by Daviey 382 days ago
Well, it's probably just a coincidence, but I literally just spun up a web service that is vulnerable to this: https://isitup.daviey.com/

The code doesn't make any reference to a .netrc, but I happen to have one in ~/.netrc:

  machine localhost
  login *REDACTED*
  password CTF{*REDACTED*}

It's not ideal that requests automatically slurps credentials from ~/.netrc and leaks them, even when my code never references it. It's possible that the netrc is on the same server from a different application, developer debugging environment, or just forgotten about etc.

First one to grab the flag wins, well, nothing. But have fun. I'll keep it online for a couple of weeks, or until the VC money runs out.
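An added example, not part of the post above and not the code behind the linked service: it shows the behaviour the post describes, where `requests` attaches credentials from a netrc file that the calling code never mentions, and that setting `trust_env = False` on the session stops the lookup. The netrc contents, URLs and function names are constructed for illustration; the `NETRC` environment variable is used only to point `requests` at a temporary file instead of a real `~/.netrc`.

```python
import base64
import os
import tempfile

import requests

# Constructed sample netrc: same host as in the post, placeholder credentials.
SAMPLE_NETRC = "machine localhost\nlogin demo-user\npassword demo-secret\n"


def attached_credentials(url, trust_env):
    """Return (scheme, "user:password") that requests would send to url, or None."""
    session = requests.Session()
    session.trust_env = trust_env  # False disables the implicit netrc lookup
    # Note: no auth= argument anywhere; prepare_request() does the lookup itself.
    prepared = session.prepare_request(requests.Request("GET", url))
    header = prepared.headers.get("Authorization")
    if header is None:
        return None
    scheme, _, token = header.partition(" ")
    return scheme, base64.b64decode(token).decode()


def run_demo():
    """Prepare requests offline against a temporary netrc and report the results."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "netrc")
        with open(path, "w") as fh:
            fh.write(SAMPLE_NETRC)
        os.chmod(path, 0o600)
        previous = os.environ.get("NETRC")
        os.environ["NETRC"] = path  # requests honours NETRC before ~/.netrc
        try:
            return {
                "default": attached_credentials("http://localhost/status", True),
                "trust_env_off": attached_credentials("http://localhost/status", False),
                "other_host": attached_credentials("http://example.org/", True),
            }
        finally:
            if previous is None:
                del os.environ["NETRC"]
            else:
                os.environ["NETRC"] = previous


if __name__ == "__main__":
    for case, creds in run_demo().items():
        print(f"{case}: {creds}")
```

`trust_env = False` also stops `requests` from reading proxy and CA bundle settings from the environment, so set those explicitly on the session if the service depends on them.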

2 comments

  Sorry, you have been blocked
  You are unable to access daviey.com

Looks like Cloudflare has decided the whole thing is dodgy. Or doesn't like my IP address...

That's really strange... because it seems to be working for some people (already have the first solve). I can't see any issues in CF...

EDIT: I had the security in CF too robust, try now?

Edit: Comment removed on request of parent.

Well done for solving it.. but I'd have preferred you had not shared the solution, it's against the spirit of these sorts of things, but I can't stop you. :)

EDIT: I do appreciate you removing the solution. Have a great day.