I am going through some CTF challenges at https://recruit.osiris.cyber.nyu.edu/challenges.

I got to one for Template Programming where the task is to "Read /flag.txt from the server. http://recruit.osiris.cyber.nyu.edu:2000"

I am not asking for a solution, but I would like some better understanding of what is going on below:

  • What is this code doing?
  • Should I be worried about running out of Debugging mode and/or using host="0.0.0.0"?
  • What are some resources that could help me understand this? I tried reading through the Flask documentation and the tutorialspoint page, but I am unclear as to how this doesn't just set up a local server for testing as opposed to accessing a remote server...
  • If I ctrl+C do I need to worry about leaving a server still running on an open port when I am not in Debugging mode?

```python
#!/usr/bin/env python3

from flask import Flask, request, abort, render_template_string
import os.path

app = Flask(__name__)

@app.route('/', methods=['GET'])
def index():
    name = request.args.get('name')
    if name is not None:
        return render_template_string(open('templates/hello.html').read().format(name=name))

    return render_template_string(open('templates/index.html').read())

if __name__ == "__main__":
    app.run(host="0.0.0.0")
```

1 Answer

I think I can answer most of these.

  1. As you probably already figured out, Flask is a fairly basic web framework. By the look of things, what you have there is a copy of the code running at the CTF site. It displays just two pages; one that contains the initial web form (templates/index.html) and another that uses a query string variable to greet the user (templates/hello.html) when a name has been provided.

  2. You don't really have to run this code yourself. The 0.0.0.0 host address is a catch-all that matches all IPv4 addresses on the local machine, which would include local addresses like 192.168.0.1 and 127.0.0.1 as well as the IP address used for incoming connections to the server.

  3. Like I said, this is the code running on the remote server.

  4. I think what you need to do is find some way of crafting a request to this web service in such a way that it reveals the contents of /flag.txt instead of (or perhaps in addition to) just saying hello. A quick search for something like "flask include file vulnerability" should give you some idea of how to attack this problem.

r3mainer
  • Hey, thanks a lot. This makes a lot more sense now. Just to be sure (even though it is not necessary for this task) the webpage server provided by running the flask program goes down when you exit via ctrl+C? – Trying ToLearn Jun 26 '20 at 04:13
  • Yes. If I remember correctly, a Flask server like this will print out HTTP request logs to stdout until you quit with ^C, at which point it will stop listening to any ports. – r3mainer Jun 26 '20 at 07:38
  • Ok thanks a lot. Greatly appreciated. Felt completely stuck, but now it almost feels obvious. – Trying ToLearn Jun 26 '20 at 14:07
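
Added example, not part of the original question or answer: the `index()` handler in the question formats the `name` query parameter into the template text before calling `render_template_string`, so the value is parsed as Jinja2 source; the sketch below puts that pattern next to a version that passes `name` as a template variable. The template strings stand in for `templates/hello.html`, whose contents are not shown on the page, and the route names, `fetch` helper and probe strings are assumptions made for the illustration.

```python
from flask import Flask, request, render_template_string

# Constructed stand-ins for templates/hello.html (the real file is not on the page).
HELLO_FORMAT = "<h1>Hello {name}!</h1>"    # placeholder filled by str.format
HELLO_JINJA = "<h1>Hello {{ name }}!</h1>"  # placeholder filled by Jinja2

app = Flask(__name__)


@app.route("/vulnerable")
def vulnerable():
    name = request.args.get("name", "")
    # Same pattern as the question: the request value is pasted into the
    # template *source*, so Jinja2 evaluates any template syntax it contains.
    return render_template_string(HELLO_FORMAT.format(name=name))


@app.route("/fixed")
def fixed():
    name = request.args.get("name", "")
    # The template source is constant; the request value is only data.
    # Flask autoescapes string templates, so HTML in the value is neutralised too.
    return render_template_string(HELLO_JINJA, name=name)


def fetch(path, name):
    """Send one GET through Flask's test client (no socket is opened)."""
    with app.test_client() as client:
        return client.get(path, query_string={"name": name}).get_data(as_text=True)


if __name__ == "__main__":
    # Constructed, harmless inputs: an arithmetic expression and an HTML tag.
    for probe in ("{{ 7*7 }}", "<b>x</b>"):
        for path in ("/vulnerable", "/fixed"):
            print(f"{path:12} {probe!r:12} -> {fetch(path, probe)}")
```

The first route evaluates the expression and returns the tag unescaped, while the second returns both inputs as literal, escaped text.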