CTF Writeup - Flags - 35C3 Junior CTF

A write-up for one of the first web challenges in the 35C3 Junior CTF.

This was the tip:

Fun with flags: http://35.207.169.47 Flag is at /flag

When we land on the page we get to see the PHP code running in the back-end:

Looking at this PHP code we see that it’s considering our browser language as a variable lang and using it to navigate to the respective path to get the country’s flag.

Since the tip says that the challenge’s flag is located in /flag we have to find a way to manipulate our request to trick hte page into thinking that our language is something else: a payload we are going to craft.

I opened BURP Suite with the repeater tool to craft this malicious request.

The first thought would be just replacing the language in the request with ‘../flag’ but in we can see in the php code that they are protecting against this by replacing ‘../’ with ‘’, meaning they are deleting ‘../’.

So we just have to figure out a way to bypass this measure.

What I did was just repeating it and adding each of the characters in ‘../’ after it.

‘…/…/..//flag/’ should, after deletion, output ‘../flag/’ Repeat it a bunch of times to go back on a lot of directories (we don’t know how much until we get to ~/flag

The final maliciously crafted request should look like this:

GET / HTTP/1.1
Host: 35.207.169.47
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:64.0) Gecko/20100101 Firefox/64.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: .../.../..//.../.../..//.../.../..//.../.../..//flag
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

The raw return from this request is:

<img src="data:image/jpeg;base64,MzVjM190aGlzX2ZsYWdfaXNfdGhlX2JlNXRfZmw0Zwo=">

Decode the base64 and you get the flag:

35c3_this_flag_is_the_be5t_fl4g