I took a few hours to create a simple HTML/CSS previewer system. Since there’s no way to add JavaScript then my server should be safe, right? Grab the flag from the http://chals.swampctf.com:47821/flag.txt file on the server to show that this isn’t the case. The flag is in the standard format. Good luck! http://chals.swampctf.com:47821
Since I didn’t find anything interesting here, I moved on to analyzing the attached files. This is a Flask challenge where we need to access the /flag.txt route. Direct access results in a Forbidden response:
1
2
3
4
5
6
7
8
9
10
11
12
@app.route("/",defaults={"path":"index.html"})@app.route("/<path:path>")defserve_files(path):ย ย try:ย ย ย ย returnsend_from_directory(app.static_folder,path)ย ย except:ย ย ย ย referer=request.headers.get("Referer","")ย ย ย ย ifnotrefererornot(referer.startswith("http://127.0.0.1:5000/")orreferer.startswith("http://localhost:5000/")):ย ย ย ย ย ย print(referer)ย ย ย ย ย ย abort(403,description="Forbidden: Accessing files directly is not allowed... You didn't think it'd be that easy did you.")ย ย ย ย returnsend_from_directory("/app/",path)
As we can see, if the Referer header is not set to http://127.0.0.1:5000/ or http://localhost:5000/, we receive a 403 status code. Initially, I thought it would be enough to make a request like this:
How is this possible? At first, I thought the challenge was brokenโฆ let’s move on to the next phase to analyze everything more thoroughly.
Exploitation
The first thing I did was import sys to use sys.stdout.flush() and add print() debug statements to understand how the challenge works. However, focusing on the fact that it worked with Host: localhost:5000 and Referer: http://localhost:5000/, I tried the same approach for the remote challenge by sending a request with identical Host and Referer headers:
