V2.fams.cc May 2026
#!/usr/bin/env python3
import sys, hashlib, binascii
from Crypto.Cipher import AES
# 2️⃣ Pull the encrypted blob
curl -s "$DOWNLOAD" -o /tmp/enc.bin
cipher = AES.new(key, AES.MODE_CBC, iv)
pt = cipher.decrypt(ct)
>>> import hashlib
>>> hashlib.md5(b'testkey').hexdigest()
'3d2e4c5a9b7d1e3f5a6c7d8e9f0a1b2c'

The server also generates a random 16‑byte IV and prefixes it to the ciphertext (standard practice). The download URL returns a that is exactly IV || ciphertext.

4. Exploiting the SSRF

The url parameter is fetched server‑side without any allow‑list. The backend runs on a Docker container that also hosts an internal file‑server on port 8000. The file‑server’s directory tree (found via a quick port scan on the internal IP 127.0.0.1) looks like this:
# Load encrypted file
data = open('enc.bin','rb').read()
iv, ct = data[:16], data[16:]