webhard

Knowledge Base

miptctf

Two Flask services: main app sends search results to internal censor via HTTP GET. Mode parameter has no length validation. Werkzeug URL length limit creates binary oracle: long text (found) triggers 414 error, short text (not found) succeeds. Error response bypasses XOR+SHA256, enabling character-by-character flag brute force.

$ ls tags/ techniques/

flask side_channel werkzeug internal_service binary_oracle url_length

url_length_oraclebinary_search_bruteforceerror_based_oracle

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

Create a free account with GitHub, then upgrade to Pro.

$ssh [email protected]