# FluxCloud Serverless

 

```txt
To host stuff like our website, we developed our own cloud because we do not trust the big evil corporations! Of course we use cutting edge technologies, like serverless. Since we know what we are doing, it is totally unhackable. If you want to try, you can check out the demo and if you can access the secret, you will even get a reward :)

Note: This version of the challenge contains a bypass that has been fixed in FluxCloud Serverless 2.0.

https://serverless.cloud.flu.xxx
```

---

We started looking at the Source Code

In waf.js you will see the Firewall's checks and notice, that it checks for `flag` in the URL, which it then redirects to the `/blocked` content.

In app.js you can see a `/flag` Route, which should display the `FLAG` but since the Firewall checks for that, we are not coming that far.

However, since the Firewall only checks for lowercase `flag` we can simply use another variation of the word and for example the route `/fLag` or `/Flag` etc.

flag{ca$h_ov3rfl0w}

Original writeup (https://github.com/B34nB01z/writeups/tree/master/2020/hack.lu/FluxCloud%20Serverless).