Firebird CTF 2024 Write Up - infantwaf
Challenge Summary
infantwaf is a web challenge by hollow and mystiz. We are given a Python proxy in front of a 'protected' PHP backend, http://infantwaf.backend, which returns the flag if the URL parameter giveme=flag is set. However, the proxy rejects GET requests whose query string contains the string flag:
```python
from flask import Flask, request
from requests import get

app = Flask(__name__)
upstream = 'http://infantwaf.backend'  # the 'protected' PHP backend

@app.route('/', methods=['GET'])
def proxy():
    q = request.args.get('giveme')  # first value if the parameter is repeated
    if q is not None:
        if q != 'proxy':
            return '🈲'
        elif 'flag' in request.query_string.decode():  # raw, still percent-encoded
            return '🚩'
        else:
            return get(f'{upstream}/?{request.query_string.decode()}').content
```

Solution
The proxy only checks whether the literal string flag appears in the raw query string. We can bypass this by encoding the word differently, for example percent-encoding the character f as %66. Then 'flag' in request.query_string.decode() evaluates to false and the request is forwarded to the backend, which percent-decodes the parameter and sees flag.
What is more, if we specify giveme twice, Python (request.args.get) uses the first value while PHP ($_GET) uses the last. Hence, we can craft the payload as follows:
http://ash-chal.firebird.sh:36003?giveme=proxy&giveme=%66lag
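To see both discrepancies side by side, here is an added example (not part of the original write-up or the challenge code) that models the proxy's decision, PHP's last-value-wins view of the same query string, and a hardened check that decodes before matching and refuses repeated keys; the function names naive_check, php_view and hardened_check are chosen here and the query strings are constructed from the payload above.

```python
from urllib.parse import parse_qs

# Constructed from the write-up's payload: everything after the '?'.
PAYLOAD = "giveme=proxy&giveme=%66lag"


def naive_check(query_string: str) -> str:
    """The proxy's original logic reduced to its decision:
    'deny', 'flag-blocked' or 'forward'."""
    # Like werkzeug's request.args.get(), take the FIRST value of a repeated key.
    first = parse_qs(query_string, keep_blank_values=True).get('giveme', [None])[0]
    if first is not None and first != 'proxy':
        return 'deny'
    if 'flag' in query_string:  # substring match on the raw, undecoded string
        return 'flag-blocked'
    return 'forward'


def php_view(query_string: str) -> dict:
    """What PHP's $_GET sees: values percent-decoded, LAST value wins."""
    # parse_qs already percent-decodes each value.
    return {k: v[-1] for k, v in parse_qs(query_string, keep_blank_values=True).items()}


def hardened_check(query_string: str) -> str:
    """Decode first, inspect every key and value, and reject repeated keys so the
    proxy and the backend cannot disagree about which value is in effect."""
    params = parse_qs(query_string, keep_blank_values=True)
    if any(len(v) != 1 for v in params.values()):
        return 'deny'  # parameter pollution: the two parsers would diverge
    if any('flag' in k.lower() or 'flag' in v[0].lower() for k, v in params.items()):
        return 'flag-blocked'  # match on the decoded form the backend will see
    giveme = params.get('giveme', [None])[0]
    if giveme is not None and giveme != 'proxy':
        return 'deny'
    return 'forward'


if __name__ == '__main__':
    print('proxy decision :', naive_check(PAYLOAD))      # forward
    print('backend sees   :', php_view(PAYLOAD))         # {'giveme': 'flag'}
    print('hardened proxy :', hardened_check(PAYLOAD))   # deny
```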
Flag 🚩: firebird{1t_1s_def1n1teLy_n0t_4_p4yback_fr0m_secc0n_fin4ls}
Note: The challenge authors own the copyright of the challenge content and such content is excluded from CC BY 4.0 license of this article.