Orange v1 – Web – CSAW17

This is one of the web challenges from the CSAW17 event.

I wrote a little proxy program in NodeJS for my poems folder.

Everyone wants to read flag.txt but I like it too much to share.

http://web.chal.csaw.io:7311/?path=orange.txt

It looks like we have to find an LFI (Local File Inclusion). We were able to get the index of the poems folder at the URL http://web.chal.csaw.io:7311/?path=

flag.txt is not listed there, so it must be in the parent folder, but each time we tried to put .. in the path parameter we got

WHOA THATS BANNED!!!!

So the idea was to use encoding. We used this tool, http://2tap.com/javascript-percent-encoder/, to encode .. as %2e%2e and tried:

http://web.chal.csaw.io:7311/?path=%2e%2e/flag.txt

We got the same error, but the % character itself does not seem to trigger it, so we tried double encoding, %25%32%65%25%32%65, which decodes once to %2e%2e and a second time to ..:

http://web.chal.csaw.io:7311/?path=%25%32%65%25%32%65/flag.txt

And we get the flag: flag{thank_you_based_orange_for_this_ctf_challenge}
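
Why the single-encoded value is rejected while the double-encoded one gets through, as an added example that is not the challenge's source code: it assumes the proxy checks the parameter after one decode and that a second component decodes it again before opening the file. The function names are hypothetical, and `strictFilter` shows the check a defender would want instead.

```javascript
// Constructed two-hop model: the proxy filters the parameter after the
// query-string parser has decoded it once, then a backend decodes again.
const BANNED = "WHOA THATS BANNED!!!!";

// Remove one layer of percent-encoding; null on malformed input.
function decodeOnce(s) {
  try { return decodeURIComponent(s); } catch { return null; }
}

// Weak check (hypothetical): ".." is searched for after a single decode.
function naiveFilter(rawParam) {
  const once = decodeOnce(rawParam);
  if (once === null || once.includes("..")) return BANNED;
  return once; // forwarded as-is to the backend
}

// What the backend resolves under the poems folder (second decode).
function backendSees(forwarded) {
  return decodeOnce(forwarded);
}

// Hardened check: decode until stable, then refuse any ".." segment.
function strictFilter(rawParam, maxRounds = 5) {
  let cur = rawParam;
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeOnce(cur);
    if (next === null) return BANNED; // malformed: fail closed
    if (next === cur) break;
    cur = next;
  }
  if (decodeOnce(cur) !== cur) return BANNED; // still encoded after maxRounds
  const kept = [];
  for (const seg of cur.split(/[\\/]/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") return BANNED;
    kept.push(seg);
  }
  return kept.join("/"); // canonical relative path, no parent references
}

// Values from the write-up above.
for (const p of ["orange.txt", "%2e%2e/flag.txt", "%25%32%65%25%32%65/flag.txt"]) {
  const fwd = naiveFilter(p);
  const seen = fwd === BANNED ? "(blocked)" : backendSees(fwd);
  console.log(p, "| naive ->", seen, "| strict ->", strictFilter(p));
}
```

If the canonical path is forwarded to another service rather than opened directly, each segment should be re-encoded with `encodeURIComponent` so the next hop decodes back to the same value that was checked.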
