D-CTF 2025 Quals

Hard challenge with 35 solutions

The website has a single feature: taking a screenshot of a provided link.

After a while we noticed the blog button, which points to the localhost bot:4000.

Our first idea was to send a screenshot request for our webhook, which would open localhost in an iframe.

And that worked: we took a screenshot of the localhost blog.

As you can see, there is a feature for posting a comment.

Our comment was posted, and the first thing we tried was XSS, but it didn't bring any results.

The next stage was testing for SSTI.

SSTI worked, so it seemed to be easy: just read the flag.

But as it turned out, you need root rights to read flag.txt.

We decided to get a reverse shell through our SSTI payload.

Once we had it, we needed to do privesc to read flag.txt, and after a few hours we did it through the cron job file.sh, which is executed by root every 10 minutes.
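The last step depends on a root cron job running a file that an unprivileged account can influence. The audit below is an added example, not part of the original writeup: it assumes the job is defined in a system-format crontab and that the weakness is a group- or world-writable script or directory (the writeup does not say which); the function names and sample paths are constructed.

```shell
#!/bin/sh
# Added example (not from the writeup). Audits a system-format crontab
# (fields: m h dom mon dow user command) for root jobs that run a file
# which is group/world-writable or sits in such a directory.
# "@reboot"-style shortcut lines are not handled.

# is_loose PATH: true if PATH has the group- or world-write bit set
is_loose() {
    [ -n "$(find -L "$1" -prune \( -perm -002 -o -perm -020 \) 2>/dev/null)" ]
}

# audit_crontab FILE: prints "WRITABLE <path>" for every finding
audit_crontab() {
    while read -r m h dom mon dow user cmd; do
        case "$m" in ''|'#'*) continue ;; esac      # blank line or comment
        [ "$user" = "root" ] || continue            # only jobs run as root
        set -f                                      # no glob expansion below
        for word in $cmd; do
            case "$word" in /*) ;; *) continue ;; esac
            [ -f "$word" ] || continue              # absolute path to a file
            if is_loose "$word" || is_loose "$(dirname "$word")"; then
                echo "WRITABLE $word"
            fi
        done
        set +f
    done < "$1"
}

# demo: constructed crontab and scripts in a temp dir; prints the findings
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' > "$d/file.sh";   chmod 777 "$d/file.sh"    # loose
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 755 "$d/backup.sh"  # tight
    {
        echo '# constructed sample, system crontab format'
        echo "*/10 * * * * root sh $d/file.sh"
        echo "0 3 * * * root $d/backup.sh --full"
        echo "*/5 * * * * www-data $d/file.sh"
    } > "$d/crontab"
    audit_crontab "$d/crontab"
    rm -rf "$d"
}

demo
```

On a real host, point `audit_crontab` at `/etc/crontab` and the files under `/etc/cron.d`; anything it reports should be owned by root with mode 755 or tighter, in a directory with the same restrictions.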
