cryptomedium

Firewall

uoftctf2026

Task: Web server behind an eBPF/TC firewall that blocks packets containing "flag" or "%" with per-packet stateless inspection. Solution: Bypassed the ingress filter by splitting "flag" across two TCP segments using TCP_NODELAY, and bypassed the egress filter by requesting the file in 3-byte HTTP Range chunks (smaller than the 4-byte blocked pattern).

$ ls tags/ techniques/

ebpf tc packet_filtering tcp_segmentation http_range

tcp_segmentation_bypasshttp_range_requestpacket_filter_evasion

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]