0x3bc3[1]](_0x3bc3[0]);   // document.getElementById("main_form")
var _xEger = document[_0x3bc3[3]](_0x3bc3[2]);  // document.createElement("input")
_xEger[_0x3bc3[6]](_0x3bc3[4], _0x3bc3[5]);     // setAttribute("name", "expression")
_xEger[_0x3bc3[6]](_0x3bc3[7], _0x3bc3[8]);     // setAttribute("type", "text")
_xEger[_0x3bc3[6]](_0x3bc3[9], _0x3bc3[10]);    // setAttribute("placeholder", "/<[^<>]{1,}hidden[^<>]{1,}>/")

The two variables in this code stood for ssrf and regex in reverse! That gave me some confidence over my guess of SSRF!

On analyzing this code further, the _xEger variable basically creates another input element with the name expression and sets its value as a regex: <[^<>]{1,}hidden[^<>]{1,}>. This basically matches any tag of this form: <some_text hidden some_text>

What would happen if we change this expression in the GET request?

I tried the URL with the regex .* which would print everything out for me: http://13.59.2.198:5588/index.php?target=http%3A%2F%2Fgoogle.com&expression=.*, but got nothing. Then it struck me: the question text says my website is not so /secure/. This can refer to the regex syntax we have to use!

Then I tried the new URL: http://13.59.2.198:5588/index.php?target=http%3A%2F%2Fgoogle.com&expression=/.*/. Voila! The entire source code of http://google.com was shown!

Now, I got back to my lead on SSRF. I tried using the file:// protocol in the target field, hoping that I would get a valid response. I tried accessing the /etc/passwd file first; http://13.59.2.198:5588/index.php?target=file:///etc/passwd&expression=/.*/. To my surprise, I was presented with the passwd file!

Now all I had to do was find the location of the flag. Remember how there was a fishy anchor tag that we found in the source code? It was time to try that location out: http://13.59.2.198:5588/index.php?target=file:///var/www/html/flag.txt&expression=/.*/

Voila! The flag was: noxCTF{/[h1DD3N]*[55Rf]*[r393X]*/} 🙂
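As an added defender-side example (not the challenge's own code), here is how the same "fetch a URL and grep it for hidden elements" feature can be hardened against what was exploited above: only http(s) schemes are accepted, the destination is checked after DNS resolution so loopback and private addresses are refused, and the regex stays a server-side constant instead of coming from the request. The function names and the sample HTML are assumptions constructed for this example.

```python
"""Hardened target validation for a 'fetch this URL and show hidden elements'
feature. Added example; not the challenge's source. Names are assumed."""
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# The regex is a server-side constant (the one the page's JS set as the
# placeholder); the request must not be able to swap it for /.*/.
HIDDEN_ELEMENT_RE = re.compile(r"<[^<>]{1,}hidden[^<>]{1,}>")


def validate_target(url: str, resolved_ip: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason). The caller resolves the host and passes the IP it
    will actually connect to, so the check runs on the address, not the name."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        # file:// and every other non-HTTP scheme never reach the fetcher.
        return False, f"scheme not allowed: {parts.scheme!r}"
    if not parts.hostname:
        return False, "missing host"
    candidate = resolved_ip if resolved_ip is not None else parts.hostname
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        return False, "host must be resolved to an IP before fetching"
    if (ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified or not ip.is_global):
        return False, f"destination {ip} is not a public address"
    return True, "ok"


def find_hidden_elements(html: str) -> list:
    """Apply only the fixed pattern to a fetched body."""
    return HIDDEN_ELEMENT_RE.findall(html)


if __name__ == "__main__":
    # Constructed sample body; the anchor mirrors the one in the write-up.
    SAMPLE = ("<html><body><p>visible</p>"
              "<a href='/var/www/html/flag.txt' hidden style='display:none'>-_-</a>"
              "</body></html>")
    for target, ip in [("http://google.com/", "8.8.8.8"),   # 8.8.8.8: sample public IP
                       ("file:///etc/passwd", None),
                       ("http://127.0.0.1:5588/", None)]:
        print(target, validate_target(target, ip))
    print(find_hidden_elements(SAMPLE))
```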
