Depth of Code

Hani’s blog

[CTF] Hacklu'12: 20 - nerd safe house

Oct 26, 2012

By sending a simple request (using ncat or an intercepting proxy):
GET / HTTP/1.0

we get the following response:
HTTP/1.1 302 Found
Date: Tue, 23 Oct 2012 16:48:43 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Location: ?cid=vp3ElnOGh7iwP
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Connection: close

In other words, a redirect to ?cid=vp3ElnOGh7iwP

The following request:
GET /?cid=vp3ElnOGh7iwP HTTP/1.0

gets this response in return:
HTTP/1.1 403 Forbidden
Date: Tue, 23 Oct 2012 16:50:08 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
X-Hint: Wrong Browser
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Connection: close
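
The two exchanges above can be checked offline. This is an added example, not code from the original post: it parses the two captured header blocks, resolves the query-only Location value against the request URL, and lists the headers that appear only in the second response. The host challenge.example and the function names are assumptions made for illustration.

```python
from email.parser import Parser
from urllib.parse import urljoin

# Header blocks copied from the two captures above (both bodies are empty).
REDIRECT = """\
HTTP/1.1 302 Found
Date: Tue, 23 Oct 2012 16:48:43 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Location: ?cid=vp3ElnOGh7iwP
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Connection: close
"""
FORBIDDEN = """\
HTTP/1.1 403 Forbidden
Date: Tue, 23 Oct 2012 16:50:08 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
X-Hint: Wrong Browser
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
Connection: close
"""
BASE_URL = "http://challenge.example/"  # assumption: placeholder host, not on the page

def parse_response(raw):
    """Return (status_code, headers) for a raw HTTP response header block."""
    status_line, _, header_block = raw.replace("\r\n", "\n").partition("\n")
    code = int(status_line.split(" ", 2)[1])
    return code, Parser().parsestr(header_block, headersonly=True)

def redirect_target(request_url, raw):
    """Resolve Location against the request URL; None if not a redirect."""
    code, headers = parse_response(raw)
    location = headers["Location"]
    if 300 <= code < 400 and location:
        return urljoin(request_url, location)
    return None

def new_headers(previous_raw, current_raw):
    """Headers in the current response that the previous one did not send."""
    _, prev = parse_response(previous_raw)
    _, cur = parse_response(current_raw)
    seen = {name.lower() for name in prev.keys()}
    return {n: v for n, v in cur.items() if n.lower() not in seen}
```

Calling redirect_target(BASE_URL, REDIRECT) returns the placeholder host followed by /?cid=vp3ElnOGh7iwP, and new_headers(REDIRECT, FORBIDDEN) returns only the X-Hint header, which is how the non-standard header stands out from the otherwise identical header set.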

When using a normal web browser, we see:

will result in:
HTTP/1.1 200 OK
Date: Tue, 23 Oct 2012 16:52:52 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Vary: Accept-Encoding
Content-Length: 230
Content-Type: text/html
Connection: close

And that is our flag.