ultra-crawl
This challenge was part of the ROCSC competition 3 years ago.
Here is your favorite proxy for crawling minimal websites.
It took me a while to discover the first vulnerability, but in the end, it was actually quite simple. I was able to access the local filesystem using the default file:// wrapper.
At first, I thought I had solved the challenge, but the classic /home/ctf/flag.txt file didn’t work. So, I started accessing other files, but nothing useful came up. I couldn’t find any logs or source files for the web app, and it was really frustrating because nothing seemed to work. Then I remembered that this was running in a container, so there had to be a bash script to start the app. Sure enough, there was a start.sh file.
Now it was time to check the web application's source code.

import base64
from urllib.request import urlopen

from flask import Flask, render_template, request

app = Flask(__name__)


@app.route('/', methods=['GET', 'POST'])
def index():
    print(request.headers['Host'])
    # The flag is returned to any request whose Host header equals company.tld
    if request.headers['Host'] == "company.tld":
        flag = open('sir-a-random-folder-for-the-flag/flag.txt').read()
        return flag
    if request.method == 'POST':
        url = request.form.get('url')
        # urlopen's default opener also handles file:// URLs, hence the local file read
        output = urlopen(url).read().decode('utf-8')
        # "Y3Rmew==" decodes to "ctf{": responses containing the flag prefix are blocked
        if base64.b64decode("Y3Rmew==").decode('utf-8') in output:
            return "nope! try harder!"
        return output
    else:
        return render_template("index.html")


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=5000, debug=False, threaded=True, use_evalex=False)

All I needed to do was change the Host header to company.tld.
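
For comparison, here is a check the proxy could run on the submitted url before calling urlopen, written as an added example and not part of the challenge's code. It goes beyond the file:// case in this write-up by also rejecting hosts that resolve to loopback, link-local or private addresses; the names check_fetch_url, resolve_public_addresses and BlockedURL are hypothetical, and the http/https allowlist is an assumption about what the proxy needs.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the proxy only needs web URLs


class BlockedURL(ValueError):
    """Raised when a user-supplied URL must not be fetched."""


def resolve_public_addresses(host, port):
    """Resolve host and return its addresses, rejecting any non-public one."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        raise BlockedURL(f"cannot resolve {host!r}") from exc
    addresses = []
    for info in infos:
        ip = ipaddress.ip_address(info[4][0].split("%")[0])  # drop IPv6 zone id
        if not ip.is_global:
            raise BlockedURL(f"{host!r} resolves to non-public address {ip}")
        addresses.append(str(ip))
    return addresses


def check_fetch_url(url):
    """Validate a URL before fetching; returns (scheme, host, port, addresses)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:  # file://, ftp://, data: and others stop here
        raise BlockedURL(f"scheme {scheme!r} is not allowed")
    if not parts.hostname:
        raise BlockedURL("URL has no host")
    port = parts.port or (443 if scheme == "https" else 80)
    addresses = resolve_public_addresses(parts.hostname, port)
    return scheme, parts.hostname, port, addresses


if __name__ == "__main__":
    # Constructed sample inputs; IP literals keep the demo offline.
    for sample in ("file:///etc/passwd", "http://127.0.0.1:5000/", "http://93.184.216.34/"):
        try:
            print(sample, "->", check_fetch_url(sample))
        except BlockedURL as exc:
            print(sample, "-> blocked:", exc)
```

The check only helps if the fetch then connects to one of the returned addresses and applies the same check to every redirect target. The flag branch needs a separate fix, since the Host header is chosen by the client and cannot serve as an access control.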