[Teaser CONFidence CTF 2016] RoflScale – Web 100

Admins connected a debug interface to our Roflscale DB. They didn’t bother to secure it with a password, so we put in a proxy instead.

IP: roflscale.hackable.software:4000

The main idea of this challenge is a parsing mismatch between Python's urlparse and Sinatra's REQUEST_PATH: if we craft a payload that gets past the proxy's 'dump' filter in Python but reaches the Ruby web server as a path ending in '/dump', we get the flag.

proxy.py takes the URL, unquotes it and parses it with urlparse, then checks whether the path component contains the string 'dump'. If it does -> GTFO; otherwise it unparses the components into a new URL and forwards it to the Ruby web server.

In the Ruby web server, if REQUEST_PATH ends with '/dump', it reads the flag for us.

After several hours of testing, I figured out that urlparse has a params component, but Sinatra does not!

For example, given /aaa;bbb:

urlparse:

path = /aaa
params = bbb

sinatra ruby:

path = /aaa;bbb

The only remaining problem is that REQUEST_PATH has to end with '/dump', not 'dump'. If we put a literal '/dump' after the ';', urlparse treats it as part of the path rather than as params, because it only splits off params at a ';' that comes after the last '/'.

Double-encoding the slash solved the problem: the proxy's single unquote turns %252f into %2f, which urlparse happily leaves in the params component, and the string is reassembled unchanged for the Ruby side.

Our final payload:
http://roflscale.hackable.software:4000/flag.txt;%252fdump

Flag: DrgnS{P4th_p4rAm5_aR3_4W350mE}
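To make the mismatch concrete, here is an added Python example; it is not the challenge's proxy.py or the Ruby server's code. It models the proxy's check as described above, models how the backend sees the path (assumed: the whole path component including the ';params' part, percent-decoded once, which stands in for Sinatra's REQUEST_PATH and is not its real implementation), and shows a hardened check that decodes to a fixed point and inspects the entire path component before urlparse splits it. All function names are my own.

```python
from urllib.parse import urlparse, urlunparse, unquote

BLOCKED = "dump"


def naive_proxy_path(target: str):
    """Model of the proxy described in the writeup (assumption, not proxy.py):
    unquote once, urlparse, inspect only .path, urlunparse and forward.
    Returns the forwarded request target, or None if blocked."""
    parts = urlparse(unquote(target))
    if BLOCKED in parts.path:          # params component is never looked at
        return None
    return urlunparse(parts)           # re-attaches ';params' verbatim


def backend_request_path(forwarded: str) -> str:
    """Simplified model of what the Ruby side treats as REQUEST_PATH
    (assumption, not Sinatra's code): the whole path component, ';' and all,
    percent-decoded once. Query and fragment are dropped."""
    path = forwarded.split("?", 1)[0].split("#", 1)[0]
    return unquote(path)


def fully_decode(s: str, limit: int = 5) -> str:
    """Percent-decode until the string stops changing, so stacked encodings
    such as %252f cannot hide a character from the check."""
    for _ in range(limit):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("too many encoding layers")


def hardened_proxy_path(target: str):
    """Defensive version: check the fully decoded, unsplit path component
    (params included) and only then forward the original target."""
    decoded = fully_decode(target)
    raw_path = decoded.split("?", 1)[0].split("#", 1)[0]
    if BLOCKED in raw_path:
        return None
    return target


if __name__ == "__main__":
    payload = "/flag.txt;%252fdump"   # the writeup's final payload
    forwarded = naive_proxy_path(payload)
    print("naive proxy forwards:", forwarded)
    print("backend sees:", backend_request_path(forwarded))
    print("hardened proxy forwards:", hardened_proxy_path(payload))
```

The naive model lets the payload through because urlparse files everything after the ';' under `params`, and `urlunparse` glues it back on untouched. The hardened model never relies on urlparse's notion of where the path ends: it decodes to a fixed point and looks at the raw path component, so any spelling of '/dump' that the backend could decode is visible to the filter as well. A denylist on a substring is still a weak control; the real fix is to not expose the debug route at all, or to allowlist the routes the proxy may forward.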
