Skip to content

Latest commit

 

History

History

toffe

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
website
website
 
 
README.md
README.md
 
 

README.md

Writeup

When starting the container I am greeted with a website that says no website hosted here. Looking at the source code I see that it is a simple html page.

<html>
    <head></head>
    <body>
        no website hosted here
    </body>
</html>

Since we are given the source I can also check around there and I see that there is a FlagController.cs file. Looking at that I see that it has a route api/flag and that it requires a secret as a header.

[ApiController]
[Route("api/flag")]
public class FlagController : ControllerBase
{
    
    [HttpGet]
    [Host("localhost:*", "impossible.ept.gg:*")]
    public string GetFlag()
    {
        var secret = Request.Headers["Secret"];
        try{
        var model = new FlagModel();
        return model.GetFlag(secret[0]);
        }catch(Exception e){
            return "This did not work, use the source";
        }

    }
}

I also see that it is setup with two hostnames only localhostand impossible.ept.gg. So trying those with the header Host I get the error message This did not work, use the source. Now looking at GetFlag function in the FlagModel.cs which seems to be the function validating my secret.

public string GetFlag(String key_word) {
    var plainKey = encrypt(Base64Decode(key_word),-13);
    if(plainKey.Equals("eptctforthewin")){
        var flag = File.ReadAllText("flag.txt");
        return flag;
    } else {
        return "This is not a flag, try again";
    }
}

Adding a random secret secret I get the other error This is not a flag, try again. So next I try to reverse the encrypt function.

static string encrypt(string value, int shift) {
    char[] buffer = value.ToCharArray();
    for (int i = 0; i < buffer.Length; i++)
    {
        char letter = buffer[i];
        letter = (char)(letter + shift);
        if (letter > 'z')
        {
            letter = (char)(letter - 26);
        }
        else if (letter < 'a')
        {
            letter = (char)(letter + 26);
        }
        buffer[i] = letter;
    }
    return new string(buffer);
}

But after looking at it it looks like a basic rot13 so I open CyberChef to generate this secret cmNncGdzYmVndXJqdmE=.

Throwing that into Curl and I get the flag.

$ curl -H "Secret: cmNncGdzYmVndXJqdmE=" -H "Host: impossible.ept.gg" http://io.ept.gg:40992/api/flag

EPT{Host_h3aders_ar3_fun_som3tim3}