V2.fams.cc

"download": "http://v2.fams.cc/download/7a9c3d", "used_key": "8c3c5d1e2f4a6b7c9d0e1f2a3b4c5d6e"

#!/usr/bin/env python3
import sys, hashlib, binascii
from Crypto.Cipher import AES

/var/www/internal/
├─ index.html
├─ secret/
│  └─ flag.txt
└─ uploads/

The flag file (/var/www/internal/secret/flag.txt) contains the flag in plain text. Because the external interface can reach http://127.0.0.1:8000/secret/flag.txt via SSRF, we can ask the service to encrypt that file and then decrypt it ourselves.

url = http://127.0.0.1:8000/secret/flag.txt
key = any‑string (e.g., "ssrf")

Submit: "download": "http://v2
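The SSRF above works because the service fetches whatever URL it is given, loopback included. The following is an added example, not code from the original write-up or from the service: a destination check a URL-fetching endpoint could run before connecting, assuming it only needs to reach public HTTP(S) hosts. The names check_fetch_url, is_public and resolve are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def resolve(host):
    """Default resolver (hypothetical helper): every address the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def is_public(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap ::ffff:127.0.0.1 so the IPv4 rules apply to it.
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local and other reserved ranges.
    return ip.is_global

def check_fetch_url(url, resolver=resolve):
    """Return the vetted destination addresses for url, or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        raise ValueError("scheme or host not allowed")
    host = parts.hostname
    try:
        # inet_aton accepts legacy IPv4 spellings (2130706433, 0x7f.1, 127.1)
        # that HTTP clients may accept too, so normalise them before checking.
        addrs = {socket.inet_ntoa(socket.inet_aton(host))}
    except OSError:
        try:
            addrs = {str(ipaddress.ip_address(host))}  # IPv6 literal
        except ValueError:
            addrs = set(resolver(host))                # DNS name
    # Every address must be public: one loopback record is enough to reject.
    if not addrs or not all(is_public(a) for a in addrs):
        raise ValueError("destination is not a public address")
    return sorted(addrs)
```

The fetcher should connect to one of the returned addresses rather than resolving the name a second time, and should run the same check on every redirect target.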

At first glance the service looks harmless, but a closer look reveals three exploitable weaknesses that can be chained together: