Orange v1 – Web – CSAW17


This is one of the web challenges of the CSAW17 event.

I wrote a little proxy program in NodeJS for my poems folder.

Everyone wants to read flag.txt but I like it too much to share.

Looks like we have to find an LFI (Local File Inclusion). We were able to get the index of the poems folder at the URL

So flag.txt is not here; it must be in the parent folder. But each time we tried to put .. in the path parameter we got

So the idea was URL encoding: we used this tool to encode .., and we tried with:

But we got the same error. However, a % on its own did not seem to trigger the error, so we tried double encoding, %25%32%65%25%32%65 :

And we got the flag: flag{thank_you_based_orange_for_this_ctf_challenge}