https://cnf409.me/tags/pop_chain/ Recent content in Pop_chain on conflict Hugo en-us <a href="https://creativecommons.org/licenses/by-nc/4.0/" target="_blank" rel="noopener">CC BY-NC 4.0</a> Sat, 11 Apr 2026 00:00:00 +0000 https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/ Sat, 11 Apr 2026 00:00:00 +0000 https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/ <h3 id="table-of-contents">Table of Contents</h3> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#introduction">Introduction</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#tldr">TLDR</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#infrastructure-analysis">Infrastructure Analysis</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#the-symfony-application">The Symfony Application</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#the-flask-application">The Flask Application</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#snuffleupagus-the-bouncer">Snuffleupagus, the Bouncer</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#useful-observations">Useful Observations</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#part-1---reading-the-snuffleupagus-secret">Part 1 - Reading the Snuffleupagus Secret</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#slipping-through-the-htaccess">Slipping Through the .htaccess</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#bypassing-ip_address-with-an-ipv6-zone-id">Bypassing ip_address() with an IPv6 zone ID</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#neutralizing-the-require-ip-header">Neutralizing the &ldquo;Require Ip&rdquo; Header</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#getting-apache-to-leak-the-secret-key">Getting Apache to Leak the Secret Key</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#expr-in-boolean-context-inside-header-set">expr in boolean context inside Header set</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#reading-optdefaultrules-with-filereqpath">Reading /opt/default.rules with file(req(&lsquo;Path&rsquo;))</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#extraction-script-and-results">Extraction Script and Results</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#part-2---escaping-the-cage">Part 2 - Escaping the Cage</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#forging-signed-serialized-cookies">Forging Signed Serialized Cookies</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#snuffleupagus-hmac-format">Snuffleupagus HMAC Format</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#forging-arbitrary-notes-objects">Forging arbitrary Notes objects</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#pop-chain-to-arbitrary-file-inclusion">POP Chain to Arbitrary File Inclusion</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#finding-gadgets">Finding Gadgets</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#building-the-serialized-payload">Building the Serialized Payload</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#smuggling-an-elf-into-the-server">Smuggling an ELF into the Server</a> <ul> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#writing-raw-bytes-via-the-forged-cookie">Writing raw bytes via the forged cookie</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#cookie-size-issues-and-so-minimization">Cookie size issues and .so minimization</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#the-snuffleupagus-incident">The Snuffleupagus Incident</a></li> </ul> </li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#conclusion">Conclusion</a></li> <li><a href="https://cnf409.me/posts/2026/04/fcsc-2026-secure-mood-notes/#additional-scripts">Additional Scripts</a></li> </ul> <h1 id="introduction">Introduction</h1> <p>Secure Mood Notes is a two-part web challenge from FCSC 2026. Both parts share the same infrastructure: a note-taking application where notes have “moods” (angry, chill, normal) that transforms their content. The first flag is hidden inside the Snuffleupagus configuration, and the second one requires full remote code execution on the server.</p>