[ictf Feb 2021] My challenges

Two of my submitted challenges were used for ictf round 7. Both of them web challenges. A brief overview of the challenges can be found in this post, the relevant files are available here.

Pathological liars (2021-02-21)

Description

If at once you don’t solve a challenge, ask your parents to solve for you :D

Provided

• A link to a running version of the website, serving its own source code with access to the flag

Solution

A simple path traversal, trying to highlight a directory gives us a directory listing. Traversing up the directory tree, we see flag.txt in the listing of the parent directory, so we can just highlight that. ?highlight=../flag.txt

Simple Server Real Fun (2021-02-22)

Description

Check out my new Redirect as a Service website!

Provided

• A link to the website, highlighting its own source code, with access to flag.txt

Solution

In general, we’ve got an ssrf vulnerability, with some filtering we need to bypass (we can’t immediately inject 127.0.0.1 or localhost).

We have 2 alternative solutions:

• Make the ssrf to a website you control serving a redirect to http://localhost:5000/flag
• Bypass the localhost checks by using alternative IP encodings (as a single integer for example) or alternative IPs (like 0.0.0.0), bypass the flag check through a double url encoding (e.g. fl%2561g for flag).