hackadvisor
Task: An enterprise API gateway (nginx + custom proxy + Express) blocks /admin/* with a path-based ACL. The proxy parses the Transfer-Encoding header name case-sensitively.

Solution: Use a WebSocket upgrade to bypass nginx's strict CL+TE rejection, then perform CL.TE smuggling with a lowercase transfer-encoding header. The gateway frames the request by Content-Length (it ignores the lowercase TE header), while Express frames it as chunked (its TE lookup is case-insensitive), so the smuggled GET /admin/flag bypasses the ACL.
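
The parser disagreement described above, as an added example that is not part of the original writeup: a case-sensitive header lookup beside a case-insensitive one, plus a gateway-side check that folds header names to lowercase and rejects requests carrying both Content-Length and Transfer-Encoding. All function names, the sample request head and the host gateway.example are constructed for illustration.

```javascript
// Constructed sample: request head carrying both framing headers,
// with the Transfer-Encoding name in lowercase as in the task.
const SAMPLE_HEAD = [
  "POST /api/data HTTP/1.1",
  "Host: gateway.example",
  "Content-Length: 4",
  "transfer-encoding: chunked",
  "", "",
].join("\r\n");

// Split a request head into [name, value] pairs, keeping the name as received.
function parseHeaders(head) {
  return head.split("\r\n").slice(1)
    .filter((line) => line.includes(":"))
    .map((line) => {
      const i = line.indexOf(":");
      return [line.slice(0, i), line.slice(i + 1).trim()];
    });
}

// Weak lookup (models the proxy in the task): exact-case name match.
function framingCaseSensitive(head) {
  const h = Object.fromEntries(parseHeaders(head));
  if (h["Transfer-Encoding"] !== undefined) return "chunked";
  if (h["Content-Length"] !== undefined) return "content-length";
  return "none";
}

// Lookup as a case-insensitive parser (Express in the task) sees it.
function framingCaseInsensitive(head) {
  const names = parseHeaders(head).map(([n]) => n.toLowerCase());
  if (names.includes("transfer-encoding")) return "chunked";
  if (names.includes("content-length")) return "content-length";
  return "none";
}

// Hardened gateway check: fold names to lowercase, refuse ambiguous framing.
function gatewayDecision(head) {
  const hs = parseHeaders(head).map(([n, v]) => [n.toLowerCase(), v]);
  const te = hs.filter(([n]) => n === "transfer-encoding");
  const cl = hs.filter(([n]) => n === "content-length");
  if (te.length && cl.length) return { status: 400, reason: "both CL and TE present" };
  if (te.length > 1 || new Set(cl.map(([, v]) => v)).size > 1)
    return { status: 400, reason: "conflicting framing headers" };
  return { status: 200, framing: te.length ? "chunked" : cl.length ? "content-length" : "none" };
}
```

On the sample head the two lookups disagree about where the body ends, which is the desynchronization condition; the hardened check returns 400 before any framing decision is made.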