
🎯 POV

A detailed write-up of the Misc challenge 'POV' from UlisseCTF - 2025

[Image: Challenge Presentation]

📊 Challenge Overview

| Category | Details | Additional Info |
|---|---|---|
| 🏆 Event | UlisseCTF - 2025 | Event Link |
| 🔰 Category | Misc | 🎯 |
| 💎 Points | 500 | Out of 500 total |
| ⭐ Difficulty | 🟢 Easy | Personal Rating: 2/10 |
| 👤 Author | Filippo Nardon <@ufilme> | Profile |
| 🎮 Solves (At the time of flag submission) | 0 (🩸 First Blood) | solve rate |
| 📅 Date | 07-04-2025 | UlisseCTF - 2025 |
| 🦾 Solved By | mH4ck3r0n3 | Team: aetruria |

📝 Challenge Information

I recently purchased this monitor from faceb00c marketplace. It is displaying a static noise signal that appears to be frozen. Can you help me figure out what’s going on?

Note: DOS is not required to complete the challenge.

Website: http://pov.challs.ulisse.ovh:8888

🎯 Challenge Files & Infrastructure

Provided Files

Files: None

🔍 Initial Analysis

First Steps

Initially, the site appears as follows:

[Image: Site Presentation]

Inspecting the page source, I found the /api/stream endpoint, but while analyzing the requests made, I found a strange header with a filename field set to image55.png:

[Image: Stream 1]

Refreshing the page, I noticed that the filename changed on the next request:

[Image: Stream 2]

As we can see, in this case it’s image4.png. The first thing I thought was to collect all the images, since we’re told there are a total of 59/60 images depending on whether the index starts from zero or not, and create a gif to generate the full “stream”. But this solution was not the right one. Let’s move on to the next phase.

🎯 Solution Path

Exploitation Steps

Initial setup

I then thought of performing an overlay of the images, since I noticed by refreshing that the arrangement of the black dots actually changed, so maybe by overlapping them they would form the flag.

Exploitation

To do this, I wrote a Python script, since it reminded me a lot of a challenge I had seen in the past. Once the script was executed and after collecting several frames, I formed the flag and got the first blood.

Flag capture

[Image: Manual Flag]

🛠️ Exploitation Process

Approach

The automated exploit repeatedly requests the /api/stream endpoint and saves each frame it receives. Using the Pillow library, it overlays the collected frames and writes out the composite every 5 frames. The image becomes clear by the 3rd or 4th iteration, and the final flag is formed once all frames have been collected.
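The overlay step described above, as an added example (not the author's script, which is not reproduced on this page). It assumes that each frame carries only some of the dark pixels and that there are 60 frames; the `HIDDEN` bitmap, the generated frames and all function names are constructed stand-ins for the /api/stream responses, and repeated frames are skipped by filename. With Pillow, the same per-pixel minimum is `ImageChops.darker`.

```python
import random

# Constructed stand-in for the hidden picture ('#' = dark pixel).
HIDDEN = [
    "#..#.#....#...",
    "#..#.#...#.#..",
    "#..#.#...###..",
    ".##..###.#.#..",
]
WHITE, BLACK = 255, 0
TOTAL_FRAMES = 60  # assumption: frames are named image0.png .. image59.png

def blank():
    return [[WHITE] * len(HIDDEN[0]) for _ in HIDDEN]

def make_frames(seed=1):
    """Scatter HIDDEN's dark pixels over TOTAL_FRAMES sparse frames."""
    rng = random.Random(seed)
    frames = [blank() for _ in range(TOTAL_FRAMES)]
    for y, row in enumerate(HIDDEN):
        for x, ch in enumerate(row):
            if ch == "#":
                frames[rng.randrange(TOTAL_FRAMES)][y][x] = BLACK
    return {f"image{i}.png": f for i, f in enumerate(frames)}

def overlay(canvas, frame):
    """Per-pixel minimum: once any frame darkens a pixel it stays dark."""
    return [[min(a, b) for a, b in zip(r1, r2)] for r1, r2 in zip(canvas, frame)]

def collect(frames, seed=2, max_requests=5000):
    """Draw random frames, as each refresh does, until every name was seen."""
    rng = random.Random(seed)
    names = sorted(frames)
    canvas, seen, requests = blank(), set(), 0
    while len(seen) < len(names) and requests < max_requests:
        name = rng.choice(names)  # simulates one request to /api/stream
        requests += 1
        if name in seen:          # repeated filename: nothing new to overlay
            continue
        seen.add(name)
        canvas = overlay(canvas, frames[name])
    return canvas, len(seen), requests

def render(canvas):
    return ["".join("#" if p == BLACK else "." for p in row) for row in canvas]

if __name__ == "__main__":
    canvas, distinct, requests = collect(make_frames())
    print(f"{distinct} distinct frames after {requests} requests")
    print("\n".join(render(canvas)))
```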

🚩 Flag Capture

Flag

UlisseCTF{p3r51573nc3_0f_v1510n}

Proof of Execution

[Image: Automated Flag]
Screenshot of successful exploitation

🔧 Tools Used

| Tool | Purpose |
|---|---|
| Python | Exploit |

💡 Key Learnings

Skills Improved

  • Binary Exploitation
  • Reverse Engineering
  • Web Exploitation
  • Cryptography
  • Forensics
  • OSINT
  • Miscellaneous


📊 Final Statistics

| Metric | Value | Notes |
|---|---|---|
| Time to Solve | 00:25 | From start to flag |
| Global Ranking (At the time of flag submission) | 1/362 | Challenge ranking |
| Points Earned | 500 | Team contribution |

Created: 07-04-2025 • Last Modified: 07-04-2025 Author: mH4ck3r0n3 • Team: aetruria