ctf-web
Trust Score: 65.1
Trust Tier: 0
Badge: danger
Score Breakdown
| Factor | Score | Weight |
|---|---|---|
| Static | 10.0 | 15% |
| Permission | 95.0 | 15% |
| Poison | 0.0 | 15% |
| Clickfix | 100.0 | 15% |
| Credential | 100.0 | 15% |
| Twostage | 100.0 | 10% |
| Infrastructure | 70.0 | 5% |
| Typosquat | 100.0 | 5% |
| Age | 27.8 | 3% |
| Popularity | 0.0 | 2% |
Scan Results
STATIC — Score: 10
[HIGH] Shell command execution
(line 261)
**PHP backtick eval (character limit):** `` echo`cat *`; `` -- PHP backticks = `shell_exec()`, fits RCE in as few as 8 c
[HIGH] Shell command execution
(line 274)
`pickle.loads()` calls `__reduce__()` → `(os.system, ('cmd',))` instant RCE. Also via `yaml.load()`, `torch.load()`, `jo
[HIGH] Obfuscated content using hex escape sequences
(line 432)
Identify via `Next-Action` + `Accept: text/x-component` headers. CVE-2025-55182: fake Flight chunk exploits constructor
PERMISSION — Score: 95
[LOW] Skill appears to use network but declares no permissions
POISON — Score: 0
[HIGH] Fake developer/admin mode activation
(line 47)
- [server-side-advanced.md](server-side-advanced.md) - Advanced server-side techniques: ExifTool CVE-2021-22204, Go rune
[HIGH] Fake developer/admin mode activation
(line 342)
## Flask/Werkzeug Debug Mode
[HIGH] Content contains alarming words not in description: exfiltrate, jailbreak, override
CLICKFIX — Score: 100
No findings.
INFRASTRUCTURE — Score: 70
[HIGH] Direct IP URL with no domain (likely C2 server)
(line 376)
`<a rel="attachment" href="file:///flag.txt">` or `<link rel="attachment" href="http://127.0.0.1/admin">` -- WeasyPrint
TWOSTAGE — Score: 100
No findings.
CREDENTIAL — Score: 100
No findings.
TYPOSQUAT — Score: 100
No findings.