• Name: Celeste Tunneling Association
  • Difficulty: Easy
  • Points: 40
  • Category: Web




Welcome to the tunnels!! Have fun!

Here’s the source


We are provided with a website along with its source code.


Here is the Source Code:

# run via `uvicorn app:app --port 6000`
import os

SECRET_SITE = b"flag.local"
FLAG = os.environ['FLAG']

async def app(scope, receive, send):
    assert scope['type'] == 'http'

    headers = scope['headers']

    await send({
        'type': 'http.response.start',
        'status': 200,
        'headers': [
            [b'content-type', b'text/plain'],

    # IDK malformed requests or something
    num_hosts = 0
    for name, value in headers:
        if name == b"host":
            num_hosts += 1

    if num_hosts == 1:
        for name, value in headers:
            if name == b"host" and value == SECRET_SITE:
                await send({
                    'type': 'http.response.body',
                    'body': FLAG.encode(),

    await send({
        'type': 'http.response.body',
        'body': b'Welcome to the _tunnel_. Watch your step!!',


By examining the source code, we can observe that the flag is stored as an environment variable and can be accessed if the condition if name == b"host" and value == SECRET_SITE: is satisfied.

To trigger the server to reveal the flag, we need to provide a single header with the name host and the value flag.local. Once the server receives this header, it will return the flag in response.


└─$ curl -H "Host: flag.local"    


Flag: actf{reaching_the_core__chapter_8}