Firebird CTF 2024 Write Up - infantwaf
Challenge Summary
infantwaf is a web challenge by hollow and mystiz. We are given a Python proxy in front of a 'protected' PHP backend, http://infantwaf.backend, which returns the flag if the URL parameter `giveme=flag` is set. However, the proxy rejects any GET request whose query string contains the string `flag`:
```python
from flask import Flask, request
from requests import get

app = Flask(__name__)
upstream = 'http://infantwaf.backend'  # the 'protected' PHP backend


@app.route('/', methods=['GET'])
def proxy():
    # request.args is percent-decoded, so this sees the real value of giveme
    q = request.args.get('giveme')
    # nesting reconstructed from the write-up: giveme must be 'proxy' to reach the flag check
    if q is not None:
        if q != 'proxy':
            return '🈲'
        # request.query_string is the raw, still percent-encoded query string
        elif 'flag' in request.query_string.decode():
            return '🚩'
        else:
            # the raw query string is forwarded to the PHP backend unchanged
            return get(f'{upstream}/?{request.query_string.decode()}').content
```
Solution
The proxy only checks whether the literal string `flag` appears in the raw query string (`request.query_string` is the undecoded bytes exactly as sent). We can bypass this by writing `flag` another way, for example percent-encoding the `f` as `%66`. Then `'flag' in request.query_string.decode()` evaluates to `False`, the request is forwarded to the backend verbatim, and PHP decodes `%66lag` back to `flag` when it populates `$_GET`.
That alone is not enough, though: `request.args.get('giveme')` returns the decoded value, so `?giveme=%66lag` is seen by the first check as `flag`, which is not `proxy`, and the request is rejected with 🈲. The trick is to send `giveme` twice. Werkzeug's `request.args.get()` returns the first occurrence of a repeated key, while PHP's `$_GET` keeps the last, so the proxy sees `proxy` and the backend sees `flag`. Hence we can craft the payload as follows:
http://ash-chal.firebird.sh:36003?giveme=proxy&giveme=%66lag
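To see both discrepancies without touching the challenge server, here is an added simulation (example code, not the challenge's own proxy or backend). It models the two parsers with `urllib.parse.parse_qs`: a first-occurrence-wins lookup standing in for Werkzeug's `request.args.get()`, a last-occurrence-wins lookup standing in for PHP's `$_GET`, a vulnerable proxy that mirrors the challenge's checks, and a hardened proxy that checks what the backend will actually read. `FLAG`, the function names and the sample queries are constructed for the example.

```python
from urllib.parse import parse_qs

# Added example, not the challenge's code: a network-free model of the two
# parsers the payload plays against. FLAG is a constructed placeholder.
FLAG = 'FLAG{constructed-placeholder}'


def werkzeug_first(raw_query: str, key: str):
    """Decoded, first-occurrence-wins lookup: what Flask's request.args.get() returns."""
    values = parse_qs(raw_query, keep_blank_values=True).get(key)
    return values[0] if values else None


def php_last(raw_query: str, key: str):
    """Decoded, last-occurrence-wins lookup: what PHP's $_GET holds for a repeated scalar key."""
    values = parse_qs(raw_query, keep_blank_values=True).get(key)
    return values[-1] if values else None


def backend(raw_query: str) -> str:
    """Stand-in for the PHP backend: it hands out the flag when *its* view of giveme is 'flag'."""
    return FLAG if php_last(raw_query, 'giveme') == 'flag' else 'no flag for you'


def vulnerable_proxy(raw_query: str) -> str:
    """Mirror of the challenge proxy: decoded lookup of giveme, but a substring
    test on the raw (still percent-encoded) query string, then verbatim forwarding."""
    q = werkzeug_first(raw_query, 'giveme')
    if q is None:
        return '🈲'  # assumption: the write-up does not show what the real proxy does here
    if q != 'proxy':
        return '🈲'
    if 'flag' in raw_query:  # raw bytes: '%66lag' does not match
        return '🚩'
    return backend(raw_query)


def hardened_proxy(raw_query: str) -> str:
    """Same policy, checked the way the backend will read it: refuse repeated
    keys (so first-wins and last-wins parsers cannot disagree) and match on the
    decoded keys and values instead of on the raw query bytes."""
    params = parse_qs(raw_query, keep_blank_values=True)
    if any(len(v) != 1 for v in params.values()):
        return '🈲'  # parameter pollution: the two parsers would disagree
    if params.get('giveme', [None])[0] != 'proxy':
        return '🈲'
    if any('flag' in k.lower() or 'flag' in v[0].lower() for k, v in params.items()):
        return '🚩'
    return backend(raw_query)


if __name__ == '__main__':
    for query in ('giveme=flag', 'giveme=%66lag', 'giveme=proxy&flag=1',
                  'giveme=proxy&%66lag=1', 'giveme=proxy&giveme=%66lag'):
        print(f'{query:28} vulnerable: {vulnerable_proxy(query):30} hardened: {hardened_proxy(query)}')
```

Running it shows that only `giveme=proxy&giveme=%66lag` reaches the backend with `giveme` decoded to `flag` through the vulnerable proxy, while the hardened proxy stops it at the duplicate-key check and also catches `%66lag` used as a key, which the raw-substring test lets through.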
Flag 🚩: firebird{1t_1s_def1n1teLy_n0t_4_p4yback_fr0m_secc0n_fin4ls}
Note: The challenge authors own the copyright of the challenge content and such content is excluded from CC BY 4.0 license of this article.