misc-tor-rible-site (CSAW CTF 2021) writeup

writeup for tor-rible-site challange in CSAW CTF 2021 finals

Posted by 0xMohammed on November 13, 2021 · 1 min read


Hidden deep within the dark web lies the flag you so need.

Author: Stephen Mondiguing, SecurityScorecard

(NOTE: the author used a slightly different flag format. Capitalize FLAG, e.g. FLAG{3x4mpl3_fl4g}, when submitting to CTFd.)


  1. Gobuster
  2. Tor proxy
  3. common wordlist
  4. pdfstreamdumper


We were given an .onion website to examine. Check the website’s source code, and we found an HTML comment which states that there is a hidden folder on the website. sourcecode Now we need to perform a directory bruteforce on the onion website. For that, we need to direct our bruteforce traffic through a tor proxy. First, we need to install tor proxy using the following command sudo apt install -y tor. After we run tor proxy, the output shows that the proxy is a SOCKS that runs on port 9050. sourcecode After running tor proxy properly, we will use gobuster with common.txt wordlist from wfuzz to bruteforce the directories under the onion website. Running gobuster gobuster dir --proxy socks5:// -u http://pmh35xhqgkv52vmzkmdqnkmjzv4zjam25asdirnhykz6s76qfac57pid.onion/ -w common.txt gives us two directories, ‘backups’ and ‘hidden’ sourcecode Browsing the backups folder, we found two files, ‘alice.jpg’ and ‘lookharder.pdf’. sourcecode Checking the strings of the two files, we found a flag.txt in the pdf file. sourcecode Loading the pdf file in pdfstreamdumper, we found the flag in one of the pdf streams. sourcecode