Damjan Cvetko

Damjan Cvetko

Developer, System Architect, Hacker.

Xmas CTF 2020 - Day 2

1 minute read

Challenge: Santa’s checklist website for presents he already put in his sleigh keeps crashing. Can you help him find out what the problem is? Url for the website is: https://sleigh.owasp.si

If you open the url in your browser it will do some looping redirects and eventually abort. As always, let’s look at the raw HTTP traffic. CURL or plain old openssl s_client will do:

openssl s_client -servername sleigh.owasp.si -connect sleigh.owasp.si:443
GET /-1 HTTP/1.0
Host: sleigh.owasp.si

We get:

HTTP/1.1 301 Moved Permanently
Date: Fri, 25 Dec 2020 00:05:40 GMT
Content-Type: text/html
Connection: close
Set-Cookie: __cfduid=dcf31317c3753d52c...
Location: https://sleigh.owasp.si/2
X-Forwarded-Code: x
CF-Cache-Status: DYNAMIC
cf-request-id: 0738d036070000fc71360f1000000001
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/rep...
NEL: {"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 606e4fc69b79fc71-ZAG

Ok, that X-Forwarded-Code is strange. Let’s try some numbers. In fact, let’s try all numbers.

$ seq 0 30 | xargs -n1 -I {} curl -D - -s https://sleigh.owasp.si/{} | grep "x-for"
x-forwarded-code: x
x-forwarded-code: m
x-forwarded-code: a
x-forwarded-code: s
x-forwarded-code: {
x-forwarded-code: 7
x-forwarded-code: w
x-forwarded-code: 1
x-forwarded-code: n
x-forwarded-code: k
x-forwarded-code: l
x-forwarded-code: i
x-forwarded-code: n
x-forwarded-code: 9
x-forwarded-code: }
x-forwarded-code: m
x-forwarded-code: m
x-forwarded-code: m
x-forwarded-code: m
x-forwarded-code: m
x-forwarded-code: a
x-forwarded-code: a
x-forwarded-code: a
x-forwarded-code: a
x-forwarded-code: a

Flag: xmas{7w1nklin9}

What did I learn: First look at the raw HTTP…

Recent posts

See more

Categories

About